Description of problem:
When authconfig / system-config-authentication is run in a VNC session under a regular user, there are AVCs reported in the audit log.

Version-Release number of selected component (if applicable):
selinux-policy-2.4.6-203.el5.noarch

Steps to Reproduce:
# useradd tester
# su - tester
# mkdir .vnc
# echo gnome-session > .vnc/xstartup
# chmod 755 .vnc/xstartup
# vncserver :77
* set vnc password
Starting applications specified in /home/tester/.vnc/xstartup
Log file is /home/tester/.vnc/x86-64-5s-m1.lab.bos.redhat.com:77.log
* run vnc viewer and connect to remote-host:77
* click system > administration > authentication
* enable/disable caching
* click OK

The following AVC alert appears:

SELinux is preventing the nscd from using potentially mislabeled files (/home/tester/.vnc/x86-64-5s-m1.lab.bos.redhat.com:77.log).

Detailed Description:
SELinux has denied nscd access to potentially mislabeled file(s) (/home/tester/.vnc/x86-64-5s-m1.lab.bos.redhat.com:77.log). This means that SELinux will not allow nscd to use these files. It is common for users to edit files in their home directory or tmp directories and then move (mv) them to system directories. The problem is that the files end up with the wrong file context which confined applications are not allowed to access.

Allowing Access:
If you want nscd to access these files, you need to relabel them using restorecon -v '/home/tester/.vnc/x86-64-5s-m1.lab.bos.redhat.com:77.log'. You might want to relabel the entire directory using restorecon -R -v '/home/tester/.vnc'.
Additional Information:
Source Context                root:system_r:nscd_t
Target Context                root:object_r:user_home_t
Target Objects                /home/tester/.vnc/x86-64-5s-m1.lab.bos.redhat.com:77.log [ file ]
Source                        nscd
Source Path                   /usr/sbin/nscd
Port                          <Unknown>
Host                          x86-64-5s-m1.lab.bos.redhat.com
Source RPM Packages           nscd-2.5-34
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-203.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   home_tmp_bad_labels
Host Name                     x86-64-5s-m1.lab.bos.redhat.com
Platform                      Linux x86-64-5s-m1.lab.bos.redhat.com 2.6.18-128.1.6.el5xen #1 SMP Tue Mar 24 12:28:27 EDT 2009 x86_64 x86_64
Alert Count                   1
First Seen                    Tue May 12 04:55:36 2009
Last Seen                     Tue May 12 04:55:36 2009
Local ID                      368f68fa-2680-42a3-bfed-cba4ab0b3fa6
Line Numbers

Raw Audit Messages
host=x86-64-5s-m1.lab.bos.redhat.com type=AVC msg=audit(1242118536.178:28817): avc: denied { append } for pid=20666 comm="nscd" path="/home/tester/.vnc/x86-64-5s-m1.lab.bos.redhat.com:77.log" dev=sdb1 ino=11010453 scontext=root:system_r:nscd_t:s0 tcontext=root:object_r:user_home_t:s0 tclass=file
host=x86-64-5s-m1.lab.bos.redhat.com type=SYSCALL msg=audit(1242118536.178:28817): arch=c000003e syscall=59 success=yes exit=0 a0=67cb640 a1=67cb760 a2=67aec80 a3=8 items=0 ppid=20661 pid=20666 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4259 comm="nscd" exe="/usr/sbin/nscd" subj=root:system_r:nscd_t:s0 key=(null)

Similarly, there are AVC messages for other services being stopped/started:
SELinux is preventing the pwconv from using potentially mislabeled files...
SELinux is preventing the grpconv from using potentially mislabeled files...
SELinux is preventing the pmap_dump from using potentially mislabeled files...
SELinux is preventing the portmap from using potentially mislabeled files...
SELinux is preventing the pmap_set from using potentially mislabeled files...
SELinux is preventing the setsebool from using potentially mislabeled files...
SELinux is preventing the ypbind from using potentially mislabeled files...
The problem is that all of these confined domains have their stdout set to the vnc log file, which is causing AVCs, since they are not allowed to append to files labeled as user_home_t. This is a tough problem to fix, and really is not a security problem since the output of these services will run fine. I think we have fixes in F10/F11 that would make this problem go away, but I do not intend to back port to RHEL5.
You can add these rules for now using:

# grep avc /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
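As an added example (not from the report, the reporter or the selinux-policy package), the Python below shows what the audit2allow workaround above would actually grant: it parses AVC records, merges them into one allow rule per source type / target type / class the way audit2allow does, and separates the report's append-to-user_home_t denials from any other denial that happens to sit in /var/log/audit/audit.log, since the grep above feeds every AVC in the log into the module. The sample audit lines are constructed: the report's nscd denial, a ypbind denial of the same shape, and one unrelated denial.

```python
import re
from collections import defaultdict

# Constructed sample audit records (shortened paths). The third AVC is
# unrelated to the VNC log problem and is there to show it would be swept
# into "mypol" by grepping the whole audit log.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1242118536.178:28817): avc: denied { append } for pid=20666 comm="nscd" path="/home/tester/.vnc/host:77.log" dev=sdb1 ino=11010453 scontext=root:system_r:nscd_t:s0 tcontext=root:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1242118536.178:28817): arch=c000003e syscall=59 success=yes exit=0 comm="nscd" exe="/usr/sbin/nscd"
type=AVC msg=audit(1242118540.001:28820): avc: denied { append } for pid=20670 comm="ypbind" path="/home/tester/.vnc/host:77.log" dev=sdb1 ino=11010453 scontext=root:system_r:ypbind_t:s0 tcontext=root:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1242118999.500:29000): avc: denied { write } for pid=21000 comm="httpd" path="/etc/hosts" dev=sdb1 ino=99 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
"""

# One AVC record: the permission set in braces, then the contexts and class.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def context_type(ctx):
    """Return the type field of a user:role:type[:level] security context."""
    return ctx.split(':')[2]


def parse_avcs(text):
    """Yield (source_type, target_type, tclass, frozenset(perms)) per AVC denial."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            yield (context_type(m.group('scontext')), context_type(m.group('tcontext')),
                   m.group('tclass'), frozenset(m.group('perms').split()))


def allow_rules(text):
    """Merge denials into allow rules the way audit2allow does (one per source/target/class)."""
    merged = defaultdict(set)
    for stype, ttype, tclass, perms in parse_avcs(text):
        merged[(stype, ttype, tclass)] |= perms
    return sorted(f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
                  for (s, t, c), p in merged.items())


def vnc_log_denials(text):
    """Source types hitting exactly the pattern in this report: append to a user_home_t file."""
    return sorted({s for s, t, c, p in parse_avcs(text)
                   if t == 'user_home_t' and c == 'file' and p == {'append'}})


if __name__ == '__main__':
    print('daemons appending to the VNC log:', vnc_log_denials(SAMPLE_AUDIT))
    print('\n'.join(allow_rules(SAMPLE_AUDIT)))
```

Running it on the real log instead of SAMPLE_AUDIT lets you compare the rules audit2allow would emit against the list of daemons in the report before installing the module.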