I've searched the archives about this particular problem and not found a reference to it. While a Google search yields some results, the solutions provided do not solve my problem.
When we run SELinux in enforcing mode and attempt to ssh to the host using the -X option (yes, I've tried the -Y option) a user will see a pause on the console and messages such as:
benites@host1's password:
Last login: Thu Mar 15 11:17:22 2012 from host0
/usr/bin/xauth:  error in locking authority file /home/benites/.Xauthority
[benites@host1 ~]$ xbiff
X11 connection rejected because of wrong authentication.
Error: Can't open display: localhost:10.0
[benites@host1 ~]$
If we switch the host to permissive mode the X11 forwarding works fine.
What is most peculiar is that there are no messages in audit log to identify why the forwarding is denied when we run in enforcing mode.
Some posts I have read suggest it has to do with the file context on the home directory and/or .Xauthority files:
[benites@host1 ~]$ ls -lZd /home/benites /home/benites/.Xauthority
drwxr-xr-x. benites users system_u:object_r:default_t:s0 /home/benites
-rw-------. benites users unconfined_u:object_r:default_t:s0 /home/benites/.Xauthority
I've tried changing the context on both, but nothing seems to fix the problem.
Any suggestions?
Thanks!
-- Bob
On Thu, 2012-03-15 at 11:35 -0400, Bob Benites wrote:
> [benites@host1 ~]$ ls -lZd /home/benites /home/benites/.Xauthority
> drwxr-xr-x. benites users system_u:object_r:default_t:s0 /home/benites
> -rw-------. benites users unconfined_u:object_r:default_t:s0 /home/benites/.Xauthority
your home directory is mislabeled.
what does matchpathcon return:
matchpathcon /home/benites
Does user benites have a home directory and login shell specified? What is benites' uid/gid?
grep benites /etc/passwd
> On Thu, 2012-03-15 at 11:35 -0400, Bob Benites wrote:
> > [benites@host1 ~]$ ls -lZd /home/benites /home/benites/.Xauthority
> > drwxr-xr-x. benites users system_u:object_r:default_t:s0 /home/benites
> > -rw-------. benites users unconfined_u:object_r:default_t:s0 /home/benites/.Xauthority
> your home directory is mislabeled.
I thought as much.
> what does matchpathcon return:
> matchpathcon /home/benites
/home/benites system_u:object_r:user_home_dir_t:s0
> Does user benites have a home directory and login shell specified? What is benites' uid/gid?
> grep benites /etc/passwd
Sorry, I knew I forgot something. We use LDAP and Kerberos for authentication, so I do not have an entry in /etc/passwd. On another system, where I use local password authentication and which is also running RHEL 6:
[benites@host2 ~]$ grep benites /etc/passwd
benites:x:500:100:Robert K. Benites:/home/benites:/bin/bash
[benites@host2 ~]$ ls -ldZ /home/benites
drwxr-xr-x. benites users unconfined_u:object_r:user_home_dir_t:s0 /home/benites
I thought adding the context user_home_dir_t on my home directory on the host where I'm having problems would solve the problem -- something suggested in one of the posts I read, but I was unsuccessful at doing that.
-- Bob
On Thu, 2012-03-15 at 12:53 -0400, Bob Benites wrote:
> > what does matchpathcon return:
> > matchpathcon /home/benites
> /home/benites system_u:object_r:user_home_dir_t:s0
Try: restorecon -R -v /home/benites
See if it resets the security contexts on your home directory.
I am not sure how genhomedircon deals with LDAP/Kerberos for authentication.
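The diagnosis the two replies walk through (compare the type the file actually carries, per ls -Z, with the type matchpathcon says the policy expects, then restorecon) as an added POSIX shell example. This is not code from the thread or from any of its participants. check_path assumes GNU coreutils stat (for the %C context format) and matchpathcon are present on the host being checked; demo_from_thread re-uses only the contexts quoted above as constructed input, so it runs on a machine without SELinux.

```shell
#!/bin/sh
# Added example, not code from the thread: turn the "ls -Z versus
# matchpathcon, then restorecon" advice into a repeatable check.
# Assumptions: GNU coreutils stat (%C) and matchpathcon exist on the
# host being checked; the demo data below is copied from the thread.

# ctx_type CONTEXT -> the type field of a context such as
# system_u:object_r:default_t:s0 (third colon-separated field).
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# label_mismatch ACTUAL EXPECTED -> true (0) when the two contexts differ
# in *type*. The SELinux user field (system_u vs unconfined_u) is ignored
# on purpose: a plain restorecon resets only the type unless -F is given,
# and the type is what the policy's access rules are written against.
label_mismatch() {
    [ "$(ctx_type "$1")" != "$(ctx_type "$2")" ]
}

# report_label PATH ACTUAL EXPECTED -> prints OK or MISMATCH for PATH,
# returns 1 when the type is wrong and 0 otherwise.
report_label() {
    if label_mismatch "$2" "$3"; then
        printf 'MISMATCH %s: is %s, policy expects %s\n' \
            "$1" "$(ctx_type "$2")" "$(ctx_type "$3")"
        return 1
    fi
    printf 'OK %s (%s)\n' "$1" "$(ctx_type "$2")"
}

# check_path PATH -> live check on an SELinux host. Returns 0 on match,
# 1 on mismatch, 2 when the tools are unavailable. stat -c %C is used
# instead of parsing ls -Z, whose column layout varies between coreutils
# versions; matchpathcon prints "PATH CONTEXT", so keep the last word.
check_path() {
    command -v matchpathcon >/dev/null 2>&1 || return 2
    actual=$(stat -c %C "$1") || return 2
    expected=$(matchpathcon "$1") || return 2
    expected=${expected##* }
    report_label "$1" "$actual" "$expected"
}

# demo_from_thread -> runs the comparison on the contexts quoted in the
# thread (constructed input: host1 is the broken host, host2 the working
# RHEL 6 host where only the user field differs). Prints one line per
# path followed by "mislabeled: N".
demo_from_thread() {
    n=0
    # Format of each entry: label|context from ls -lZd|context from matchpathcon
    for entry in \
        'host1:/home/benites|system_u:object_r:default_t:s0|system_u:object_r:user_home_dir_t:s0' \
        'host2:/home/benites|unconfined_u:object_r:user_home_dir_t:s0|system_u:object_r:user_home_dir_t:s0'
    do
        p=${entry%%|*}
        rest=${entry#*|}
        actual=${rest%%|*}
        expected=${rest#*|}
        report_label "$p" "$actual" "$expected" || n=$((n + 1))
    done
    printf 'mislabeled: %d\n' "$n"
}

demo_from_thread
```

On the broken host the live form is `check_path /home/benites; check_path /home/benites/.Xauthority`. A MISMATCH line for the directory is exactly the default_t versus user_home_dir_t case in the thread, and the fix offered there, `restorecon -R -v /home/benites`, applies: restorecon resolves the path through the same file-context lookup that matchpathcon already answered with user_home_dir_t, so the relabel does not depend on the account having an /etc/passwd entry. A result of OK where the two contexts differ only in system_u versus unconfined_u is expected and harmless, which is why the comparison deliberately looks at the type alone.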
selinux@lists.fedoraproject.org