Hello All,
I set up LTSP regularly on CentOS 6 machines.
This morning I have an SELinux problem that usually does not occur: after setting everything up, the thin clients boot, but nobody can log in.
It only works after the command:
# echo 0 > /selinux/enforce
I tried this semanage command:
# semanage fcontext -a -t bin_t /usr/bin/xauth
but it makes no difference.
The message I'm now seeing in /var/log/audit/audit.log:
type=AVC msg=audit(1385112688.399:67769): avc: denied { write } for pid=8218 comm="xauth" name="caw" dev=md1 ino=262145 scontext=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir
type=SYSCALL msg=audit(1385112688.399:67769): arch=c000003e syscall=2 success=no exit=-13 a0=7fffdecf5c60 a1=c1 a2=180 a3=8 items=0 ppid=8217 pid=8218 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=9 comm="xauth" exe="/usr/bin/xauth" subj=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023 key=(null)
Can anybody help me overcome this without disabling SELinux?
Many thanks. Greetings, J.
On 11/25/2013 07:26 AM, Johan Vermeulen wrote:
The problem here is the directory caw is mislabeled.
restorecon -R -v /home
Should fix its label.
The message I'm now seeing in /var/log/audit/audit.log:
type=AVC msg=audit(1385112688.399:67769): avc: denied { write } for pid=8218 comm="xauth" name="caw" dev=md1 ino=262145 scontext=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir
type=SYSCALL msg=audit(1385112688.399:67769): arch=c000003e syscall=2 success=no exit=-13 a0=7fffdecf5c60 a1=c1 a2=180 a3=8 items=0 ppid=8217 pid=8218 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=9 comm="xauth" exe="/usr/bin/xauth" subj=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023 key=(null)
You may try to add the following rules to your local policy, but do you really need this? It seems like you shouldn't have any problems with non-root accounts.
module local 1.0;

require {
        type xauth_t;
        type home_root_t;
        class dir write;
}

#============= xauth_t ==============
#!!!! The source type 'xauth_t' can write to a 'dir' of the following types:
# user_home_t, xauth_tmp_t, var_lib_t, xdm_var_run_t, admin_home_t, user_home_dir_t, tmp_t, user_tmp_t, nx_server_var_lib_t, nfs_t

allow xauth_t home_root_t:dir write;
On 11/25/2013 09:03 AM, ????????? ???????? wrote:
No this is not correct. The problem is the parent directory should be user_home_dir_t not home_root_t.
restorecon -R -v /home
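The point Dan makes in this reply is the one worth automating: before pasting an audit2allow module into local policy, check whether the target's label is simply wrong for its path. The script below is an added example and is not code from the thread or from the SELinux tools. It parses the AVC record posted above (embedded here as constructed sample input, SYSCALL half dropped), compares the target type against the labels the stock targeted policy gives /home, a user's home directory and its contents (home_root_t, user_home_dir_t, user_home_t), and uses the list of writable types from the audit2allow comment to decide between "relabel" and "real policy gap". The path /home/caw is an assumption: the record only says the denied directory is named "caw" and carries home_root_t; the EXPECTED_HOME_LABELS table assumes the default /home layout.

```python
import re

# AVC record from this thread, used here as constructed sample input (the SYSCALL
# half of the event is dropped; the AVC half carries everything the triage needs).
AVC_LINE = (
    "type=AVC msg=audit(1385112688.399:67769): avc: denied { write } for pid=8218 "
    'comm="xauth" name="caw" dev=md1 ino=262145 '
    "scontext=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023 "
    "tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir"
)

# Directory types xauth_t may write to, copied from the audit2allow comment in the thread.
XAUTH_WRITABLE_DIR_TYPES = {
    "user_home_t", "xauth_tmp_t", "var_lib_t", "xdm_var_run_t", "admin_home_t",
    "user_home_dir_t", "tmp_t", "user_tmp_t", "nx_server_var_lib_t", "nfs_t",
}

# Labels the stock targeted policy assigns under /home (what restorecon restores):
# /home itself, each user's home directory, and everything beneath it.
# Assumption: default /home layout; a relocated home tree needs a
# "semanage fcontext -a -e /home /srv/home" style equivalence before this table applies.
EXPECTED_HOME_LABELS = (
    (re.compile(r"^/home/?$"), "home_root_t"),
    (re.compile(r"^/home/[^/]+/?$"), "user_home_dir_t"),
    (re.compile(r"^/home/[^/]+/.+$"), "user_home_t"),
)

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Split one AVC record into permissions, key=value fields and bare source/target types."""
    match = AVC_RE.search(line)
    if match is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(match.group("fields"))}
    rec = dict(fields)
    rec["perms"] = match.group("perms").split()
    # A security context is user:role:type[:range]; only the type matters for the rule.
    rec["stype"] = fields["scontext"].split(":")[2]
    rec["ttype"] = fields["tcontext"].split(":")[2]
    return rec


def expected_type(path):
    """Label the file-context spec would give path, or None when this table does not know."""
    for pattern, label in EXPECTED_HOME_LABELS:
        if pattern.match(path):
            return label
    return None


def triage(rec, target_path, allowed_types):
    """Classify a denial: a wrong label is fixed with restorecon; only a correct label that
    the policy still forbids is a candidate for a local module or a boolean."""
    actual = rec["ttype"]
    expected = expected_type(target_path)
    perms = " ".join(rec["perms"])
    if expected is not None and expected != actual:
        advice = "%s is %s but should be %s: run restorecon -R -v %s" % (
            target_path, actual, expected, target_path)
        if expected not in allowed_types:
            advice += " (expect a further denial: %s may not %s %s either)" % (
                rec["stype"], perms, expected)
        return "mislabeled", advice
    if actual not in allowed_types:
        return "policy_gap", "%s is correctly %s, which %s may not %s; review the policy instead of allowing it blindly" % (
            target_path, actual, rec["stype"], perms)
    return "unexplained", "%s is labeled %s, which is expected and allowed; look at the other records of the event" % (
        target_path, actual)


if __name__ == "__main__":
    rec = parse_avc(AVC_LINE)
    # The denied target is the directory "caw" labeled home_root_t; /home/caw is assumed.
    print(triage(rec, "/home/caw", XAUTH_WRITABLE_DIR_TYPES))
```

Run against the posted record it reports "mislabeled" and recommends restorecon, the same answer given in the thread; the allow rule from audit2allow would only be justified when the target carries the label the file-context spec says it should and the policy still denies the access.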
On 25-11-13 15:10, Daniel J Walsh wrote:
Hello All,
thanks for the replies.
I did test this with users other than root.
Trying with restorecon -R -v /home
Output:
......
......
restorecon reset /home/avanbussel/data context unconfined_u:object_r:home_root_t:s0->unconfined_u:object_r:user_home_t:s0
restorecon reset /home/avanbussel/.bashrc context unconfined_u:object_r:home_root_t:s0->unconfined_u:object_r:user_home_t:s0
restorecon reset /home/avanbussel/.bash_logout context unconfined_u:object_r:home_root_t:s0->unconfined_u:object_r:user_home_t:s0
The girls who work there will let me know soon enough if it (doesn't) work.
Greetings, J.