AVC:s on xauth file when doing su
Dominick Grift
domg472 at gmail.com
Tue Dec 29 22:29:51 UTC 2009
On Tue, Dec 29, 2009 at 10:32:19PM +0100, Göran Uddeborg wrote:
> Whenever I do "su" in an xterm window, I get two AVC denials. The
> command xauth is denied to read and write a file .xauthXXXXX where
> XXXXX is some random string different each time. (I encose an example
> below.)
>
> I would bugzilla this, but I'm (as often) not quite sure if it's the
> policy or if it's me. That is, if maybe this is not intended to be
> allowed? Or if there there something else I might be missing? I
> can't see any boolean I would connect to this.
>
> So, is this a bug I should report, or is it intentional?
I think this may be a bug here:
optional_policy(`
domain_trans(sshd_t, xauth_exec_t, userdomain)
')
I do not think we want sshd_t to domain transition to a user domain upon executing files with type xauth_exec_t.
Instead i would argue for a xauth_domtrans(sshd_t)
I could be wrong and i do not know about any complications.
I think this is a valid bug. consider reporting it with the AVC denials and my analys to bugzilla/selinux-policy.
>
> ----
> time->Tue Dec 29 21:32:48 2009
> type=SYSCALL msg=audit(1262118768.835:41732): arch=c000003e syscall=21 success=no exit=-13 a0=7fff99bd14d5 a1=2 a2=0 a3=7fff99bcfd10 items=0 ppid=5506 pid=5511 auid=503 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts6 ses=96 comm="xauth" exe="/usr/bin/xauth" subj=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1262118768.835:41732): avc: denied { write } for pid=5511 comm="xauth" name=".xauthbDy84s" dev=dm-0 ino=5341320 scontext=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
> ----
> time->Tue Dec 29 21:32:48 2009
> type=SYSCALL msg=audit(1262118768.836:41733): arch=c000003e syscall=2 success=no exit=-13 a0=7fff99bd14d5 a1=0 a2=1b6 a3=0 items=0 ppid=5506 pid=5511 auid=503 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts6 ses=96 comm="xauth" exe="/usr/bin/xauth" subj=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1262118768.836:41733): avc: denied { read } for pid=5511 comm="xauth" name=".xauthbDy84s" dev=dm-0 ino=5341320 scontext=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
Url : http://lists.fedoraproject.org/pipermail/selinux/attachments/20091229/6caf01f4/attachment.bin
More information about the selinux
mailing list