On Tue, Dec 29, 2009 at 10:32:19PM +0100, Göran Uddeborg wrote:
Whenever I do "su" in an xterm window, I get two AVC
denials. The
command xauth is denied to read and write a file .xauthXXXXX where
XXXXX is some random string different each time. (I encose an example
below.)
I would bugzilla this, but I'm (as often) not quite sure if it's the
policy or if it's me. That is, if maybe this is not intended to be
allowed? Or if there there something else I might be missing? I
can't see any boolean I would connect to this.
So, is this a bug I should report, or is it intentional?
Well for starters the file is mislabeled:
[root@localhost Desktop]# matchpathcon /root/.xauthbDy84s
/root/.xauthbDy84s system_u:object_r:xauth_home_t:s0
If the file was properly labeled the access would be allowed:
[root@localhost Desktop]# sesearch --allow -s xauth_t -t xauth_home_t
Found 2 semantic av rules:
allow xauth_t xauth_home_t : file { ioctl read write create getattr setattr lock append
unlink link rename open } ;
allow xauth_t file_type : filesystem getattr ;
The following policy would make source process type xauth_t create .xauth* files in /root
with type xauth_home_t:
allow xauth_t xauth_home_t:file manage_file_perms;
userdom_admin_home_dir_filetrans(xauth_t, xauth_home_t, file)
/root/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
The Question is: why did this not happen?
----
time->Tue Dec 29 21:32:48 2009
type=SYSCALL msg=audit(1262118768.835:41732): arch=c000003e syscall=21 success=no
exit=-13 a0=7fff99bd14d5 a1=2 a2=0 a3=7fff99bcfd10 items=0 ppid=5506 pid=5511 auid=503
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts6 ses=96
comm="xauth" exe="/usr/bin/xauth"
subj=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1262118768.835:41732): avc: denied { write } for pid=5511
comm="xauth" name=".xauthbDy84s" dev=dm-0 ino=5341320
scontext=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
----
time->Tue Dec 29 21:32:48 2009
type=SYSCALL msg=audit(1262118768.836:41733): arch=c000003e syscall=2 success=no exit=-13
a0=7fff99bd14d5 a1=0 a2=1b6 a3=0 items=0 ppid=5506 pid=5511 auid=503 uid=0 gid=0 euid=0
suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts6 ses=96 comm="xauth"
exe="/usr/bin/xauth" subj=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023
key=(null)
type=AVC msg=audit(1262118768.836:41733): avc: denied { read } for pid=5511
comm="xauth" name=".xauthbDy84s" dev=dm-0 ino=5341320
scontext=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
--
fedora-selinux-list mailing list
fedora-selinux-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list