Bug 539998 - SELinux is preventing /usr/sbin/sshd "read" access on /usr/NX/home/nx/.ssh/authorized_keys2
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 12
Hardware: i386
OS: Linux
low
medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2009-11-21 21:52 UTC by Richard
Modified: 2010-08-20 01:45 UTC (History)

Fixed In Version: selinux-policy-3.6.32-120.fc12
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-12-03 13:34:25 UTC


Attachments
selinux log (2.61 KB, text/plain)
2009-11-21 21:53 UTC, Richard

Description Richard 2009-11-21 21:52:25 UTC
When trying to connect to the NX server, the client will fail to connect and the server will show the attached SELinux error.

Version: NoMachine NX 3.4.0-8



Cause:

After looking through various other bugs (which seem to show the same error, but the directory in question is /var/lib/nxserver/home/.ssh/ which is strange, perhaps NoMachine have moved the directories in a new version) I have managed to fix this by setting the following contexts:

/usr/NX/home/nx/.ssh(/.*)?    system_u:object_r:nx_server_home_ssh_t:s0
/usr/NX/home/nx    system_u:object_r:nx_server_home_ssh_t:s0

The second one was also required, as it complained about that after fixing the first.

Is it possible to release these contexts in an SELinux policy?

I hope this is submitted correctly, it's my first so if I have missed something let me know and I will add it!


Related:

483507, 539549, 522817

Comment 1 Richard 2009-11-21 21:53:09 UTC
Created attachment 372800
selinux log

Comment 2 Axel Thimm 2009-11-22 00:30:18 UTC
/usr/NX is not used by Fedora packages. You probably have the NoMachine build installed.

This build is in contrast to the FHS, so I'd recommend using Fedora's build. If you do need the NoMachine build, then only a selinux policy entry could help, so I'm moving this to the selinux component. But still this is an external package which uses non-custom filesystem layout violating some assumptions about /usr.

Comment 3 Daniel Walsh 2009-11-23 15:17:25 UTC
I will fix the labeling for /opt/NX but you should use the fedora package.

Fixed in selinux-policy-3.6.32-48.fc12.noarch

Comment 4 Richard 2009-11-23 15:24:45 UTC
Many thanks both, next time I will use the Fedora build :)

Comment 5 Fedora Update System 2009-11-23 23:39:41 UTC
selinux-policy-3.6.32-49.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-49.fc12

Comment 6 Fedora Update System 2009-11-25 15:22:59 UTC
selinux-policy-3.6.32-49.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2009-12131

Comment 7 Richard 2009-11-27 13:36:38 UTC
Unless I did something wrong, policy 3.6.32-49 has not implemented any changes for NX.
Just FYI, I did the following to remove my own policy:

semanage fcontext -d "/usr/NX/home(/.*)?"
restorecon -Rv /usr/NX/home/

Then I updated to new policy, rebooted and tested the dir but get the following:

[root@laptop ~]# ls -aRZ /usr/NX/home/nx/
/usr/NX/home/nx/:
drwx------. nx   root system_u:object_r:usr_t:s0       .
drwxr-xr-x. root root system_u:object_r:usr_t:s0       ..
-rw-r--r--. nx   root system_u:object_r:usr_t:s0       .bash_logout
-rw-r--r--. nx   root system_u:object_r:usr_t:s0       .bash_profile
-rw-r--r--. nx   root system_u:object_r:usr_t:s0       .bashrc
-rw-r--r--. nx   root system_u:object_r:usr_t:s0       .hushlogin
drwx------. nx   root system_u:object_r:usr_t:s0       .ssh
-rw-------. nx   nx   system_u:object_r:usr_t:s0       .Xauthority

/usr/NX/home/nx/.ssh:
drwx------. nx root system_u:object_r:usr_t:s0       .
drwx------. nx root system_u:object_r:usr_t:s0       ..
-rw-r--r--. nx root system_u:object_r:usr_t:s0       authorized_keys2
-rw-r--r--. nx root system_u:object_r:usr_t:s0       default.id_dsa.pub
-rw-r--r--. nx nx   system_u:object_r:usr_t:s0       known_hosts
-rw-r--r--. nx root system_u:object_r:usr_t:s0       restore.id_dsa.pub



I tried another restorecon -Rv /usr/NX/home/ just in case, to no avail.

Do I need to relabel the filesystem, I assumed not?

Comment 8 Daniel Walsh 2009-12-01 15:44:43 UTC
You're right, I lied.  :^(

Fixed in selinux-policy-3.6.32-52.fc12.noarch

Comment 9 Fedora Update System 2009-12-01 16:51:11 UTC
selinux-policy-3.6.32-52.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-52.fc12

Comment 10 Fedora Update System 2009-12-02 04:34:09 UTC
selinux-policy-3.6.32-49.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 11 Richard 2009-12-02 08:02:23 UTC
This was closed as fixed in selinux-policy-3.6.32-49.fc12 but that is incorrect.
Waiting for selinux-policy-3.6.32-52.fc12 to be pushed to the testing repository.

Comment 12 Fedora Update System 2009-12-03 04:58:09 UTC
selinux-policy-3.6.32-52.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2009-12549

Comment 13 Richard 2009-12-03 13:11:36 UTC
Problem persists, again looks like nothing has been changed on the directory/files:

[remote@laptop ~]$ rpm -q selinux-policy
selinux-policy-3.6.32-52.fc12.noarch


[remote@laptop ~]# ls -aZ /usr/NX/home/nx/.ssh/
drwx------. nx root system_u:object_r:usr_t:s0       .
drwx------. nx root system_u:object_r:usr_t:s0       ..
-rw-r--r--. nx root system_u:object_r:usr_t:s0       authorized_keys2
-rw-r--r--. nx root system_u:object_r:usr_t:s0       default.id_dsa.pub
-rw-r--r--. nx nx   system_u:object_r:usr_t:s0       known_hosts
-rw-r--r--. nx root system_u:object_r:usr_t:s0       restore.id_dsa.pub

Comment 14 Miroslav Grepl 2009-12-03 13:22:29 UTC
Make sure that you also updated the selinux-policy-targeted package.

rpm -q selinux-policy-targeted
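
The diagnosis from comments 13 and 14, as an added example that is not part of the bug thread: it checks whether selinux-policy and selinux-policy-targeted are the same build, then lists entries in `ls -Z` output whose type is not the expected one. The function names, the selinux-policy-targeted version and the third sample line are assumptions; the expected type nx_server_home_ssh_t is the one the reporter set in the description.

```shell
#!/bin/sh
# Added example: why labels can stay at usr_t after a selinux-policy update.

# Strip the package name ($2) from an `rpm -q` result ($1),
# leaving version-release.arch.
vr_of() { printf '%s\n' "${1#"$2"-}"; }

# Succeeds only when both policy packages carry the same build.
policy_in_sync() {
    [ "$(vr_of "$1" selinux-policy)" = "$(vr_of "$2" selinux-policy-targeted)" ]
}

# Read `ls -Z` lines on stdin; print "name: type" for every entry whose
# SELinux type differs from $1. The context is found as the first
# user:role:type:level field, so both the older column layout seen in this
# bug and the newer "context name" layout work. Names with spaces are not handled.
mislabeled() {
    awk -v want="$1" '{
        for (i = 1; i < NF; i++)
            if (split($i, c, ":") >= 4) {
                if (c[3] != want) print $NF ": " c[3]
                break
            }
    }'
}

# Sample input: the first two lines are copied from comment 13, the third is constructed.
SAMPLE_LS='-rw-r--r--. nx root system_u:object_r:usr_t:s0       authorized_keys2
-rw-r--r--. nx nx   system_u:object_r:usr_t:s0       known_hosts
system_u:object_r:nx_server_home_ssh_t:s0 default.id_dsa.pub'

BASE=selinux-policy-3.6.32-52.fc12.noarch               # from comment 13
TARGETED=selinux-policy-targeted-3.6.32-49.fc12.noarch  # assumed; not shown in the thread

# Print a package verdict followed by the mislabeled entries.
report() {
    if policy_in_sync "$1" "$2"; then
        echo "policy packages in sync"
    else
        echo "MISMATCH: $1 vs $2"
    fi
    printf '%s\n' "$3" | mislabeled "$4"
}

report "$BASE" "$TARGETED" "$SAMPLE_LS" nx_server_home_ssh_t
```

On a live host, pass the output of `rpm -q selinux-policy`, `rpm -q selinux-policy-targeted` and `ls -Z` instead of the sample values; `matchpathcon -V <path>` compares a file's on-disk label with the installed policy directly.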

Comment 15 Richard 2009-12-03 13:34:25 UTC
Ah ha, that did it, many thanks, I've closed it as working now.

Comment 16 Miroslav Grepl 2009-12-03 13:41:36 UTC
Richard,

could you click the following link and update the karma please. 

https://admin.fedoraproject.org/updates/F12/FEDORA-2009-12549

Comment 17 Fedora Update System 2009-12-03 20:29:21 UTC
selinux-policy-3.6.32-55.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-55.fc12

Comment 18 Fedora Update System 2009-12-08 07:54:20 UTC
selinux-policy-3.6.32-55.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 19 Fedora Update System 2010-08-05 13:19:58 UTC
selinux-policy-3.6.32-120.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-120.fc12

Comment 20 Fedora Update System 2010-08-20 01:40:17 UTC
selinux-policy-3.6.32-120.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

