On Fri, 2008-07-11 at 15:43 +0000, Carl D. Roth wrote:
> On Fri, 11 Jul 2008 08:14:21 -0700, Dan Thurman wrote:
>
> > I am not sure what this is, and /.xauth does not exist, but here is the
> > log:
> > ================================
> > Summary:
> >
> > SELinux is preventing su (initrc_su_t) "execute" to ./xauth
> > (xauth_exec_t).
> >
> > Detailed Description:
> >
>
> I had that happen on one of my systems too. It was starting a service in
> init.d that changed userid's via 'su'. Since it was a headless
> application (i.e. daemon) I chose to ignore the errors as follows:
>
>   gen_require(`
>     type initrc_su_t;
>     type sshd_t;
>     type xauth_exec_t;
>   ')
>
>   dontaudit initrc_su_t sshd_t:key { search };
>   dontaudit initrc_su_t xauth_exec_t:file { execute };
>
> As you can see, the 'su' session also tried to grovel around for SSH keys.

If there is a service which runs su in init scripts it should be
reported as a bug on the package which owns the service. 'runuser' should
be used instead of 'su' in init scripts.

--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
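
Added example, not part of the original thread or of any Fedora package: one way to find init scripts that still call su, so each can be reported against its owning package and moved to runuser as the reply above recommends. The function names, the default directory and the sample scripts are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: list init scripts that still invoke su.

# Print "file:line:text" for non-comment lines that run su as a command.
# Heuristic only: a quoted string containing " su " also matches.
# Returns 0 when at least one hit is printed, 1 otherwise.
find_su_in_initscripts() {
    dir=${1:-/etc/rc.d/init.d}   # assumed default location of init scripts
    grep -EnH '(^|[[:space:];&|(`])(/bin/|/usr/bin/)?su([[:space:]]|$)' \
        "$dir"/* 2>/dev/null |
        grep -Ev '^[^:]+:[0-9]+:[[:space:]]*#'
}

# Print "script<TAB>owning package" once per script with a hit.
# Uses rpm -qf when rpm is installed; otherwise the owner is "unknown".
report_su_owners() {
    find_su_in_initscripts "$1" | cut -d: -f1 | sort -u |
    while IFS= read -r script; do
        if command -v rpm >/dev/null 2>&1; then
            owner=$(rpm -qf "$script" 2>/dev/null) || owner="not owned by a package"
        else
            owner="unknown"
        fi
        printf '%s\t%s\n' "$script" "$owner"
    done
}

# Constructed sample data: three made-up init scripts in a temp directory.
make_sample_initdir() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '#!/bin/sh' '# old habit: su - app -c /opt/app/run' \
        'su - app -c "/opt/app/run"' > "$d/appd"
    printf '%s\n' '#!/bin/sh' 'runuser -s /bin/sh app -c "/opt/app/run"' \
        > "$d/gooddaemon"
    printf '%s\n' '#!/bin/sh' 'sudo -u app /opt/app/run' \
        '[ -x /opt/x ] && /bin/su app -c /opt/x' > "$d/mixed"
    echo "$d"
}
```

Each hit is a candidate for a bug report against the owning package; the scan does not change SELinux policy or audit behaviour.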