SSH / permissions problem

Daniel J Walsh dwalsh at redhat.com
Wed Jul 14 12:01:42 UTC 2010 

On 07/14/2010 05:23 AM, Gabriel VLASIU wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On Tue, 13 Jul 2010, Gary Stainburn wrote:
> 
>> [gary at dcomp5 ~]$ ssh -Y -C lcomp3 -l root
>> root at lcomp3's password: 
>> Last login: Tue Jul 13 16:04:20 2010 from gary.ringways.co.uk
>> [root at lcomp3 ~]# kcalc 
>> [root at lcomp3 ~]# logout
>> [gary at dcomp5 ~]$ ssh -Y -C lcomp3
>> gary at lcomp3's password: 
>> Last login: Tue Jul 13 15:55:16 2010 from gary.ringways.co.uk
>> /usr/bin/xauth:  timeout in locking authority file /home/gary/.Xauthority
>> [gary at lcomp3 ~]$ kcalc
>> X11 connection rejected because of wrong authentication.
>> kcalc: cannot connect to X server localhost:11.0
>> [gary at lcomp3 ~]$ 
> xauth fail to regenerate the .Xauthority file because of selinux. I seen 
> this on many F12/F13.
> You can test this by removing .Xauthority* files and put selinux in 
> permissive mode.
> 
> My solution was to generate a custom policy file:
> 
>>>>>>>>>>>> xauthI.log <<<<<
> type=AVC msg=audit(1275899931.248:12726): avc:  denied  { write } for  pid=2989 comm="xauth" name=".Xauthority" dev=sda6 ino=652876 scontext=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_home_t:s0 tclass=file
> type=AVC msg=audit(1275899931.252:12727): avc:  denied  { read } for  pid=2989 comm="xauth" name=".Xauthority" dev=sda6 ino=652876 scontext=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_home_t:s0 tclass=file
> type=AVC msg=audit(1275900392.342:13101): avc:  denied  { open } for  pid=3750 comm="xauth" name=".Xauthority" dev=sda6 ino=652876 scontext=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_home_t:s0 tclass=file
> type=AVC msg=audit(1275900612.472:13355): avc:  denied  { getattr } for  pid=4401 comm="xauth" path="/home/xxxx/.Xauthority" dev=sda6 ino=653013 scontext=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_home_t:s0 tclass=file
> type=AVC msg=audit(1275900681.673:13378): avc:  denied  { unlink } for  pid=4453 comm="xauth" name=".Xauthority" dev=sda6 ino=653013 scontext=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_home_t:s0 tclass=file
> <<<<<<<<<<<<<<<<<<<<<<<<<<<<
> 
> # cat xauthI.log | audit2allow -M xauthI
> # semodule -i xauthI.pp 
> (do not forget to re-enable selinux if required).
> 
> Also have a look in xauthI.te:
> 	#!!!! This avc has a dontaudit rule in the current policy
> So this is why you wont see an "avc:  denied" in /var/log/audit/audit.log.
> 
> 
> Gabriel
> 
> - -- 
> 
> // Gabriel VLASIU
> //
> // OpenGPG-KeyID      : 0xE684206E
> // OpenGPG-Fingerprint: 0C3D 9F8B 725D E243 CB3C 8428 796A DB1F E684 206E
> // OpenGPG-URL        : http://www.vlasiu.net/public.key
> 
> 
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.5 (GNU/Linux)
> 
> iD8DBQFMPYIyeWrbH+aEIG4RAlb9AJ93KHE54MmafzPz7Od+Gvf1NMtJHgCfQxxa
> I7No0aEBuFT37d2m4MvY+uE=
> =axNB
> -----END PGP SIGNATURE-----




Are you using kdm to log in?  gdm does not create the .Xauthority file.

More information about the users mailing list