[CentOS] ltsp & Selinux

Mon Nov 25 14:03:36 UTC 2013
Александр Кириллов <nevis2us at infoline.su>

> The message I'm now seeing in /var/log/audit/audit.log :
> 
> type=AVC msg=audit(1385112688.399:67769): avc:  denied  { write } for pid=8218 comm="xauth" name="caw" dev=md1 ino=262145 scontext=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir
> type=SYSCALL msg=audit(1385112688.399:67769): arch=c000003e syscall=2 success=no exit=-13 a0=7fffdecf5c60 a1=c1 a2=180 a3=8 items=0 ppid=8217 pid=8218 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=9 comm="xauth" exe="/usr/bin/xauth" subj=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023 key=(null)

You may try to add the following rules to your local policy, but do you 
really need this? It seems like you shouldn't have any problems with 
non-root accounts.

module local 1.0;

require {
	type xauth_t;
	type home_root_t;
	class dir write;
}

#============= xauth_t ==============
#!!!! The source type 'xauth_t' can write to a 'dir' of the following types:
# user_home_t, xauth_tmp_t, var_lib_t, xdm_var_run_t, admin_home_t, user_home_dir_t, tmp_t, user_tmp_t, nx_server_var_lib_t, nfs_t

allow xauth_t home_root_t:dir write;
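As an added example (not part of the mail above or of audit2allow itself): the script below turns the quoted AVC record into the same kind of local module, the way `audit2allow -M local` does for a single denial, then shows the label check a practitioner would run before loading it and the checkmodule/semodule_package/semodule steps that install it. The AVC record only carries the basename "caw", so the path /home/caw used for the label check is an assumption; the check matters because a user home directory should be user_home_dir_t, which the comment above already lists as writable by xauth_t, so if `matchpathcon` and `ls -dZ` disagree a `restorecon` removes the denial without any custom policy. The tool-dependent steps skip themselves when the tools are not installed.

```shell
#!/bin/sh
# Added example, not from the original mail: build a local SELinux module
# from one AVC "denied" record, mirroring what `audit2allow -M local` emits.

# Constructed sample: the AVC record from the quoted audit.log, on one line.
AVC='type=AVC msg=audit(1385112688.399:67769): avc:  denied  { write } for pid=8218 comm="xauth" name="caw" dev=md1 ino=262145 scontext=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir'

# Extract one field from an AVC record. A context is user:role:type[:range],
# so the type is the third colon-separated component.
avc_field() {
    case $2 in
        perms)  printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([^}]*[^} ]\) *}.*/\1/p' ;;
        stype)  printf '%s\n' "$1" | sed -n 's/.*scontext=[^:]*:[^:]*:\([^: ]*\).*/\1/p' ;;
        ttype)  printf '%s\n' "$1" | sed -n 's/.*tcontext=[^:]*:[^:]*:\([^: ]*\).*/\1/p' ;;
        tclass) printf '%s\n' "$1" | sed -n 's/.*tclass=\([^ ]*\).*/\1/p' ;;
    esac
}

# The single allow rule audit2allow would generate for this record.
avc_to_allow() {
    printf 'allow %s %s:%s { %s };\n' \
        "$(avc_field "$1" stype)" "$(avc_field "$1" ttype)" \
        "$(avc_field "$1" tclass)" "$(avc_field "$1" perms)"
}

# A complete .te module (header, require block, allow rule) named $2.
avc_to_te() {
    _s=$(avc_field "$1" stype); _t=$(avc_field "$1" ttype)
    _c=$(avc_field "$1" tclass); _p=$(avc_field "$1" perms)
    printf 'module %s 1.0;\n\nrequire {\n\ttype %s;\n\ttype %s;\n\tclass %s { %s };\n}\n\n' \
        "$2" "$_s" "$_t" "$_c" "$_p"
    printf 'allow %s %s:%s { %s };\n' "$_s" "$_t" "$_c" "$_p"
}

# Before loading anything: does the denied directory carry the label the
# file contexts say it should? If expected and actual differ, run
# `restorecon -v PATH` instead of adding policy. Skipped without SELinux tools.
check_label() {
    command -v matchpathcon >/dev/null 2>&1 || { echo "matchpathcon not found; skipping label check" >&2; return 0; }
    [ -d "$1" ] || { echo "$1: no such directory; skipping label check" >&2; return 0; }
    echo "expected: $(matchpathcon "$1")"
    echo "actual:   $(ls -dZ "$1")"
}

# Compile and load $1.te as a policy module; needs policycoreutils and root.
build_and_load() {
    command -v checkmodule >/dev/null 2>&1 || { echo "checkmodule not found; skipping build" >&2; return 0; }
    checkmodule -M -m -o "$1.mod" "$1.te" &&
    semodule_package -o "$1.pp" -m "$1.mod" &&
    semodule -i "$1.pp"
}

workdir=$(mktemp -d)
avc_to_te "$AVC" local > "$workdir/local.te"
cat "$workdir/local.te"
check_label /home/caw          # assumed path: the AVC only gives name="caw"
build_and_load "$workdir/local"
```

The require block is derived from the same record as the allow rule, so the module stays minimal; if several denials are involved, feed them through audit2allow instead, which also merges the require statements.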