Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 498530 - ck-get-x11-server-pid AVC denial during ssh gnome-session startup
Summary: ck-get-x11-server-pid AVC denial during ssh gnome-session startup
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: K12LTSP
TreeView+ depends on / blocked
 
Reported: 2009-04-30 21:30 UTC by Warren Togami
Modified: 2009-05-01 17:58 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-05-01 17:58:38 UTC


Attachments (Terms of Use)

Description Warren Togami 2009-04-30 21:30:32 UTC
ConsoleKit-x11-0.3.0-8.fc11.x86_64
selinux-policy-3.6.12-23.fc11.noarch
gnome-session-2.26.1-1.fc11.x86_64

node=localhost.localdomain type=AVC msg=audit(1241139173.797:40518): avc:  denied  { name_connect } for  pid=4085 comm="ck-get-x11-serv" dest=6001 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xserver_port_t:s0 tclass=tcp_socket

node=localhost.localdomain type=SYSCALL msg=audit(1241139173.797:40518): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=1bfec10 a2=10 a3=7fff04a4c180 items=0 ppid=4084 pid=4085 auid=4294967295 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=(none) ses=4294967295 comm="ck-get-x11-serv" exe="/usr/libexec/ck-get-x11-server-pid" subj=system_u:system_r:consolekit_t:s0-s0:c0.c1023 key=(null)

ssh username@server -Y DISPLAY=IPADDRESS:1 gnome-session

gnome-session runs something that runs /usr/libexec/ck-get-x11-server-pid which gets an AVC denial.  Perhaps it isn't used to the case where the X server is running remotely.  In any case this is an annoying AVC for every LTSP thin client login.

Comment 1 Daniel Walsh 2009-05-01 17:58:38 UTC
Fixed in selinux-policy-3.6.12-27.fc11.noarch


Note You need to log in before you can comment on or make changes to this bug.