Hello All,
I set up ltsp regulary, on Centos6 machines.
This morning I have a Selinux problem that usualy does not occur:
after setting everything up, the thinclients boot, but nobody can login.
It only works after the command :
# echo 0 > /selinux/enforce
I tried this semanage command:
# semanage fcontext -a -t bin_t /usr/bin/xauth
but it makes no difference.
The message I'm now seeing in /var/log/audit/audit.log :
type=AVC msg=audit(1385112688.399:67769): avc: denied { write } for
pid=8218 comm="xauth" name="caw" dev=md1 ino=262145
scontext=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir
type=SYSCALL msg=audit(1385112688.399:67769): arch=c000003e syscall=2
success=no exit=-13 a0=7fffdecf5c60 a1=c1 a2=180 a3=8 items=0 ppid=8217
pid=8218 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500
sgid=500 fsgid=500 tty=(none) ses=9 comm="xauth"
exe="/usr/bin/xauth"
subj=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023 key=(null)
Can anybody help me overcome this without disabling Selinux?
Many thanks.
Greetings, J.
--
Johan Vermeulen
IT-medewerker
Opensource Software is the future.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 11/25/2013 07:26 AM, Johan Vermeulen wrote:> Hello All, > > I set up ltsp regulary, on Centos6 machines. > > This morning I have a Selinux problem that usualy does not occur: after > setting everything up, the thinclients boot, but nobody can login. > > It only works after the command : > > # echo 0 > /selinux/enforce > > I tried this semanage command: > > # semanage fcontext -a -t bin_t /usr/bin/xauth > > but it makes no difference. > > The message I'm now seeing in /var/log/audit/audit.log : > > type=AVC msg=audit(1385112688.399:67769): avc: denied { write } for > pid=8218 comm="xauth" name="caw" dev=md1 ino=262145 > scontext=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023 > tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir type=SYSCALL > msg=audit(1385112688.399:67769): arch=c000003e syscall=2 success=no > exit=-13 a0=7fffdecf5c60 a1=c1 a2=180 a3=8 items=0 ppid=8217 pid=8218 > auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 > fsgid=500 tty=(none) ses=9 comm="xauth" exe="/usr/bin/xauth" > subj=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023 key=(null) > > Can anybody help me overcome this without disabling Selinux? > > Many thanks. Greetings, J. >The problem here is the director caw is mislabeled. restorecon -R -v /home Should fix its label. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.15 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iEYEARECAAYFAlKTV0IACgkQrlYvE4MpobOp1gCbBms5PWIKCeOKi5sbz28i8Pf7 ZNcAniJDr6h+ncJpkuMsa9qfVRwTAHaT =67Mu -----END PGP SIGNATURE-----
> The message I'm now seeing in /var/log/audit/audit.log : > > type=AVC msg=audit(1385112688.399:67769): avc: denied { write } for > pid=8218 comm="xauth" name="caw" dev=md1 ino=262145 > scontext=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023 > tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir > type=SYSCALL msg=audit(1385112688.399:67769): arch=c000003e syscall=2 > success=no exit=-13 a0=7fffdecf5c60 a1=c1 a2=180 a3=8 items=0 ppid=8217 > pid=8218 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 > sgid=500 fsgid=500 tty=(none) ses=9 comm="xauth" exe="/usr/bin/xauth" > subj=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023 key=(null)You may try to add the following rules to your local policy, but do you really need this? It seems like you shouldn't have any problems with non-root accounts. module local 1.0; require { type xauth_t; type home_root_t; class dir write; } #============= xauth_t =============#!!!! The source type 'xauth_t' can write to a 'dir' of the following types: # user_home_t, xauth_tmp_t, var_lib_t, xdm_var_run_t, admin_home_t, user_home_dir_t, tmp_t, user_tmp_t, nx_server_var_lib_t, nfs_t allow xauth_t home_root_t:dir write;