Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 157315 - Userhelper - xauth denials
Summary: Userhelper - xauth denials
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-strict
Version: rawhide
Hardware: i386
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2005-05-10 16:10 UTC by Ivan Gyurdiev
Modified: 2007-11-30 22:11 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-05-28 02:31:13 UTC


Attachments (Terms of Use)
Does this fix the problem? (deleted)
2005-05-12 20:16 UTC, Daniel Walsh
no flags Details

Description Ivan Gyurdiev 2005-05-10 16:10:49 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.7) Gecko/20050416 Fedora/1.0.3-2 Firefox/1.0.3

Description of problem:
Running any of system-config-* always generates a storm of xauth denials:

audit(1115740820.418:0): avc:  denied  { write } for  name=root dev=dm-0 ino=81121 scontext=phantom:staff_r:staff_userhelper_t tcontext=root:object_r:sysadm_home_dir_t tclass=dir
audit(1115740820.418:0): avc:  denied  { add_name } for  name=.xauthSCdlBH scontext=phantom:staff_r:staff_userhelper_t tcontext=root:object_r:sysadm_home_dir_t tclass=dir
audit(1115740820.418:0): avc:  denied  { create } for  name=.xauthSCdlBH scontext=phantom:staff_r:staff_userhelper_t tcontext=phantom:object_r:sysadm_home_dir_t tclass=file
audit(1115740820.419:0): avc:  denied  { setattr } for  name=.xauthSCdlBH dev=dm-0 ino=81140 scontext=phantom:staff_r:staff_userhelper_t tcontext=phantom:object_r:sysadm_home_dir_t tclass=file
audit(1115740820.421:0): avc:  denied  { search } for  name=root dev=dm-0 ino=81121 scontext=phantom:staff_r:staff_xauth_t tcontext=root:object_r:sysadm_home_dir_t tclass=dir
audit(1115740820.421:0): avc:  denied  { write } for  name=root dev=dm-0 ino=81121 scontext=phantom:staff_r:staff_xauth_t tcontext=root:object_r:sysadm_home_dir_t tclass=dir
audit(1115740820.421:0): avc:  denied  { add_name } for  name=.xauthSCdlBH-c scontext=phantom:staff_r:staff_xauth_t tcontext=root:object_r:sysadm_home_dir_t tclass=dir
audit(1115740820.421:0): avc:  denied  { create } for  name=.xauthSCdlBH-c scontext=phantom:staff_r:staff_xauth_t tcontext=phantom:object_r:sysadm_home_dir_t tclass=file
audit(1115740820.421:0): avc:  denied  { link } for  name=.xauthSCdlBH-c dev=dm-0 ino=81146 scontext=phantom:staff_r:staff_xauth_t tcontext=phantom:object_r:sysadm_home_dir_t tclass=file
audit(1115740820.421:0): avc:  denied  { write } for  name=.xauthSCdlBH dev=dm-0 ino=81140 scontext=phantom:staff_r:staff_xauth_t tcontext=phantom:object_r:sysadm_home_dir_t tclass=file
audit(1115740820.421:0): avc:  denied  { read } for  name=.xauthSCdlBH dev=dm-0 ino=81140 scontext=phantom:staff_r:staff_xauth_t tcontext=phantom:object_r:sysadm_home_dir_t tclass=file
audit(1115740820.421:0): avc:  denied  { getattr } for  path=/root/.xauthSCdlBH dev=dm-0 ino=81140 scontext=phantom:staff_r:staff_xauth_t tcontext=phantom:object_r:sysadm_home_dir_t tclass=file
audit(1115740820.422:0): avc:  denied  { remove_name } for  name=.xauthSCdlBH dev=dm-0 ino=81140 scontext=phantom:staff_r:staff_xauth_t tcontext=root:object_r:sysadm_home_dir_t tclass=dir
audit(1115740820.422:0): avc:  denied  { unlink } for  name=.xauthSCdlBH dev=dm-0 ino=81140 scontext=phantom:staff_r:staff_xauth_t tcontext=phantom:object_r:sysadm_home_dir_t tclass=file
audit(1115740863.919:0): avc:  denied  { remove_name } for  name=.xauthSCdlBH dev=dm-0 ino=83295 scontext=phantom:staff_r:staff_userhelper_t tcontext=root:object_r:sysadm_home_dir_t tclass=dir
audit(1115740863.919:0): avc:  denied  { unlink } for  name=.xauthSCdlBH dev=dm-0 ino=83295 scontext=phantom:staff_r:staff_userhelper_t tcontext=phantom:object_r:sysadm_home_dir_t tclass=file

Version-Release number of selected component (if applicable):
selinux-policy-strict-1.23.15-1

How reproducible:
Always

Steps to Reproduce:
1. Run system-config-*

Additional info:

Comment 1 Daniel Walsh 2005-05-12 17:02:54 UTC
Do the apps still work?

Dan

Comment 2 Ivan Gyurdiev 2005-05-12 19:18:56 UTC
No - none of them work, which makes this bug quite important...


Comment 3 Daniel Walsh 2005-05-12 20:16:34 UTC
Created attachment 114312 [details]
Does this fix the problem?

Comment 4 Ivan Gyurdiev 2005-05-12 21:00:03 UTC
It does not - it gets rid of the denials, but it still
doesn't work. Switching to permissive mode makes the apps work.
I guess some dontaudit rules cover up bugs - there's nothing in the log.

By the way, is this safe? Should $1_xauth_t be able to read/write
root xauth files?

Comment 5 Ivan Gyurdiev 2005-05-18 17:22:35 UTC
This dontaudit hides the bug:

# for some PAM modules and for cwd
#dontaudit $1_userhelper_t { home_root_t home_type }:dir search;

This makes it work:

allow $1_userhelper_t home_root_t:dir search;
allow $1_userhelper_t $1_home_dir_t:dir search;

(probably because it wants to search for xauth files... there
is a section later that lets it read $1_xauth_home_t)




Comment 6 Daniel Walsh 2005-05-18 17:52:57 UTC
Ok added to 1.23.16-4


Note You need to log in before you can comment on or make changes to this bug.