Bug 531530 - SELinux is preventing /usr/bin/xauth "read" access on .xauth22XesY.
SELinux is preventing /usr/bin/xauth "read" access on .xauth22XesY.
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: pam (Show other bugs)
rawhide
i386 Linux
medium Severity medium
: ---
: ---
Assigned To: Tomas Mraz
Fedora Extras Quality Assurance
setroubleshoot_trace_hash:cee9a586857...
:
: 530663 531529 531699 (view as bug list)
Depends On:
Blocks: F12Blocker/F12FinalBlocker
  Show dependency treegraph
 
Reported: 2009-10-28 12:52 EDT by Jóhann B. Guðmundsson
Modified: 2013-01-10 00:33 EST (History)
43 users (show)

See Also:
Fixed In Version: pam-1.1.0-6.fc12
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-10-29 15:24:52 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Jóhann B. Guðmundsson 2009-10-28 12:52:16 EDT
Summary:

SELinux is preventing /usr/bin/xauth "read" access on .xauth22XesY.

Detailed Description:

SELinux denied access requested by xauth. It is not expected that this access is
required by xauth and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:admin_home_t:s0
Target Objects                .xauth22XesY [ file ]
Source                        xauth
Source Path                   /usr/bin/xauth
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           xorg-x11-xauth-1.0.2-7.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-35.fc12
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) 2.6.31.5-104.fc12.i686
                              #1 SMP Wed Oct 28 03:07:25 EDT 2009 i686 i686
Alert Count                   1
First Seen                    Wed 28 Oct 2009 04:46:27 PM GMT
Last Seen                     Wed 28 Oct 2009 04:46:27 PM GMT
Local ID                      fe82db82-348f-41e0-a053-1085c4b50002
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1256748387.646:21170): avc:  denied  { read } for  pid=1897 comm="xauth" name=".xauth22XesY" dev=dm-0 ino=5140 scontext=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1256748387.646:21170): arch=40000003 syscall=5 success=no exit=-13 a0=bf85df27 a1=0 a2=1b6 a3=804d4f2 items=0 ppid=1890 pid=1897 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="xauth" exe="/usr/bin/xauth" subj=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023 key=(null)



Hash String generated from  selinux-policy-3.6.32-35.fc12,catchall,xauth,xauth_t,admin_home_t,file,read
audit2allow suggests:

#============= xauth_t ==============
allow xauth_t admin_home_t:file read;
Comment 1 Daniel Walsh 2009-10-28 13:13:51 EDT
*** Bug 531529 has been marked as a duplicate of this bug. ***
Comment 2 Daniel Walsh 2009-10-28 13:16:40 EDT
Is this a fresh install or an upgrade.  Could you execute restorecon -R -v
/root and see if this happens again.

/root/.xauth* used to have the wrong label, now they should be gettting created
with the right label.  So I need to know if you can create one with the wrong
label, and how you are doing it.
Comment 3 Jóhann B. Guðmundsson 2009-10-28 13:51:20 EDT
There are 2 things that I was doing somewhere around the time that the file was creating 1. ran su - from a normal user account and ran yum -y update the 
2. I suspended resumed the laptop.  

.xauth files created since install

-rw-------.  1 root root   66 2009-10-22 13:44 .xauth186egX
-rw-------.  2 root root    0 2009-10-28 16:46 .xauth22XesY-c
-rw-------.  2 root root    0 2009-10-28 16:46 .xauth22XesY-l
-rw-------.  1 root root   66 2009-10-22 15:06 .xauthCa8aJr
-rw-------.  1 root root   66 2009-10-22 15:03 .xauthcUhid5
-rw-------.  1 root root    0 2009-10-28 17:38 .xauthtRFPGj
-rw-------.  2 root root    0 2009-10-28 17:38 .xauthtRFPGj-c
-rw-------.  2 root root    0 2009-10-28 17:38 .xauthtRFPGj-l

Their current selinux attributes

-rw-------. root root unconfined_u:object_r:admin_home_t:s0 .xauth186egX
-rw-------. root root unconfined_u:object_r:xauth_home_t:s0 .xauth22XesY-c
-rw-------. root root unconfined_u:object_r:xauth_home_t:s0 .xauth22XesY-l
-rw-------. root root unconfined_u:object_r:admin_home_t:s0 .xauthCa8aJr
-rw-------. root root unconfined_u:object_r:admin_home_t:s0 .xauthcUhid5
-rw-------. root root unconfined_u:object_r:admin_home_t:s0 .xauthtRFPGj
-rw-------. root root unconfined_u:object_r:xauth_home_t:s0 .xauthtRFPGj-c
-rw-------. root root unconfined_u:object_r:xauth_home_t:s0 .xauthtRFPGj-l

