CentOS - Jan 2012 - SELinux and rsh+xauth

Hello,

I have a strange (for me) problem with these two machines : 
- Client, a CentOS-5.7 workstation ;
- Server, a CentOS-6.2 headless, up-to-date server.

From Client, I want to use xauth on Server with the help of rsh (yes, I
know, ssh and all this sort of things... another time.)

When SELinux is in permissive mode on Server, all these commands
perform as expected : 
rsh Server /usr/bin/xauth info
rsh Server /usr/bin/xauth list
xauth nextract - Client:0.0 | rsh Server /usr/bin/xauth nmerge -

But when SELinux is in enforcing mode on Server, the commands fail with
this message : 
bash: /usr/bin/xauth: Permission denied

and /var/log/audit/audit.log shows the following errors :
type=SELINUX_ERR msg=audit(1326381080.364:610): security_compute_sid:  invalid
context system_u:system_r:xauth_t:s0-s0:c0.c1023 for
scontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023
tcontext=system_u:object_r:xauth_exec_t:s0 tclass=process

type=AVC msg=audit(1326381080.364:610): avc:  denied  { write } for  pid=3487
comm="xauth" path="pipe:[21744]" dev=pipefs ino=21744
scontext=system_u:system_r:xauth_t:s0-s0:c0.c1023
tcontext=system_u:system_r:rshd_t:s0-s0:c0.c1023 tclass=fifo_file

type=AVC msg=audit(1326381080.369:611): avc:  denied  { getattr } for pid=3487
comm="xauth" path="socket:[21700]" dev=sockfs ino=21700
scontext=system_u:system_r:xauth_t:s0-s0:c0.c1023
tcontext=system_u:system_r:inetd_t:s0-s0:c0.c1023 tclass=tcp_socket

The output from audit2allow is here :
$ grep AVC /var/log/audit/audit.log | audit2allow
libsepol.context_from_record: invalid security context:
"system_u:system_r:xauth_t:s0-s0:c0.c1023"
libsepol.context_from_record: could not create context structure
libsepol.context_from_string: could not create context structure
libsepol.sepol_context_to_sid: could not convert
system_u:system_r:xauth_t:s0-s0:c0.c1023 to sid
(these 4 lines are repeated 2 times)

On Server, after creating a new authority file (with rsh again, while
Server is in permissive mode), I find :
$ ls -Z .Xauthority 
-rw-------. naudin biom system_u:object_r:xauth_home_t:s0 .Xauthority

I don't have this problem on a CentOS-5.7 server with the same
configuration.

Any idea (other than ssh) on how to solve it ?

Thanks,

-- 
Philippe Naudin

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01/13/2012 03:33 AM, Philippe Naudin wrote:
> Hello,
> 
> I have a strange (for me) problem with these two machines : -
> Client, a CentOS-5.7 workstation ; - Server, a CentOS-6.2 headless,
> up-to-date server.
> 
>> From Client, I want to use xauth on Server with the help of rsh
>> (yes, I
> know, ssh and all this sort of things... another time.)
> 
> When SELinux is in permissive mode on Server, all these commands 
> perform as expected : rsh Server /usr/bin/xauth info rsh Server
> /usr/bin/xauth list xauth nextract - Client:0.0 | rsh Server
> /usr/bin/xauth nmerge -
> 
> But when SELinux is in enforcing mode on Server, the commands fail
> with this message : bash: /usr/bin/xauth: Permission denied
> 
> and /var/log/audit/audit.log shows the following errors : 
> type=SELINUX_ERR msg=audit(1326381080.364:610):
> security_compute_sid:  invalid context
> system_u:system_r:xauth_t:s0-s0:c0.c1023 for
> scontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:xauth_exec_t:s0 tclass=process
> 
> type=AVC msg=audit(1326381080.364:610): avc:  denied  { write } for
> pid=3487 comm="xauth" path="pipe:[21744]" dev=pipefs
ino=21744
> scontext=system_u:system_r:xauth_t:s0-s0:c0.c1023
> tcontext=system_u:system_r:rshd_t:s0-s0:c0.c1023 tclass=fifo_file
> 
> type=AVC msg=audit(1326381080.369:611): avc:  denied  { getattr }
> for pid=3487 comm="xauth" path="socket:[21700]"
dev=sockfs
> ino=21700 scontext=system_u:system_r:xauth_t:s0-s0:c0.c1023
> tcontext=system_u:system_r:inetd_t:s0-s0:c0.c1023
> tclass=tcp_socket
> 
> The output from audit2allow is here : $ grep AVC
> /var/log/audit/audit.log | audit2allow 
> libsepol.context_from_record: invalid security context:
> "system_u:system_r:xauth_t:s0-s0:c0.c1023" 
> libsepol.context_from_record: could not create context structure 
> libsepol.context_from_string: could not create context structure 
> libsepol.sepol_context_to_sid: could not convert
> system_u:system_r:xauth_t:s0-s0:c0.c1023 to sid (these 4 lines are
> repeated 2 times)
> 
> On Server, after creating a new authority file (with rsh again,
> while Server is in permissive mode), I find : $ ls -Z .Xauthority 
> -rw-------. naudin biom system_u:object_r:xauth_home_t:s0
> .Xauthority
> 
> I don't have this problem on a CentOS-5.7 server with the same 
> configuration.
> 
> Any idea (other than ssh) on how to solve it ?
> 
> Thanks,
> 
If you add a

policy_module(myxauth, 1.0)
gen_requires(`
type xauth_t;
role system_r;
')

role system_r types xauth_t;

It should fix the first problem, not sure the other two are important.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk8USWEACgkQrlYvE4MpobPXsACfU6I8yreIrF8/gRFcXs1L8AcU
UJoAoMsSW9HPUOKLK8uIP0e8/GVGOwLp
=yGdb
-----END PGP SIGNATURE-----