[CentOS] ltsp & Selinux

Mon Nov 25 15:47:09 UTC 2013
Johan Vermeulen <jvermeulen at cawdekempen.be>

On 25-11-13 15:10, Daniel J Walsh wrote:
>
> On 11/25/2013 09:03 AM, ????????? ???????? wrote:
>>> The message I'm now seeing in /var/log/audit/audit.log :
>>>
>>> type=AVC msg=audit(1385112688.399:67769): avc:  denied  { write } for
>>> pid=8218 comm="xauth" name="caw" dev=md1 ino=262145
>>> scontext=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023
>>> tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir
>>>
>>> type=SYSCALL msg=audit(1385112688.399:67769): arch=c000003e syscall=2
>>> success=no exit=-13 a0=7fffdecf5c60 a1=c1 a2=180 a3=8 items=0 ppid=8217
>>> pid=8218 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500
>>> sgid=500 fsgid=500 tty=(none) ses=9 comm="xauth" exe="/usr/bin/xauth"
>>> subj=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023 key=(null)
>> You may try to add the following rules to your local policy, but do you
>> really need this? It seems like you shouldn't have any problems with
>> non-root accounts.
>>
>> module local 1.0;
>>
>> require { type xauth_t; type home_root_t; class dir write; }
>>
>> #============= xauth_t ==============
>> #!!!! The source type 'xauth_t' can write to a 'dir' of the following types:
>> # user_home_t, xauth_tmp_t, var_lib_t, xdm_var_run_t, admin_home_t,
>> # user_home_dir_t, tmp_t, user_tmp_t, nx_server_var_lib_t, nfs_t
>>
>> allow xauth_t home_root_t:dir write;
>>
>>
>> _______________________________________________ CentOS mailing list
>> CentOS at centos.org http://lists.centos.org/mailman/listinfo/centos
>>
> No this is not correct.  The problem is the parent directory should be
> user_home_dir_t not home_root_t.
>
> restorecon -R -v /home
>

Hello All,

thanks for the replies.

I did test this with a user other than root.

Trying with restorecon -R -v /home

output :

......
......
restorecon reset /home/avanbussel/data context unconfined_u:object_r:home_root_t:s0->unconfined_u:object_r:user_home_t:s0
restorecon reset /home/avanbussel/.bashrc context unconfined_u:object_r:home_root_t:s0->unconfined_u:object_r:user_home_t:s0
restorecon reset /home/avanbussel/.bash_logout context unconfined_u:object_r:home_root_t:s0->unconfined_u:object_r:user_home_t:s0

The girls who work there will let me know soon enough if it (doesn't)
work.

Greetings, J.
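The point of Daniel Walsh's reply is that the denial should be triaged before any allow rule is written: the target type on the denied object (home_root_t on a file inside a user's home) is wrong for that path, so the fix is relabeling, not policy. The script below is an added example, not code from the thread or from the CentOS project. It parses a constructed AVC line modelled on the one posted, pulls out the source type, target type, class and permission, and classifies the denial as "relabel" when the target carries a type that a user's home tree should never have (home_root_t, default_t, unlabeled_t are assumed to be the interesting cases here) and "policy" otherwise. The fix_labels function wraps the restorecon command from the thread and is only run when called explicitly; the expected contexts in its comments (home_root_t on /home, user_home_dir_t on the home directory itself, user_home_t underneath) are what the RHEL/CentOS 6 targeted policy assigns and can be confirmed with matchpathcon.

```shell
#!/bin/sh
# Added example: triage an SELinux AVC denial before deciding between
# "relabel" and "write a local policy module".  Not from the original thread.

# Constructed sample, modelled on the denial posted in the thread.
SAMPLE_AVC='type=AVC msg=audit(1385112688.399:67769): avc:  denied  { write } for  pid=8218 comm="xauth" name="caw" dev=md1 ino=262145 scontext=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir'

# avc_field LINE KEY -> value of " KEY=value" with surrounding quotes removed.
# The leading whitespace anchor keeps "scontext" from matching inside "tcontext".
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p" | tr -d '"'
}

# context_type CONTEXT -> the type component of user:role:type[:range].
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_perm LINE -> the permission listed inside "{ ... }".
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*{ *\([^}]*\) *}.*/\1/p' | tr -d ' '
}

# triage_avc LINE -> "relabel" if the target type is one that files under a
# user's home directory should never carry (assumed list), else "policy".
# A "policy" answer still needs a human look (audit2why) before allowing anything.
triage_avc() {
    ttype=$(context_type "$(avc_field "$1" tcontext)")
    case "$ttype" in
        home_root_t|default_t|unlabeled_t) echo relabel ;;
        *) echo policy ;;
    esac
}

# fix_labels DIR -> relabel DIR from the file-context database, as suggested in
# the thread.  Only runs when called explicitly; needs root and policycoreutils.
# Expected results on a RHEL/CentOS 6 targeted policy (check with
# `matchpathcon /home /home/alice /home/alice/.bashrc`):
#   /home                 -> system_u:object_r:home_root_t:s0
#   /home/alice           -> unconfined_u:object_r:user_home_dir_t:s0
#   /home/alice/.bashrc   -> unconfined_u:object_r:user_home_t:s0
fix_labels() {
    restorecon -R -v "$1"
}

# Stand-alone run: summarise the sample denial and state the recommended action.
stype=$(context_type "$(avc_field "$SAMPLE_AVC" scontext)")
ttype=$(context_type "$(avc_field "$SAMPLE_AVC" tcontext)")
printf '%s (%s) denied %s on %s labelled %s\n' \
    "$(avc_field "$SAMPLE_AVC" comm)" "$stype" "$(avc_perm "$SAMPLE_AVC")" \
    "$(avc_field "$SAMPLE_AVC" tclass)" "$ttype"
case "$(triage_avc "$SAMPLE_AVC")" in
    relabel) echo "action: relabel (e.g. fix_labels /home), do not add an allow rule" ;;
    policy)  echo "action: inspect with audit2why before considering a local module" ;;
esac
```

To use it on a live system, feed the output of `ausearch -m avc -ts recent` line by line through triage_avc, and only reach for audit2allow for denials that come back as "policy" and still make sense after reading them.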