AVC:s on xauth file when doing su
Dominick Grift
domg472 at gmail.com
Tue Dec 29 21:50:46 UTC 2009
On Tue, Dec 29, 2009 at 10:32:19PM +0100, Göran Uddeborg wrote:
> Whenever I do "su" in an xterm window, I get two AVC denials. The
> command xauth is denied to read and write a file .xauthXXXXX where
> XXXXX is some random string different each time. (I encose an example
> below.)
>
> I would bugzilla this, but I'm (as often) not quite sure if it's the
> policy or if it's me. That is, if maybe this is not intended to be
> allowed? Or if there there something else I might be missing? I
> can't see any boolean I would connect to this.
>
> So, is this a bug I should report, or is it intentional?
Well for starters the file is mislabeled:
[root at localhost Desktop]# matchpathcon /root/.xauthbDy84s
/root/.xauthbDy84s system_u:object_r:xauth_home_t:s0
If the file was properly labeled the access would be allowed:
[root at localhost Desktop]# sesearch --allow -s xauth_t -t xauth_home_t
Found 2 semantic av rules:
allow xauth_t xauth_home_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;
allow xauth_t file_type : filesystem getattr ;
The following policy would make source process type xauth_t create .xauth* files in /root with type xauth_home_t:
allow xauth_t xauth_home_t:file manage_file_perms;
userdom_admin_home_dir_filetrans(xauth_t, xauth_home_t, file)
/root/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
The Question is: why did this not happen?
>
> ----
> time->Tue Dec 29 21:32:48 2009
> type=SYSCALL msg=audit(1262118768.835:41732): arch=c000003e syscall=21 success=no exit=-13 a0=7fff99bd14d5 a1=2 a2=0 a3=7fff99bcfd10 items=0 ppid=5506 pid=5511 auid=503 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts6 ses=96 comm="xauth" exe="/usr/bin/xauth" subj=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1262118768.835:41732): avc: denied { write } for pid=5511 comm="xauth" name=".xauthbDy84s" dev=dm-0 ino=5341320 scontext=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
> ----
> time->Tue Dec 29 21:32:48 2009
> type=SYSCALL msg=audit(1262118768.836:41733): arch=c000003e syscall=2 success=no exit=-13 a0=7fff99bd14d5 a1=0 a2=1b6 a3=0 items=0 ppid=5506 pid=5511 auid=503 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts6 ses=96 comm="xauth" exe="/usr/bin/xauth" subj=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1262118768.836:41733): avc: denied { read } for pid=5511 comm="xauth" name=".xauthbDy84s" dev=dm-0 ino=5341320 scontext=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/fedora-selinux-list/attachments/20091229/60bf7dfe/attachment.sig>
More information about the fedora-selinux-list
mailing list