Selinux attributes after restorecon

-rw-------. root root system_u:object_r:xauth_home_t:s0 .xauth186egX
-rw-------. root root unconfined_u:object_r:xauth_home_t:s0 .xauth22XesY-c
-rw-------. root root unconfined_u:object_r:xauth_home_t:s0 .xauth22XesY-l
-rw-------. root root system_u:object_r:xauth_home_t:s0 .xauthCa8aJr
-rw-------. root root system_u:object_r:xauth_home_t:s0 .xauthcUhid5
-rw-------. root root system_u:object_r:xauth_home_t:s0 .xauthtRFPGj
-rw-------. root root unconfined_u:object_r:xauth_home_t:s0 .xauthtRFPGj-c
-rw-------. root root unconfined_u:object_r:xauth_home_t:s0 .xauthtRFPGj-l

I'll repeat what I did and see if it triggers selinux again..
Comment 4 Jóhann B. Guðmundsson 2009-10-28 13:59:27 EDT
Running su - from gnome terminal seems to trigger the alerts... 

[root@localhost ~]# ls -alhZ .xauth* 
-rw-------. root root system_u:object_r:xauth_home_t:s0 .xauth186egX
-rw-------. root root unconfined_u:object_r:xauth_home_t:s0 .xauth22XesY-c
-rw-------. root root unconfined_u:object_r:xauth_home_t:s0 .xauth22XesY-l
-rw-------. root root system_u:object_r:xauth_home_t:s0 .xauthCa8aJr
-rw-------. root root system_u:object_r:xauth_home_t:s0 .xauthcUhid5
-rw-------. root root unconfined_u:object_r:admin_home_t:s0 .xauthqTYT7r
-rw-------. root root unconfined_u:object_r:xauth_home_t:s0 .xauthqTYT7r-c
-rw-------. root root unconfined_u:object_r:xauth_home_t:s0 .xauthqTYT7r-l
-rw-------. root root unconfined_u:object_r:xauth_home_t:s0 .xauthtRFPGj-c
-rw-------. root root unconfined_u:object_r:xauth_home_t:s0 .xauthtRFPGj-l

[root@localhost ~]# ls -alhZ .xauth* 
-rw-------. root root system_u:object_r:xauth_home_t:s0 .xauth186egX
-rw-------. root root unconfined_u:object_r:xauth_home_t:s0 .xauth22XesY-c
-rw-------. root root unconfined_u:object_r:xauth_home_t:s0 .xauth22XesY-l
-rw-------. root root system_u:object_r:xauth_home_t:s0 .xauthCa8aJr
-rw-------. root root system_u:object_r:xauth_home_t:s0 .xauthcUhid5
-rw-------. root root unconfined_u:object_r:admin_home_t:s0 .xauthqTYT7r
-rw-------. root root unconfined_u:object_r:xauth_home_t:s0 .xauthqTYT7r-c
-rw-------. root root unconfined_u:object_r:xauth_home_t:s0 .xauthqTYT7r-l
-rw-------. root root unconfined_u:object_r:xauth_home_t:s0 .xauthtRFPGj-c
-rw-------. root root unconfined_u:object_r:xauth_home_t:s0 .xauthtRFPGj-l
[root@localhost ~]# rm -rf .xauth* 
[root@localhost ~]# exit
logout
[johannbg@localhost ~]$ su -
Password: 
[root@localhost ~]# ls -alh .xauth*
-rw-------. 1 root root 0 2009-10-28 17:54 .xauthjq4gL7
-rw-------. 2 root root 0 2009-10-28 17:54 .xauthjq4gL7-c
-rw-------. 2 root root 0 2009-10-28 17:54 .xauthjq4gL7-l

2 new reports popup 

Summary:

SELinux is preventing /usr/bin/xauth "write" access on .xauthjq4gL7.

Detailed Description:

SELinux denied access requested by xauth. It is not expected that this access is
required by xauth and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:admin_home_t:s0
Target Objects                .xauthjq4gL7 [ file ]
Source                        xauth
Source Path                   /usr/bin/xauth
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           xorg-x11-xauth-1.0.2-7.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-35.fc12
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.31.5-104.fc12.i686
                              #1 SMP Wed Oct 28 03:07:25 EDT 2009 i686 i686
Alert Count                   1
First Seen                    Wed 28 Oct 2009 05:54:34 PM GMT
Last Seen                     Wed 28 Oct 2009 05:54:34 PM GMT
Local ID                      e4c1c614-3f76-44bc-a2e0-0e5803241625
Line Numbers                  

Raw Audit Messages            

node=localhost.localdomain type=AVC msg=audit(1256752474.834:21179): avc:  denied  { write } for  pid=2526 comm="xauth" name=".xauthjq4gL7" dev=dm-0 ino=11681 scontext=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file

node=localhost.localdomain type=SYSCALL msg=audit(1256752474.834:21179): arch=40000003 syscall=33 success=no exit=-13 a0=bfb4cf27 a1=2 a2=bfb4cf27 a3=804e88c items=0 ppid=2519 pid=2526 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="xauth" exe="/usr/bin/xauth" subj=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023 key=(null)

Summary:

SELinux is preventing /usr/bin/xauth "read" access on .xauthjq4gL7.

