When trying to connect to the NX server, the client will fail to connect and the server will show the attached SELinux error. Version: NoMachine NX 3.4.0-8 Cause: After looking through various other bugs (which seem to show the same error, but the directory in question is /var/lib/nxserver/home/.ssh/ which is strange, perhaps NoMachine have moved the directories in a new version) I have managed to fix this by setting the following contexts : /usr/NX/home/nx/.ssh(/.*)? system_u:object_r:nx_server_home_ssh_t:s0 /usr/NX/home/nx system_u:object_r:nx_server_home_ssh_t:s0 The second one was also required, as it complained about that after fixing the first. Is it possible to release these contexts in an SELinux policy? I hope this is submitted correctly, it's my first so if I have missed something let me know and I will add it! Related : 483507, 539549, 522817
Created attachment 372800 [details] selinux log
/usr/NX is not used by Fedora packages. You probably have the Nomachine build installed. This build is in contrast to the FHS, so I'd recommend using Fedora's build. If you do need the Nomachine build, then only a selinux policy entry could help, so I'm moving this to the selinux component. But still this is an external package which uses non-custom filesystem layout violating some assumptions about /usr.
I will fix the labeling for /opt/NX but you should use the fedora package. Fixed in selinux-policy-3.6.32-48.fc12.noarch
Many thanks both, next time I will use the Fedora build :)
selinux-policy-3.6.32-49.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-49.fc12
selinux-policy-3.6.32-49.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2009-12131
Unless I did something wrong, policy 3.6.32-49 has not implented any changes for NX. Just FYI, I did the following to remove my own policy: semanage fcontext -d "/usr/NX/home(/.*)?" restorecon -Rv /usr/NX/home/ Then I updated to new policy, rebooted and tested the dir but get the following: [root@laptop ~]# ls -aRZ /usr/NX/home/nx/ /usr/NX/home/nx/: drwx------. nx root system_u:object_r:usr_t:s0 . drwxr-xr-x. root root system_u:object_r:usr_t:s0 .. -rw-r--r--. nx root system_u:object_r:usr_t:s0 .bash_logout -rw-r--r--. nx root system_u:object_r:usr_t:s0 .bash_profile -rw-r--r--. nx root system_u:object_r:usr_t:s0 .bashrc -rw-r--r--. nx root system_u:object_r:usr_t:s0 .hushlogin drwx------. nx root system_u:object_r:usr_t:s0 .ssh -rw-------. nx nx system_u:object_r:usr_t:s0 .Xauthority /usr/NX/home/nx/.ssh: drwx------. nx root system_u:object_r:usr_t:s0 . drwx------. nx root system_u:object_r:usr_t:s0 .. -rw-r--r--. nx root system_u:object_r:usr_t:s0 authorized_keys2 -rw-r--r--. nx root system_u:object_r:usr_t:s0 default.id_dsa.pub -rw-r--r--. nx nx system_u:object_r:usr_t:s0 known_hosts -rw-r--r--. nx root system_u:object_r:usr_t:s0 restore.id_dsa.pub I tried another restorecon -Rv /usr/NX/home/ just incase, to no avail. Do I need to relabel the filesystem, I assumed not?
Your right I lied. :^( Fixed in selinux-policy-3.6.32-52.fc12.noarch
selinux-policy-3.6.32-52.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-52.fc12
selinux-policy-3.6.32-49.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
This was closed as fixed in selinux-policy-3.6.32-49.fc12 but that is incorrect. Waiting for selinux-policy-3.6.32-52.fc12 to be pushed to the testing repository.
selinux-policy-3.6.32-52.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2009-12549
Problem persists, again looks like nothing has been changed on the directory/files: [remote@laptop ~]$ rpm -q selinux-policy selinux-policy-3.6.32-52.fc12.noarch [remote@laptop ~]# ls -aZ /usr/NX/home/nx/.ssh/ drwx------. nx root system_u:object_r:usr_t:s0 . drwx------. nx root system_u:object_r:usr_t:s0 .. -rw-r--r--. nx root system_u:object_r:usr_t:s0 authorized_keys2 -rw-r--r--. nx root system_u:object_r:usr_t:s0 default.id_dsa.pub -rw-r--r--. nx nx system_u:object_r:usr_t:s0 known_hosts -rw-r--r--. nx root system_u:object_r:usr_t:s0 restore.id_dsa.pub
Make sure, that you also updated selinux-policy-targeted package. rpm -q selinux-policy-targeted
Ah ha, that did it, many thanks, I've closed it as working now.
Richard, could you click the following link and update the karma please. https://admin.fedoraproject.org/updates/F12/FEDORA-2009-12549
selinux-policy-3.6.32-55.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-55.fc12
selinux-policy-3.6.32-55.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
selinux-policy-3.6.32-120.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-120.fc12
selinux-policy-3.6.32-120.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.