Bug 532748 - SELinux is preventing the /usr/bin/xauth from using potentially mislabeled files (xauth.XXXXulGkJY).
Summary: SELinux is preventing the /usr/bin/xauth from using potentially mislabeled fi...
Alias: None
Product: Fedora
Classification: Fedora
Component: kdebase-runtime
Version: rawhide
Hardware: x86_64
OS: Linux
Target Milestone: ---
Assignee: Than Ngo
QA Contact: Fedora Extras Quality Assurance
Whiteboard: setroubleshoot_trace_hash:87e1938a8b3...
: 533096 (view as bug list)
Depends On: 531746
Blocks: F12Blocker-kde
TreeView+ depends on / blocked
Reported: 2009-11-03 17:29 UTC by Michal Hlavinka
Modified: 2009-11-05 08:48 UTC (History)
13 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2009-11-04 23:48:16 UTC
Type: ---

Attachments (Terms of Use)

Description Michal Hlavinka 2009-11-03 17:29:29 UTC

SELinux is preventing the /usr/bin/xauth from using potentially mislabeled files

Detailed Description:

SELinux has denied xauth access to potentially mislabeled file(s)
(xauth.XXXXulGkJY). This means that SELinux will not allow xauth to use these
files. It is common for users to edit files in their home directory or tmp
directories and then move (mv) them to system directories. The problem is that
the files end up with the wrong file context which confined applications are not
allowed to access.

Allowing Access:

If you want xauth to access this files, you need to relabel them using
restorecon -v 'xauth.XXXXulGkJY'. You might want to relabel the entire directory
using restorecon -R -v ''.

Additional Information:

Source Context                unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:user_tmp_t:s0
Target Objects                xauth.XXXXulGkJY [ file ]
Source                        xauth
Source Path                   /usr/bin/xauth
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           xorg-x11-xauth-1.0.2-7.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-39.fc12
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   home_tmp_bad_labels
Host Name                     (removed)
Platform                      Linux (removed)
                     #1 SMP Tue Nov 3 00:28:52
                              EST 2009 x86_64 x86_64
Alert Count                   1
First Seen                    Tue 03 Nov 2009 06:27:48 PM CET
Last Seen                     Tue 03 Nov 2009 06:27:48 PM CET
Local ID                      2dc04747-1cfb-4428-a422-f21c03187e28
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1257269268.83:27041): avc:  denied  { unlink } for  pid=3104 comm="xauth" name="xauth.XXXXulGkJY" dev=sda3 ino=9145 scontext=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1257269268.83:27041): arch=c000003e syscall=87 success=no exit=-13 a0=11c6010 a1=34c4d7be80 a2=e2f a3=1 items=0 ppid=3103 pid=3104 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts5 ses=1 comm="xauth" exe="/usr/bin/xauth" subj=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023 key=(null)

Hash String generated from  selinux-policy-3.6.32-39.fc12,home_tmp_bad_labels,xauth,xauth_t,user_tmp_t,file,unlink
audit2allow suggests:

#============= xauth_t ==============
allow xauth_t user_tmp_t:file unlink;

Comment 1 Michal Hlavinka 2009-11-03 17:31:59 UTC
this looks like other "xauth" selinux denials, but (at least for me) this one is different:

1) not in home, but in /tmp/
2) I'm using latest selinux-policy I've found in koji, where (afaik) the ordinary "xauth" problem should be fixed
3) this reports file as misslabeled, but when I do "ls -Z /tmp" the file is there, but with different context:
-rw-------. root     root     unconfined_u:object_r:xauth_tmp_t:s0 xauth.XXXXCu1LDS-n

Comment 2 Michal Hlavinka 2009-11-03 17:34:34 UTC
this selinux denial is preventing me from using system settings in kde that require root password first (for example login manager and samba)

Comment 3 Michal Hlavinka 2009-11-03 18:01:58 UTC
this is simplified reproducer:
/usr/libexec/kde4/kdesu -c /bin/true

it means that everything what requires root privileges in kde (and is not using policykit or something like that) wont work

Comment 4 Michal Hlavinka 2009-11-03 20:22:32 UTC
also bug #531746 is required to get kdesu work

Comment 5 Rex Dieter 2009-11-03 21:24:24 UTC
 up'd to 3.6.32-40.fc12 problem remained.

This is indeed bad news, adding to the -kde spin blocker

Comment 6 Daniel Walsh 2009-11-04 13:35:32 UTC
Does kdesu create a file in /tmp and then mv it to /root?  Or does it leave it in /tmp?

I can add a allow rule for F12 in Fixed in selinux-policy-3.6.32-41.fc12.noarch

But I would like to fix the behaviour to act correctly.

Comment 7 Michal Hlavinka 2009-11-04 13:40:45 UTC
was this really fixed or it was just closed by bot?

Comment 8 Daniel Walsh 2009-11-04 14:13:27 UTC
Maybe I am a bot.  No I have allowed the access bug I need the kdesu people to explain how their app works?

Relying on root objects looking at the same /tmp as the user might be a mistake.

Comment 9 Rex Dieter 2009-11-04 15:38:00 UTC

Anyone know of how kdesu works, or wants the task to find out (by looking at code, or asking upstream)?

(I'll test the selinux workaround, and drop from the tracker).

Comment 10 Rex Dieter 2009-11-04 15:44:14 UTC
Hrm, I see no newer selinux-policy builds yet, so I guess I can't test anything.  Dan, please ping us (or rel-eng folks) when it is.

Comment 11 Rex Dieter 2009-11-04 17:54:45 UTC
selinux-policy-3.6.32-41.fc12 confirmed good.

Comment 12 Adam Williamson 2009-11-04 18:19:33 UTC
please don't drop the bug from the blocker list; that makes those of us working on the blocker list lose track of it. we can't be sure the issue's taken care of properly until the fixed build is tagged.

tag request is: https://fedorahosted.org/rel-eng/ticket/3088

Fedora Bugzappers volunteer triage team

Comment 13 James Laska 2009-11-04 19:57:44 UTC
I'll queue up a retest and report back shortly ...

Comment 14 James Laska 2009-11-04 23:43:19 UTC
Also tested and confirmed the fix using selinux-policy-3.6.32-41.fc12.  Thanks for the simple reproducer: 

/usr/libexec/kde4/kdesu -c /bin/true

Comment 15 James Laska 2009-11-04 23:47:31 UTC
selinux-policy-3.6.32-41.fc12 has been tagged and the fix has been confirmed multiple times.  Moving this issue to MODIFIED, then CLOSED RAWHIDE.

Comment 16 Miroslav Grepl 2009-11-05 08:48:05 UTC
*** Bug 533096 has been marked as a duplicate of this bug. ***

Note You need to log in before you can comment on or make changes to this bug.