Hello,
I have a strange (for me) problem with these two machines : - Client, a CentOS-5.7 workstation ; - Server, a CentOS-6.2 headless, up-to-date server.
From Client, I want to use xauth on Server with the help of rsh (yes, I know, ssh and all this sort of things... another time.)
When SELinux is in permissive mode on Server, all these commands perform as expected : rsh Server /usr/bin/xauth info rsh Server /usr/bin/xauth list xauth nextract - Client:0.0 | rsh Server /usr/bin/xauth nmerge -
But when SELinux is in enforcing mode on Server, the commands fail with this message : bash: /usr/bin/xauth: Permission denied
and /var/log/audit/audit.log shows the following errors : type=SELINUX_ERR msg=audit(1326381080.364:610): security_compute_sid: invalid context system_u:system_r:xauth_t:s0-s0:c0.c1023 for scontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xauth_exec_t:s0 tclass=process
type=AVC msg=audit(1326381080.364:610): avc: denied { write } for pid=3487 comm="xauth" path="pipe:[21744]" dev=pipefs ino=21744 scontext=system_u:system_r:xauth_t:s0-s0:c0.c1023 tcontext=system_u:system_r:rshd_t:s0-s0:c0.c1023 tclass=fifo_file
type=AVC msg=audit(1326381080.369:611): avc: denied { getattr } for pid=3487 comm="xauth" path="socket:[21700]" dev=sockfs ino=21700 scontext=system_u:system_r:xauth_t:s0-s0:c0.c1023 tcontext=system_u:system_r:inetd_t:s0-s0:c0.c1023 tclass=tcp_socket
The output from audit2allow is here : $ grep AVC /var/log/audit/audit.log | audit2allow libsepol.context_from_record: invalid security context: "system_u:system_r:xauth_t:s0-s0:c0.c1023" libsepol.context_from_record: could not create context structure libsepol.context_from_string: could not create context structure libsepol.sepol_context_to_sid: could not convert system_u:system_r:xauth_t:s0-s0:c0.c1023 to sid (these 4 lines are repeated 2 times)
On Server, after creating a new authority file (with rsh again, while Server is in permissive mode), I find : $ ls -Z .Xauthority -rw-------. naudin biom system_u:object_r:xauth_home_t:s0 .Xauthority
I don't have this problem on a CentOS-5.7 server with the same configuration.
Any idea (other than ssh) on how to solve it ?
Thanks,
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 01/13/2012 03:33 AM, Philippe Naudin wrote:
Hello,
I have a strange (for me) problem with these two machines : - Client, a CentOS-5.7 workstation ; - Server, a CentOS-6.2 headless, up-to-date server.
From Client, I want to use xauth on Server with the help of rsh (yes, I
know, ssh and all this sort of things... another time.)
When SELinux is in permissive mode on Server, all these commands perform as expected : rsh Server /usr/bin/xauth info rsh Server /usr/bin/xauth list xauth nextract - Client:0.0 | rsh Server /usr/bin/xauth nmerge -
But when SELinux is in enforcing mode on Server, the commands fail with this message : bash: /usr/bin/xauth: Permission denied
and /var/log/audit/audit.log shows the following errors : type=SELINUX_ERR msg=audit(1326381080.364:610): security_compute_sid: invalid context system_u:system_r:xauth_t:s0-s0:c0.c1023 for scontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xauth_exec_t:s0 tclass=process
type=AVC msg=audit(1326381080.364:610): avc: denied { write } for pid=3487 comm="xauth" path="pipe:[21744]" dev=pipefs ino=21744 scontext=system_u:system_r:xauth_t:s0-s0:c0.c1023 tcontext=system_u:system_r:rshd_t:s0-s0:c0.c1023 tclass=fifo_file
type=AVC msg=audit(1326381080.369:611): avc: denied { getattr } for pid=3487 comm="xauth" path="socket:[21700]" dev=sockfs ino=21700 scontext=system_u:system_r:xauth_t:s0-s0:c0.c1023 tcontext=system_u:system_r:inetd_t:s0-s0:c0.c1023 tclass=tcp_socket
The output from audit2allow is here : $ grep AVC /var/log/audit/audit.log | audit2allow libsepol.context_from_record: invalid security context: "system_u:system_r:xauth_t:s0-s0:c0.c1023" libsepol.context_from_record: could not create context structure libsepol.context_from_string: could not create context structure libsepol.sepol_context_to_sid: could not convert system_u:system_r:xauth_t:s0-s0:c0.c1023 to sid (these 4 lines are repeated 2 times)
On Server, after creating a new authority file (with rsh again, while Server is in permissive mode), I find : $ ls -Z .Xauthority -rw-------. naudin biom system_u:object_r:xauth_home_t:s0 .Xauthority
I don't have this problem on a CentOS-5.7 server with the same configuration.
Any idea (other than ssh) on how to solve it ?
Thanks,
If you add a
policy_module(myxauth, 1.0) gen_requires(` type xauth_t; role system_r; ')
role system_r types xauth_t;
It should fix the first problem, not sure the other two are important.
-
Daniel J Walsh -
Philippe Naudin