Detailed Description:

SELinux denied access requested by xauth. It is not expected that this access is
required by xauth and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:admin_home_t:s0
Target Objects                .xauthjq4gL7 [ file ]
Source                        xauth
Source Path                   /usr/bin/xauth
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           xorg-x11-xauth-1.0.2-7.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-35.fc12
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.31.5-104.fc12.i686
                              #1 SMP Wed Oct 28 03:07:25 EDT 2009 i686 i686
Alert Count                   0
First Seen                    Wed 28 Oct 2009 05:54:34 PM GMT
Last Seen                     Wed 28 Oct 2009 05:54:34 PM GMT
Local ID                      e9486bca-968a-4e66-8f84-c5d77742ec81
Line Numbers                  

Raw Audit Messages            

node=localhost.localdomain type=AVC msg=audit(1256752474.873:21180): avc:  denied  { read } for  pid=2526 comm="xauth" name=".xauthjq4gL7" dev=dm-0 ino=11681 scontext=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file

node=localhost.localdomain type=SYSCALL msg=audit(1256752474.873:21180): arch=40000003 syscall=5 success=no exit=-13 a0=bfb4cf27 a1=0 a2=1b6 a3=804d4f2 items=0 ppid=2519 pid=2526 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="xauth" exe="/usr/bin/xauth" subj=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023 key=(null)
Comment 5 Jóhann B. Guðmundsson 2009-10-28 14:01:04 EDT
Whoops forgot to post the selinux attributes on those newly created files..  

[root@localhost ~]# ls -alhZ .xauth* 
-rw-------. root root unconfined_u:object_r:admin_home_t:s0 .xauthjq4gL7
-rw-------. root root unconfined_u:object_r:xauth_home_t:s0 .xauthjq4gL7-c
-rw-------. root root unconfined_u:object_r:xauth_home_t:s0 .xauthjq4gL7-l
Comment 6 Daniel Walsh 2009-10-28 14:36:10 EDT
The bug is in pam_xauth.

It needs to create the file with the correct label.
Comment 7 Daniel Walsh 2009-10-28 14:36:31 EDT
I am working on a patch.
Comment 8 Cia Watson 2009-10-28 21:44:57 EDT
Gave me the error several times this evening, opening up System Log Viewer and/or opening a terminal on the desktop and using su - to get root access.
Comment 9 Tomas Mraz 2009-10-29 07:17:34 EDT
The bug might be in pam_xauth but how is it possible that pam_xauth works fine in most cases - I've tried 'su -' on fully updated F-12 machine and it worked fine, the .xauth* files were created with the xauth_home_t context.
Comment 10 Daniel Walsh 2009-10-29 09:00:44 EDT
I think it matters whether the execed xauth creates the file or the pam_xauth creates it.  Also are you running restorecond service?
Comment 11 Daniel Walsh 2009-10-29 09:01:52 EDT
*** Bug 530663 has been marked as a duplicate of this bug. ***
Comment 12 Tomas Mraz 2009-10-29 09:20:52 EDT
*** Bug 531699 has been marked as a duplicate of this bug. ***
Comment 13 Tomas Mraz 2009-10-29 09:23:33 EDT
Ok, I can finally reproduce it if I stop restorecond. So the patch to pam_xauth should be applied however I am still curious why such huge number of users is having this problem suddenly.
Comment 14 Daniel Walsh 2009-10-29 09:28:27 EDT
I had a different problem and started transitioning from unconfined_t to xauth_t to fix it.  Which revealed this bug.  The proper thing is to have this file labeled correctly always, since it is security sensitive.
Comment 15 Tomas Mraz 2009-10-29 09:32:29 EDT
I still think there might be some problem with restorecond as on one computer where a reproducer was found the restorecond run only as the user process restorecond -u and not the main daemon.

However I am patching pam_xauth to label the file correctly from start.
Comment 16 Daniel Walsh 2009-10-29 09:45:14 EDT
Yes restorecond will only run as a user process unless the admin select to run it as a system service.
Comment 17 Tomas Mraz 2009-10-29 15:24:21 EDT
The fixed pam package was tagged to dist-f12 so it should appear in rawhide tomorrow.

Note You need to log in before you can comment on or make changes to this bug.