Bug 994752 - selinux policy causing "timeout in locking authority file" with xauth
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 19
Hardware: x86_64 Linux
Priority: unspecified
Severity: high
Assigned To: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Keywords: Reopened
Reported: 2013-08-07 20:30 EDT by JR
Modified: 2013-10-24 13:50 EDT
Doc Type: Bug Fix
Last Closed: 2013-10-24 13:50:31 EDT
Type: Bug
Description JR 2013-08-07 20:30:55 EDT
Description of problem:

xauth fails due to SELinux blocking:
type=AVC msg=audit(1375919844.58:513): avc:  denied  { write } for  pid=1568 comm="xauth" name="USER" dev="dm-0" ino=261633 scontext=user_u:user_r:xauth_t:s0 tcontext=user_u:object_r:user_home_dir_t:s0 tclass=dir

/usr/bin/xauth:  timeout in locking authority file /home/USER/.Xauthority

Therefore X11 Forwarding fails

Note: /home is an encrypted partition

Version-Release number of selected component (if applicable):
selinux-policy              noarch     3.12.1-69.fc19
selinux-policy-devel        noarch     3.12.1-69.fc19
selinux-policy-targeted     noarch     3.12.1-69.fc19

How reproducible:
Always

Steps to Reproduce:
1. Create a user (confine them to user_u) and set a password for the user
2. ssh -X user@localhost

Actual results:

Connection hangs and X11 Forwarding fails

Expected results:

Direct login, .Xauthority file created and X11 Forwarding should work
Additional info:
Comment 1 Miroslav Grepl 2013-08-08 07:56:56 EDT
Please execute

# restorecon -R -v /home

to fix labeling.
Comment 2 JR 2013-08-08 19:13:20 EDT
Bad news:

# restorecon -R -v /home

Then as a user:

$ ssh -X USER@localhost
Last login: Thu Aug  8 06:54:02 2013 from localhost.localdomain
/usr/bin/xauth:  timeout in locking authority file /home/USER/.Xauthority

with an entry in the audit.log file of:

type=AVC msg=audit(1376003043.928:516): avc:  denied  { write } for  pid=1754 comm="xauth" name="USER" dev="dm-0" ino=261633 scontext=user_u:user_r:xauth_t:s0 tcontext=user_u:object_r:user_home_dir_t:s0 tclass=dir

If we look at the SELinux labels of the files:

ls -lahZ (in /home/USER)
drwx------. USER USER user_u:object_r:user_home_dir_t:s0 .
<..snip..>
-rw-------. USER USER user_u:object_r:xauth_home_t:s0  .Xauthority
Comment 3 Daniel Walsh 2013-08-09 08:48:37 EDT
1c6e172d9f095a296028935973c17b6a2e263d67 allows xauth_t to create ~/.Xauthority
in git.
Comment 4 JR 2013-08-12 18:45:41 EDT
Great!  If there is a F19 package I can test with the change, please let me know.  Verification won't be very hard as I'm using ssh -X all over the place.

Thanks!
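
A triage sketch for the two denials quoted in the Description and Comment 2, added here as an example and not part of the bug thread or of selinux-policy: it parses the AVC records, collapses duplicates, and compares the denied target type with the `ls -Z` label shown after `restorecon`. The function names and the policy-versus-labeling rule are assumptions of this example.

```python
import re

# The two AVC records and the two ls -Z lines quoted in this bug report.
AUDIT_LINES = [
    'type=AVC msg=audit(1375919844.58:513): avc:  denied  { write } for  pid=1568 comm="xauth" name="USER" dev="dm-0" ino=261633 scontext=user_u:user_r:xauth_t:s0 tcontext=user_u:object_r:user_home_dir_t:s0 tclass=dir',
    'type=AVC msg=audit(1376003043.928:516): avc:  denied  { write } for  pid=1754 comm="xauth" name="USER" dev="dm-0" ino=261633 scontext=user_u:user_r:xauth_t:s0 tcontext=user_u:object_r:user_home_dir_t:s0 tclass=dir',
]
LS_Z = [
    'drwx------. USER USER user_u:object_r:user_home_dir_t:s0 .',
    '-rw-------. USER USER user_u:object_r:xauth_home_t:s0  .Xauthority',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the denial as a dict, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('fields'))}
    rec['perms'] = m.group('perms').split()
    # A context is user:role:type:level; the type is the third field.
    rec['stype'] = rec['scontext'].split(':')[2]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    return rec

def summarize(lines):
    """Count denials per unique (source type, target type, class, perms)."""
    counts = {}
    for rec in filter(None, map(parse_avc, lines)):
        key = (rec['stype'], rec['ttype'], rec['tclass'], tuple(rec['perms']))
        counts[key] = counts.get(key, 0) + 1
    return counts

def ls_z_type(line):
    """Return (file name, SELinux type) from one `ls -Z` line in the format above."""
    fields = line.split()
    return fields[-1], fields[3].split(':')[2]

def triage(rec, on_disk_type):
    """If the label seen after restorecon equals the denied target type, relabeling
    cannot change the decision and the denial is a missing policy rule."""
    return 'policy' if on_disk_type == rec['ttype'] else 'labeling'

if __name__ == '__main__':
    for key, n in summarize(AUDIT_LINES).items():
        print(n, 'x', key)
    print(triage(parse_avc(AUDIT_LINES[1]), ls_z_type(LS_Z[0])[1]))
```

The denied object is the home directory itself (`tclass=dir`), not `.Xauthority`; write permission on a directory is what creating a file inside it requires.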
