Re: AVC:s on xauth file when doing su

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Tue, Dec 29, 2009 at 10:32:19PM +0100, Göran Uddeborg wrote:
> Whenever I do "su" in an xterm window, I get two AVC denials.  The
> command xauth is denied to read and write a file .xauthXXXXX where
> XXXXX is some random string different each time.  (I encose an example
> below.)
> 
> I would bugzilla this, but I'm (as often) not quite sure if it's the
> policy or if it's me.  That is, if maybe this is not intended to be
> allowed?  Or if there there something else I might be missing?  I
> can't see any boolean I would connect to this.
> 
> So, is this a bug I should report, or is it intentional?

I think this may be a bug here:

optional_policy(`
		domain_trans(sshd_t, xauth_exec_t, userdomain)
	')

I do not think we want sshd_t to domain transition to a user domain upon executing files with type xauth_exec_t.

Instead i would argue for a xauth_domtrans(sshd_t)

I could be wrong and i do not know about any complications.

I think this is a valid bug. consider reporting it with the AVC denials and my analys to bugzilla/selinux-policy.



> 
> ----
> time->Tue Dec 29 21:32:48 2009
> type=SYSCALL msg=audit(1262118768.835:41732): arch=c000003e syscall=21 success=no exit=-13 a0=7fff99bd14d5 a1=2 a2=0 a3=7fff99bcfd10 items=0 ppid=5506 pid=5511 auid=503 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts6 ses=96 comm="xauth" exe="/usr/bin/xauth" subj=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1262118768.835:41732): avc:  denied  { write } for  pid=5511 comm="xauth" name=".xauthbDy84s" dev=dm-0 ino=5341320 scontext=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
> ----
> time->Tue Dec 29 21:32:48 2009
> type=SYSCALL msg=audit(1262118768.836:41733): arch=c000003e syscall=2 success=no exit=-13 a0=7fff99bd14d5 a1=0 a2=1b6 a3=0 items=0 ppid=5506 pid=5511 auid=503 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts6 ses=96 comm="xauth" exe="/usr/bin/xauth" subj=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1262118768.836:41733): avc:  denied  { read } for  pid=5511 comm="xauth" name=".xauthbDy84s" dev=dm-0 ino=5341320 scontext=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
> 
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Attachment: pgp0X6hNxy0FA.pgp
Description: PGP signature

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux