On Tue, Dec 29, 2009 at 10:32:19PM +0100, Göran Uddeborg wrote:
Whenever I do "su" in an xterm window, I get two AVC denials. The command xauth is denied to read and write a file .xauthXXXXX where XXXXX is some random string different each time. (I enclose an example below.)
I would bugzilla this, but I'm (as often) not quite sure if it's the policy or if it's me. That is, if maybe this is not intended to be allowed? Or if there is something else I might be missing? I can't see any boolean I would connect to this.
So, is this a bug I should report, or is it intentional?
Well for starters the file is mislabeled:
[root@localhost Desktop]# matchpathcon /root/.xauthbDy84s
/root/.xauthbDy84s	system_u:object_r:xauth_home_t:s0
If the file was properly labeled the access would be allowed:
[root@localhost Desktop]# sesearch --allow -s xauth_t -t xauth_home_t
Found 2 semantic av rules:
   allow xauth_t xauth_home_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;
   allow xauth_t file_type : filesystem getattr ;
The following policy would make source process type xauth_t create .xauth* files in /root with type xauth_home_t:
allow xauth_t xauth_home_t:file manage_file_perms;
userdom_admin_home_dir_filetrans(xauth_t, xauth_home_t, file)

/root/.xauth.*	--	gen_context(system_u:object_r:xauth_home_t,s0)

The question is: why did this not happen?
----
time->Tue Dec 29 21:32:48 2009
type=SYSCALL msg=audit(1262118768.835:41732): arch=c000003e syscall=21 success=no exit=-13 a0=7fff99bd14d5 a1=2 a2=0 a3=7fff99bcfd10 items=0 ppid=5506 pid=5511 auid=503 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts6 ses=96 comm="xauth" exe="/usr/bin/xauth" subj=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1262118768.835:41732): avc: denied { write } for pid=5511 comm="xauth" name=".xauthbDy84s" dev=dm-0 ino=5341320 scontext=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
----
time->Tue Dec 29 21:32:48 2009
type=SYSCALL msg=audit(1262118768.836:41733): arch=c000003e syscall=2 success=no exit=-13 a0=7fff99bd14d5 a1=0 a2=1b6 a3=0 items=0 ppid=5506 pid=5511 auid=503 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts6 ses=96 comm="xauth" exe="/usr/bin/xauth" subj=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1262118768.836:41733): avc: denied { read } for pid=5511 comm="xauth" name=".xauthbDy84s" dev=dm-0 ino=5341320 scontext=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
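The check the reply does by hand (read the AVC record, compare the target type the kernel saw with the type matchpathcon says the path should carry) can be scripted. The following is an added example, not code from the thread or from Fedora; the records are the two AVC lines posted above, the expected type xauth_home_t is the matchpathcon result from the reply, and the function names are my own.

```python
import re
from dataclasses import dataclass, field

# The two AVC records from the original post (copied verbatim into a string).
AVC_RECORDS = """\
type=AVC msg=audit(1262118768.835:41732): avc: denied { write } for pid=5511 comm="xauth" name=".xauthbDy84s" dev=dm-0 ino=5341320 scontext=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
type=AVC msg=audit(1262118768.836:41733): avc: denied { read } for pid=5511 comm="xauth" name=".xauthbDy84s" dev=dm-0 ino=5341320 scontext=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
"""

# "avc: denied { perm perm } for key=value key="quoted value" ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<kv>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

@dataclass
class Denial:
    perms: list = field(default_factory=list)
    comm: str = ""
    name: str = ""
    source_type: str = ""   # type field of scontext, e.g. xauth_t
    target_type: str = ""   # type field of tcontext, e.g. admin_home_t
    tclass: str = ""

def type_of(context):
    # A context is user:role:type[:range]; the type is always the third field.
    return context.split(":")[2]

def parse_avc(line):
    """Parse one type=AVC record; return a Denial or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group("kv"))}
    return Denial(perms=m.group("perms").split(), comm=kv.get("comm", ""),
                  name=kv.get("name", ""), source_type=type_of(kv["scontext"]),
                  target_type=type_of(kv["tcontext"]), tclass=kv["tclass"])

def check_label(denial, expected_type):
    """Is the denial explained by a mislabeled target? expected_type is what
    `matchpathcon <path>` reports for the file (xauth_home_t in the thread)."""
    if denial.target_type != expected_type:
        return True, ("%s is labeled %s but policy expects %s; run restorecon on it"
                      % (denial.name, denial.target_type, expected_type))
    return False, "label matches policy; the denial is a genuine policy gap"

def analyse(records, expected_type):
    """Parse every AVC line in `records` and classify each denial."""
    denials = [d for d in map(parse_avc, records.splitlines()) if d]
    return [(d, check_label(d, expected_type)) for d in denials]
```

Running analyse(AVC_RECORDS, "xauth_home_t") flags both denials as a labeling problem rather than a missing allow rule, which is the reply's conclusion.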