Bug 756936 - X can't forward through ssh
Summary: X can't forward through ssh
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 16
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Reported: 2011-11-25 08:19 UTC by Vasiliy Glazov
Modified: 2012-04-22 03:35 UTC (History)

Fixed In Version: selinux-policy-3.10.0-84.fc16
Doc Type: Bug Fix
Last Closed: 2012-04-22 03:35:50 UTC


Attachments
Selinux log (5.33 KB, text/x-log)
2012-03-15 16:38 UTC, Vasiliy Glazov

Description Vasiliy Glazov 2011-11-25 08:19:50 UTC
Description of problem:
When I try to connect through ssh -X
I see the message
/home/vascom/.Xauthority not writable, changes will be ignored

and can't run any GUI program.

I found that changing permissions does not help, but disabling SELinux (enforce 0) solves the problem.
I can't find any SELinux warnings in /var/log/audit/audit.log or /var/log/audit/messages.log

Version-Release number of selected component (if applicable):
libselinux-python-2.1.6-4.fc16.x86_64
libselinux-utils-2.1.6-4.fc16.x86_64
selinux-policy-targeted-3.10.0-56.fc16.noarch
libselinux-devel-2.1.6-4.fc16.x86_64
selinux-policy-3.10.0-56.fc16.noarch
libselinux-2.1.6-4.fc16.x86_64


How reproducible:
Always

Steps to Reproduce:
ssh -X to Fedora 16
  
Please, correct this problem.

Comment 1 Miroslav Grepl 2011-11-28 09:05:26 UTC
If you execute

# restorecon -R -v /home/vascom/.Xauthority

does it fix the issue?

Comment 2 Vasiliy Glazov 2011-11-30 15:08:31 UTC
No, it does not fix the problem.

Comment 3 Miroslav Grepl 2011-12-02 10:19:07 UTC
Ok,
could you execute on the server

# setenforce 0
# semodule -DB

try to ssh -X to this server

# ausearch -m avc -ts recent > ssh_selinux.log
# semodule -B

And attach this log please. Also could you add outputs of

# ls -Z /home/vascom/.Xauthority

# matchpathcon /home/vascom/.Xauthority

Comment 4 Vasiliy Glazov 2012-03-15 16:38:07 UTC
Created attachment 570350
Selinux log

ls -Z /home/vascom/.Xauthority
-rw-------. vascom vascom system_u:object_r:xdm_home_t:s0  /home/vascom/.Xauthority

matchpathcon /home/vascom/.Xauthority
/home/vascom/.Xauthority        unconfined_u:object_r:xauth_home_t:s0

Comment 5 Daniel Walsh 2012-03-16 15:53:07 UTC
Miroslav did we back port all of the file trans rules from F17 into F16?

 sesearch -T -s xdm_t -t user_home_dir_t | grep Xauth
WARNING: Policy would be downgraded from version 27 to 26.
type_transition xdm_t user_home_dir_t : file xauth_home_t ".Xauth"; 
type_transition xdm_t user_home_dir_t : file xauth_home_t ".Xauthority-c"; 
type_transition xdm_t user_home_dir_t : file xauth_home_t ".Xauthority-l"; 
type_transition xdm_t user_home_dir_t : file xauth_home_t ".Xauthority";

Comment 6 Miroslav Grepl 2012-03-19 14:11:40 UTC
type_transition xdm_t user_home_dir_t : file xauth_home_t ".Xauthority-c"; 
type_transition xdm_t user_home_dir_t : file xauth_home_t ".Xauthority-l"; 

is missing.
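
The two checks made in comments 4 to 6, as an added example that is not part of the original bug report: compare a file's on-disk SELinux type with the policy default, and list which named file transitions are absent from captured sesearch output. The function names are hypothetical, the ls -Z and matchpathcon lines are copied from comment 4, and the sesearch sample is constructed from comment 5's output with the two rules comment 6 reports missing left out.

```shell
#!/usr/bin/env bash
# Added example: offline checks over captured command output (no SELinux needed).

# Print the SELinux type from the first user:role:type:level field on a line.
# Works for both `ls -Z` and `matchpathcon` output, whatever column it is in.
ctx_type() {
    printf '%s\n' "$1" | awk '{ for (i = 1; i <= NF; i++)
        if (split($i, c, ":") >= 4) { print c[3]; exit } }'
}

# Compare an `ls -Z` line ($1) with a `matchpathcon` line ($2) for one file.
label_check() {
    on_disk=$(ctx_type "$1")
    policy=$(ctx_type "$2")
    if [ "$on_disk" = "$policy" ]; then
        echo "ok"
    else
        echo "mislabeled: $on_disk (policy default: $policy)"
    fi
}

# Print every filename ($2...) that has no named type_transition to
# xauth_home_t in the sesearch output passed as $1.
missing_transitions() {
    rules=$1; shift
    for name in "$@"; do
        # Match the quoted name exactly so ".Xauth" does not match ".Xauthority".
        printf '%s\n' "$rules" | grep -qF "xauth_home_t \"$name\";" \
            || printf '%s\n' "$name"
    done
}

# Lines copied from comment 4.
LS_Z_LINE='-rw-------. vascom vascom system_u:object_r:xdm_home_t:s0  /home/vascom/.Xauthority'
MATCHPATHCON_LINE='/home/vascom/.Xauthority        unconfined_u:object_r:xauth_home_t:s0'

# Constructed sample: comment 5's rule list minus the two rules comment 6
# says are missing. Not captured from a real Fedora 16 system.
SESEARCH_SAMPLE='type_transition xdm_t user_home_dir_t : file xauth_home_t ".Xauth";
type_transition xdm_t user_home_dir_t : file xauth_home_t ".Xauthority";'

label_check "$LS_Z_LINE" "$MATCHPATHCON_LINE"
missing_transitions "$SESEARCH_SAMPLE" .Xauth .Xauthority .Xauthority-c .Xauthority-l
```

On a live system the same functions can be fed the real output of ls -Z, matchpathcon and sesearch instead of the embedded samples.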

Comment 7 Fedora Update System 2012-04-18 12:53:39 UTC
selinux-policy-3.10.0-84.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-84.fc16

Comment 8 Fedora Update System 2012-04-22 03:35:50 UTC
selinux-policy-3.10.0-84.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.

