Opened 9 years ago

Closed 7 years ago

#107 closed defect (fixed)

SELinux prevents xauth from accessing per session auth files in user's home directory

Reported by: Antoine Martin
Owned by: Antoine Martin
Priority: major
Milestone: 1.0
Component: Server
Keywords:
Cc:

Description

If SELinux is enforcing, xauth just fails...
So we have a workaround in place where we pass the global XAUTHORITY to the server and it uses that if /selinux/enforcing==1.

Not ideal. I can't see any easy way of being able to create new xauth files with SELinux enabled. PITA

See also: NX bug

Change History (2)

comment:1 Changed 7 years ago by Antoine Martin

Owner: changed from Antoine Martin to Antoine Martin
Status: new → accepted

And now on Fedora 17 we have a different problem, which is that xauth wants to access /dev/urandom (for whatever reason) and SELinux generates an alert.

Here is an example of the command line we run:

/usr/bin/xauth add :61 MIT-MAGIC-COOKIE-1 a274142fd0250a21b6245496ca740a68

Upstream bug filed here

This is the SELinux module generated to work around the issue:

module xauth_urandom 1.0;

require {
	type xauth_t;
	type urandom_device_t;
	class chr_file read;
}

allow xauth_t urandom_device_t:chr_file read;

comment:2 Changed 7 years ago by Antoine Martin

Resolution: fixed
Status: accepted → closed

Fixed in selinux-policy-3.10.0-149.fc17
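
The workaround from the description (fall back to the global XAUTHORITY file when SELinux is enforcing, otherwise use a per-session file), sketched as an added example that is not the project's own code. The function names, the per-session file name and the enforce-file paths (/sys/fs/selinux/enforce, legacy /selinux/enforce) are assumptions.

```shell
#!/bin/sh
# Added example, not the project's code. Function names, the per-session file
# name and the enforce-file paths are assumptions made for illustration.

# Print 1 if SELinux is enforcing, else 0 (permissive, disabled or absent).
# Optional $1 names the enforce file to read instead of the selinuxfs paths.
selinux_enforcing() {
    if [ -n "${1:-}" ]; then
        set -- "$1"
    else
        set -- /sys/fs/selinux/enforce /selinux/enforce
    fi
    for f in "$@"; do
        if [ -r "$f" ]; then
            [ "$(cat "$f")" = "1" ] && echo 1 || echo 0
            return 0
        fi
    done
    echo 0
}

# Print the xauth file for a display: the global file when SELinux is
# enforcing, otherwise a per-session file in the home directory.
pick_xauthority() {
    display="$1"; global="$2"; enforce_file="${3:-}"
    if [ "$(selinux_enforcing "$enforce_file")" = "1" ]; then
        printf '%s\n' "$global"
    else
        printf '%s\n' "$HOME/.xauth-session-${display#:}"   # hypothetical name
    fi
}

# Print a fresh 128-bit cookie as 32 hex digits.
new_cookie() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# Store a new cookie for the display in the selected file, readable only
# by its owner.
add_cookie() {
    display="$1"; authfile="$2"
    ( umask 077; xauth -f "$authfile" add "$display" MIT-MAGIC-COOKIE-1 "$(new_cookie)" )
}

# Usage: add_cookie :61 "$(pick_xauthority :61 "${XAUTHORITY:-$HOME/.Xauthority}")"
```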
