Summary: SELinux is preventing /usr/bin/xauth "read" access on .xauth22XesY.

Detailed Description: SELinux denied access requested by xauth. It is not expected that this access is required by xauth and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access: You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file a bug report.

Additional Information:
Source Context    unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023
Target Context    unconfined_u:object_r:admin_home_t:s0
Target Objects    .xauth22XesY [ file ]
Source            xauth
Source Path       /usr/bin/xauth
Port              <Unknown>
Host              (removed)
Source RPM Packages  xorg-x11-xauth-1.0.2-7.fc12
Target RPM Packages
Policy RPM        selinux-policy-3.6.32-35.fc12
Selinux Enabled   True
Policy Type       targeted
MLS Enabled       True
Enforcing Mode    Enforcing
Plugin Name       catchall
Host Name         (removed)
Platform          Linux (removed) 2.6.31.5-104.fc12.i686 #1 SMP Wed Oct 28 03:07:25 EDT 2009 i686 i686
Alert Count       1
First Seen        Wed 28 Oct 2009 04:46:27 PM GMT
Last Seen         Wed 28 Oct 2009 04:46:27 PM GMT
Local ID          fe82db82-348f-41e0-a053-1085c4b50002
Line Numbers

Raw Audit Messages
node=(removed) type=AVC msg=audit(1256748387.646:21170): avc: denied { read } for pid=1897 comm="xauth" name=".xauth22XesY" dev=dm-0 ino=5140 scontext=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
node=(removed) type=SYSCALL msg=audit(1256748387.646:21170): arch=40000003 syscall=5 success=no exit=-13 a0=bf85df27 a1=0 a2=1b6 a3=804d4f2 items=0 ppid=1890 pid=1897 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="xauth" exe="/usr/bin/xauth" subj=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023 key=(null)

Hash String generated from selinux-policy-3.6.32-35.fc12,catchall,xauth,xauth_t,admin_home_t,file,read

audit2allow suggests:
#============= xauth_t ==============
allow xauth_t admin_home_t:file read;
*** Bug 531529 has been marked as a duplicate of this bug. ***
Is this a fresh install or an upgrade? Could you execute restorecon -R -v /root and see if this happens again. /root/.xauth* used to have the wrong label; now they should be getting created with the right label. So I need to know if you can create one with the wrong label, and how you are doing it.
There are 2 things that I was doing somewhere around the time that the file was created:
1. ran su - from a normal user account and ran yum -y update
2. I suspended/resumed the laptop.

.xauth files created since install:
-rw-------. 1 root root 66 2009-10-22 13:44 .xauth186egX
-rw-------. 2 root root  0 2009-10-28 16:46 .xauth22XesY-c
-rw-------. 2 root root  0 2009-10-28 16:46 .xauth22XesY-l
-rw-------. 1 root root 66 2009-10-22 15:06 .xauthCa8aJr
-rw-------. 1 root root 66 2009-10-22 15:03 .xauthcUhid5
-rw-------. 1 root root  0 2009-10-28 17:38 .xauthtRFPGj
-rw-------. 2 root root  0 2009-10-28 17:38 .xauthtRFPGj-c
-rw-------. 2 root root  0 2009-10-28 17:38 .xauthtRFPGj-l

Their current selinux attributes:
-rw-------. root root unconfined_u:object_r:admin_home_t:s0 .xauth186egX
-rw-------. root root unconfined_u:object_r:xauth_home_t:s0 .xauth22XesY-c
-rw-------. root root unconfined_u:object_r:xauth_home_t:s0 .xauth22XesY-l
-rw-------. root root unconfined_u:object_r:admin_home_t:s0 .xauthCa8aJr
-rw-------. root root unconfined_u:object_r:admin_home_t:s0 .xauthcUhid5
-rw-------. root root unconfined_u:object_r:admin_home_t:s0 .xauthtRFPGj
-rw-------. root root unconfined_u:object_r:xauth_home_t:s0 .xauthtRFPGj-c
-rw-------. root root unconfined_u:object_r:xauth_home_t:s0 .xauthtRFPGj-l

Selinux attributes after restorecon:
-rw-------. root root system_u:object_r:xauth_home_t:s0 .xauth186egX
-rw-------. root root unconfined_u:object_r:xauth_home_t:s0 .xauth22XesY-c
-rw-------. root root unconfined_u:object_r:xauth_home_t:s0 .xauth22XesY-l
-rw-------. root root system_u:object_r:xauth_home_t:s0 .xauthCa8aJr
-rw-------. root root system_u:object_r:xauth_home_t:s0 .xauthcUhid5
-rw-------. root root system_u:object_r:xauth_home_t:s0 .xauthtRFPGj
-rw-------. root root unconfined_u:object_r:xauth_home_t:s0 .xauthtRFPGj-c
-rw-------. root root unconfined_u:object_r:xauth_home_t:s0 .xauthtRFPGj-l

I'll repeat what I did and see if it triggers selinux again..
Running su - from gnome terminal seems to trigger the alerts...

[root@localhost ~]# ls -alhZ .xauth*
-rw-------. root root system_u:object_r:xauth_home_t:s0 .xauth186egX
-rw-------. root root unconfined_u:object_r:xauth_home_t:s0 .xauth22XesY-c
-rw-------. root root unconfined_u:object_r:xauth_home_t:s0 .xauth22XesY-l
-rw-------. root root system_u:object_r:xauth_home_t:s0 .xauthCa8aJr
-rw-------. root root system_u:object_r:xauth_home_t:s0 .xauthcUhid5
-rw-------. root root unconfined_u:object_r:admin_home_t:s0 .xauthqTYT7r
-rw-------. root root unconfined_u:object_r:xauth_home_t:s0 .xauthqTYT7r-c
-rw-------. root root unconfined_u:object_r:xauth_home_t:s0 .xauthqTYT7r-l
-rw-------. root root unconfined_u:object_r:xauth_home_t:s0 .xauthtRFPGj-c
-rw-------. root root unconfined_u:object_r:xauth_home_t:s0 .xauthtRFPGj-l
[root@localhost ~]# ls -alhZ .xauth*
-rw-------. root root system_u:object_r:xauth_home_t:s0 .xauth186egX
-rw-------. root root unconfined_u:object_r:xauth_home_t:s0 .xauth22XesY-c
-rw-------. root root unconfined_u:object_r:xauth_home_t:s0 .xauth22XesY-l
-rw-------. root root system_u:object_r:xauth_home_t:s0 .xauthCa8aJr
-rw-------. root root system_u:object_r:xauth_home_t:s0 .xauthcUhid5
-rw-------. root root unconfined_u:object_r:admin_home_t:s0 .xauthqTYT7r
-rw-------. root root unconfined_u:object_r:xauth_home_t:s0 .xauthqTYT7r-c
-rw-------. root root unconfined_u:object_r:xauth_home_t:s0 .xauthqTYT7r-l
-rw-------. root root unconfined_u:object_r:xauth_home_t:s0 .xauthtRFPGj-c
-rw-------. root root unconfined_u:object_r:xauth_home_t:s0 .xauthtRFPGj-l
[root@localhost ~]# rm -rf .xauth*
[root@localhost ~]# exit
logout
[johannbg@localhost ~]$ su -
Password:
[root@localhost ~]# ls -alh .xauth*
-rw-------. 1 root root 0 2009-10-28 17:54 .xauthjq4gL7
-rw-------. 2 root root 0 2009-10-28 17:54 .xauthjq4gL7-c
-rw-------. 2 root root 0 2009-10-28 17:54 .xauthjq4gL7-l

2 new reports pop up:

Summary: SELinux is preventing /usr/bin/xauth "write" access on .xauthjq4gL7.

Detailed Description: SELinux denied access requested by xauth. It is not expected that this access is required by xauth and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access: You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file a bug report.

Additional Information:
Source Context    unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023
Target Context    unconfined_u:object_r:admin_home_t:s0
Target Objects    .xauthjq4gL7 [ file ]
Source            xauth
Source Path       /usr/bin/xauth
Port              <Unknown>
Host              localhost.localdomain
Source RPM Packages  xorg-x11-xauth-1.0.2-7.fc12
Target RPM Packages
Policy RPM        selinux-policy-3.6.32-35.fc12
Selinux Enabled   True
Policy Type       targeted
MLS Enabled       True
Enforcing Mode    Enforcing
Plugin Name       catchall
Host Name         localhost.localdomain
Platform          Linux localhost.localdomain 2.6.31.5-104.fc12.i686 #1 SMP Wed Oct 28 03:07:25 EDT 2009 i686 i686
Alert Count       1
First Seen        Wed 28 Oct 2009 05:54:34 PM GMT
Last Seen         Wed 28 Oct 2009 05:54:34 PM GMT
Local ID          e4c1c614-3f76-44bc-a2e0-0e5803241625
Line Numbers

Raw Audit Messages
node=localhost.localdomain type=AVC msg=audit(1256752474.834:21179): avc: denied { write } for pid=2526 comm="xauth" name=".xauthjq4gL7" dev=dm-0 ino=11681 scontext=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
node=localhost.localdomain type=SYSCALL msg=audit(1256752474.834:21179): arch=40000003 syscall=33 success=no exit=-13 a0=bfb4cf27 a1=2 a2=bfb4cf27 a3=804e88c items=0 ppid=2519 pid=2526 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="xauth" exe="/usr/bin/xauth" subj=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023 key=(null)

Summary: SELinux is preventing /usr/bin/xauth "read" access on .xauthjq4gL7.

Detailed Description: SELinux denied access requested by xauth. It is not expected that this access is required by xauth and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access: You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file a bug report.

Additional Information:
Source Context    unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023
Target Context    unconfined_u:object_r:admin_home_t:s0
Target Objects    .xauthjq4gL7 [ file ]
Source            xauth
Source Path       /usr/bin/xauth
Port              <Unknown>
Host              localhost.localdomain
Source RPM Packages  xorg-x11-xauth-1.0.2-7.fc12
Target RPM Packages
Policy RPM        selinux-policy-3.6.32-35.fc12
Selinux Enabled   True
Policy Type       targeted
MLS Enabled       True
Enforcing Mode    Enforcing
Plugin Name       catchall
Host Name         localhost.localdomain
Platform          Linux localhost.localdomain 2.6.31.5-104.fc12.i686 #1 SMP Wed Oct 28 03:07:25 EDT 2009 i686 i686
Alert Count       0
First Seen        Wed 28 Oct 2009 05:54:34 PM GMT
Last Seen         Wed 28 Oct 2009 05:54:34 PM GMT
Local ID          e9486bca-968a-4e66-8f84-c5d77742ec81
Line Numbers

Raw Audit Messages
node=localhost.localdomain type=AVC msg=audit(1256752474.873:21180): avc: denied { read } for pid=2526 comm="xauth" name=".xauthjq4gL7" dev=dm-0 ino=11681 scontext=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
node=localhost.localdomain type=SYSCALL msg=audit(1256752474.873:21180): arch=40000003 syscall=5 success=no exit=-13 a0=bfb4cf27 a1=0 a2=1b6 a3=804d4f2 items=0 ppid=2519 pid=2526 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="xauth" exe="/usr/bin/xauth" subj=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023 key=(null)
Whoops, forgot to post the selinux attributes on those newly created files..

[root@localhost ~]# ls -alhZ .xauth*
-rw-------. root root unconfined_u:object_r:admin_home_t:s0 .xauthjq4gL7
-rw-------. root root unconfined_u:object_r:xauth_home_t:s0 .xauthjq4gL7-c
-rw-------. root root unconfined_u:object_r:xauth_home_t:s0 .xauthjq4gL7-l
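An added triage example, not code from the bug report or from the pam package: it parses the two AVC records quoted in this bug and the ls -Z listing in the comment above, and separates a mislabeled-file denial, where restorecon is the fix, from a genuine policy gap, the only case where the audit2allow rule from the first report would be appropriate. The EXPECTED_TYPE table is an assumption for illustration, not read from the policy.

```python
import re

# Sample input: the two AVC records quoted in this bug (node= prefix dropped).
AVC_LINES = [
    'type=AVC msg=audit(1256748387.646:21170): avc: denied { read } for pid=1897 comm="xauth" name=".xauth22XesY" dev=dm-0 ino=5140 scontext=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file',
    'type=AVC msg=audit(1256752474.834:21179): avc: denied { write } for pid=2526 comm="xauth" name=".xauthjq4gL7" dev=dm-0 ino=11681 scontext=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file',
]
# The ls -alhZ listing from the follow-up comment: one mislabeled file beside two good ones.
LS_Z = """\
-rw-------. root root unconfined_u:object_r:admin_home_t:s0 .xauthjq4gL7
-rw-------. root root unconfined_u:object_r:xauth_home_t:s0 .xauthjq4gL7-c
-rw-------. root root unconfined_u:object_r:xauth_home_t:s0 .xauthjq4gL7-l
"""
# Assumed for illustration: the file type each confined domain should see on its own
# files (xauth_t -> xauth_home_t, as stated in the thread).
EXPECTED_TYPE = {"xauth_t": "xauth_home_t"}

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?\bname="(?P<name>[^"]*)"'
                    r'.*?scontext=(?P<scontext>\S+).*?tcontext=(?P<tcontext>\S+).*?tclass=(?P<tclass>\S+)')

def parse_avc(line):
    """Pull the triage-relevant fields out of one raw AVC record (None if not an AVC denial)."""
    m = AVC_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["perms"] = d["perms"].split()
    d["stype"] = d["scontext"].split(":")[2]  # source domain, e.g. xauth_t
    d["ttype"] = d["tcontext"].split(":")[2]  # target file type, e.g. admin_home_t
    return d

def classify(avc):
    """'relabel': the file does not carry the type this domain is meant to use, so it is
    mislabeled and restorecon is the fix. 'policy': the label is right and the policy itself
    lacks the rule, the only case where audit2allow's allow line is the right answer."""
    expected = EXPECTED_TYPE.get(avc["stype"])
    if expected is None:
        return "unknown"
    return "policy" if avc["ttype"] == expected else "relabel"

def triage(lines):
    """(file name, target type, verdict) for every AVC denial in the input."""
    return [(a["name"], a["ttype"], classify(a)) for a in map(parse_avc, lines) if a]

def mislabeled(listing, expected="xauth_home_t"):
    """File names in an ls -Z listing whose type differs from the expected one."""
    return [f[4] for f in (row.split() for row in listing.splitlines())
            if len(f) >= 5 and f[3].split(":")[2] != expected]
```

Both denials in this bug come out as "relabel", which matches the thread's conclusion that the file is created with the wrong label rather than the policy lacking a rule.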
The bug is in pam_xauth. It needs to create the file with the correct label.
I am working on a patch.
Gave me the error several times this evening, opening up System Log Viewer and/or opening a terminal on the desktop and using su - to get root access.
The bug might be in pam_xauth, but how is it possible that pam_xauth works fine in most cases? I've tried 'su -' on a fully updated F-12 machine and it worked fine; the .xauth* files were created with the xauth_home_t context.
I think it matters whether the exec'd xauth creates the file or pam_xauth creates it. Also, are you running the restorecond service?
*** Bug 530663 has been marked as a duplicate of this bug. ***
*** Bug 531699 has been marked as a duplicate of this bug. ***
Ok, I can finally reproduce it if I stop restorecond. So the patch to pam_xauth should be applied; however, I am still curious why such a huge number of users is suddenly having this problem.
I had a different problem and started transitioning from unconfined_t to xauth_t to fix it. Which revealed this bug. The proper thing is to have this file labeled correctly always, since it is security sensitive.
I still think there might be some problem with restorecond, as on one computer where a reproducer was found, restorecond ran only as the user process (restorecond -u) and not as the main daemon. However, I am patching pam_xauth to label the file correctly from the start.
Yes, restorecond will only run as a user process unless the admin selects to run it as a system service.
The fixed pam package was tagged to dist-f12 so it should appear in rawhide tomorrow.