On Tue, Dec 29, 2009 at 10:32:19PM +0100, Göran Uddeborg wrote:
Whenever I do "su" in an xterm window, I get two AVC
denials. The
command xauth is denied to read and write a file .xauthXXXXX where
XXXXX is some random string different each time. (I encose an example
below.)
I would bugzilla this, but I'm (as often) not quite sure if it's the
policy or if it's me. That is, if maybe this is not intended to be
allowed? Or if there there something else I might be missing? I
can't see any boolean I would connect to this.
So, is this a bug I should report, or is it intentional?
I think this may be a bug here:
optional_policy(`
domain_trans(sshd_t, xauth_exec_t, userdomain)
')
I do not think we want sshd_t to domain transition to a user domain upon executing files
with type xauth_exec_t.
Instead i would argue for a xauth_domtrans(sshd_t)
I could be wrong and i do not know about any complications.
I think this is a valid bug. consider reporting it with the AVC denials and my analys to
bugzilla/selinux-policy.
----
time->Tue Dec 29 21:32:48 2009
type=SYSCALL msg=audit(1262118768.835:41732): arch=c000003e syscall=21 success=no
exit=-13 a0=7fff99bd14d5 a1=2 a2=0 a3=7fff99bcfd10 items=0 ppid=5506 pid=5511 auid=503
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts6 ses=96
comm="xauth" exe="/usr/bin/xauth"
subj=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1262118768.835:41732): avc: denied { write } for pid=5511
comm="xauth" name=".xauthbDy84s" dev=dm-0 ino=5341320
scontext=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
----
time->Tue Dec 29 21:32:48 2009
type=SYSCALL msg=audit(1262118768.836:41733): arch=c000003e syscall=2 success=no exit=-13
a0=7fff99bd14d5 a1=0 a2=1b6 a3=0 items=0 ppid=5506 pid=5511 auid=503 uid=0 gid=0 euid=0
suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts6 ses=96 comm="xauth"
exe="/usr/bin/xauth" subj=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023
key=(null)
type=AVC msg=audit(1262118768.836:41733): avc: denied { read } for pid=5511
comm="xauth" name=".xauthbDy84s" dev=dm-0 ino=5341320
scontext=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
--
fedora-selinux-list mailing list
fedora-selinux-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list