On Tue, 13 Jul 2010, Gary Stainburn wrote:

> [gary@dcomp5 ~]$ ssh -Y -C lcomp3 -l root
> root@lcomp3's password:
> Last login: Tue Jul 13 16:04:20 2010 from gary.ringways.co.uk
> [root@lcomp3 ~]# kcalc
> [root@lcomp3 ~]# logout
> [gary@dcomp5 ~]$ ssh -Y -C lcomp3
> gary@lcomp3's password:
> Last login: Tue Jul 13 15:55:16 2010 from gary.ringways.co.uk
> /usr/bin/xauth: timeout in locking authority file /home/gary/.Xauthority
> [gary@lcomp3 ~]$ kcalc
> X11 connection rejected because of wrong authentication.
> kcalc: cannot connect to X server localhost:11.0
> [gary@lcomp3 ~]$

xauth fails to regenerate the .Xauthority file because of selinux. I have seen
this on many F12/F13. You can test this by removing the .Xauthority* files and
putting selinux in permissive mode.

My solution was to generate a custom policy file:

>>>>>>>>>>> xauthI.log <<<<<
type=AVC msg=audit(1275899931.248:12726): avc: denied { write } for pid=2989 comm="xauth" name=".Xauthority" dev=sda6 ino=652876 scontext=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_home_t:s0 tclass=file
type=AVC msg=audit(1275899931.252:12727): avc: denied { read } for pid=2989 comm="xauth" name=".Xauthority" dev=sda6 ino=652876 scontext=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_home_t:s0 tclass=file
type=AVC msg=audit(1275900392.342:13101): avc: denied { open } for pid=3750 comm="xauth" name=".Xauthority" dev=sda6 ino=652876 scontext=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_home_t:s0 tclass=file
type=AVC msg=audit(1275900612.472:13355): avc: denied { getattr } for pid=4401 comm="xauth" path="/home/xxxx/.Xauthority" dev=sda6 ino=653013 scontext=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_home_t:s0 tclass=file
type=AVC msg=audit(1275900681.673:13378): avc: denied { unlink } for pid=4453 comm="xauth" name=".Xauthority" dev=sda6 ino=653013 scontext=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_home_t:s0 tclass=file
<<<<<<<<<<<<<<<<<<<<<<<<<<<<

# cat xauthI.log | audit2allow -M xauthI
# semodule -i xauthI.pp

(do not forget to re-enable selinux if required).

Also have a look in xauthI.te:
#!!!! This avc has a dontaudit rule in the current policy

So this is why you won't see an "avc: denied" in /var/log/audit/audit.log.

Gabriel

--
// Gabriel VLASIU
//
// OpenGPG-KeyID      : 0xE684206E
// OpenGPG-Fingerprint: 0C3D 9F8B 725D E243 CB3C 8428 796A DB1F E684 206E
// OpenGPG-URL        : http://www.vlasiu.net/public.key
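
Added example, not part of the original message or of any SELinux tool: a small shell/awk reducer that turns AVC denial records like the ones in xauthI.log into the allow rules they imply, so the scope of a generated module can be reviewed before `semodule -i`. The function names, the shortened sample records and the demo_t types are assumptions made for the illustration.

```shell
# Added example (not from the original post): show which allow rules a batch
# of AVC denials implies, for review before loading a module built from them.

# Constructed sample: the five denials from the post with ids shortened, one
# made-up multi-permission record (demo_t is hypothetical) and a non-AVC
# line that must be ignored.
sample_avc() {
cat <<'EOF'
type=AVC msg=audit(0:1): avc: denied { write } for pid=1 comm="xauth" name=".Xauthority" scontext=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_home_t:s0 tclass=file
type=AVC msg=audit(0:2): avc: denied { read } for pid=1 comm="xauth" name=".Xauthority" scontext=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_home_t:s0 tclass=file
type=AVC msg=audit(0:3): avc: denied { open } for pid=2 comm="xauth" name=".Xauthority" scontext=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_home_t:s0 tclass=file
type=AVC msg=audit(0:4): avc: denied { getattr } for pid=3 comm="xauth" path="/home/xxxx/.Xauthority" scontext=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_home_t:s0 tclass=file
type=AVC msg=audit(0:5): avc: denied { unlink } for pid=4 comm="xauth" name=".Xauthority" scontext=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_home_t:s0 tclass=file
type=AVC msg=audit(0:6): avc: denied { read write } for pid=5 comm="demo" scontext=system_u:system_r:demo_t:s0 tcontext=system_u:object_r:demo_tmp_t:s0 tclass=dir
type=SYSCALL msg=audit(0:7): arch=c000003e syscall=2 success=no comm="xauth"
EOF
}

# Reduce records on stdin to "allow <source> <target>:<class> { perms };".
avc_summary() {
    awk '
    /avc:[ ]*denied/ {
        src = tgt = cls = ""
        for (i = 1; i <= NF; i++) {
            # The type is the third colon-separated part of a context.
            if ($i ~ /^scontext=/) { split(substr($i, 10), a, ":"); src = a[3] }
            if ($i ~ /^tcontext=/) { split(substr($i, 10), a, ":"); tgt = a[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        if (src == "" || tgt == "" || cls == "") next   # truncated record
        perms = $0
        sub(/^.*denied[ ]*[{][ ]*/, "", perms)
        sub(/[ ]*[}].*$/, "", perms)
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++) print src, tgt ":" cls, p[j]
    }' | LC_ALL=C sort -u | awk '
    {
        key = $1 " " $2
        if (key != prev) {
            if (prev != "") print "allow " prev " { " list " };"
            prev = key; list = $3
        } else list = list " " $3
    }
    END { if (prev != "") print "allow " prev " { " list " };" }'
}

sample_avc | avc_summary
```

The target type in each rule is worth comparing with what `matchpathcon` reports for the file's path: if they differ, the file is mislabeled and `restorecon -v` on it is a narrower fix than a new allow rule.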