Old 07-11-2008, 03:43 PM
"Carl D. Roth"
 
./xauth?

On Fri, 11 Jul 2008 08:14:21 -0700, Dan Thurman wrote:

> I am not sure what this is, and /.xauth does not exist, but here is the
> log:
> ================================
> Summary:
>
> SELinux is preventing su (initrc_su_t) "execute" to ./xauth
> (xauth_exec_t).
>
> Detailed Description:
>

I had that happen on one of my systems too. It was starting a service in
init.d that changed userids via 'su'. Since it was a headless
application (i.e. daemon) I chose to ignore the errors as follows:

# Local policy module; the module name is chosen here, the post gave only the rules
policy_module(localsu, 1.0)

gen_require(`
	type initrc_su_t;
	type sshd_t;
	type xauth_exec_t;
')

# Silence the denials instead of allowing them: the daemon needs neither
# xauth nor the sshd keyring, so the PAM session steps of 'su' may fail quietly
dontaudit initrc_su_t sshd_t:key { search };
dontaudit initrc_su_t xauth_exec_t:file { execute };

As you can see, the 'su' session also tried to grovel around for SSH keys.

C

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
Old 07-11-2008, 03:57 PM
Paul Howarth
 
./xauth?

Carl D. Roth wrote:
> On Fri, 11 Jul 2008 08:14:21 -0700, Dan Thurman wrote:
>
>> I am not sure what this is, and /.xauth does not exist, but here is the
>> log:
>> ================================
>> Summary:
>>
>> SELinux is preventing su (initrc_su_t) "execute" to ./xauth
>> (xauth_exec_t).
>>
>> Detailed Description:
>>
>
> I had that happen on one of my systems too. It was starting a service in
> init.d that changed userids via 'su'. Since it was a headless
> application (i.e. daemon) I chose to ignore the errors as follows:
>
> gen_require(`
> type initrc_su_t;
> type sshd_t;
> type xauth_exec_t;
> ')
>
> dontaudit initrc_su_t sshd_t:key { search };
> dontaudit initrc_su_t xauth_exec_t:file { execute };
>
> As you can see, the 'su' session also tried to grovel around for SSH keys.


Does it behave better if you use "runuser" instead of "su"?

Paul.

Old 07-11-2008, 04:00 PM
Tomas Mraz
 
./xauth?

On Fri, 2008-07-11 at 15:43 +0000, Carl D. Roth wrote:
> On Fri, 11 Jul 2008 08:14:21 -0700, Dan Thurman wrote:
>
> > I am not sure what this is, and /.xauth does not exist, but here is the
> > log:
> > ================================
> > Summary:
> >
> > SELinux is preventing su (initrc_su_t) "execute" to ./xauth
> > (xauth_exec_t).
> >
> > Detailed Description:
> >
>
> I had that happen on one of my systems too. It was starting a service in
> init.d that changed userid's via 'su'. Since it was a headless
> application (i.e. daemon) I chose to ignore the errors as follows:
>
> gen_require(`
> type initrc_su_t;
> type sshd_t;
> type xauth_exec_t;
> ')
>
> dontaudit initrc_su_t sshd_t:key { search };
> dontaudit initrc_su_t xauth_exec_t:file { execute };
>
> As you can see, the 'su' session also tried to grovel around for SSH keys.

If there is a service which runs su in init scripts it should be
reported as a bug on the package which owns the service. 'runuser' should
be used instead of 'su' in init scripts.
--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
Turkish proverb

Old 07-12-2008, 06:49 PM
"Carl D. Roth"
 
./xauth?

On Fri, 11 Jul 2008 16:57:57 +0100, Paul Howarth wrote:

> Carl D. Roth wrote:
>> On Fri, 11 Jul 2008 08:14:21 -0700, Dan Thurman wrote:
>>
>>> I am not sure what this is, and /.xauth does not exist, but here is
>>> the log:
>>> ================================
>>> Summary:
>>>
>>> SELinux is preventing su (initrc_su_t) "execute" to ./xauth
>>> (xauth_exec_t).
>>>
>>> Detailed Description:
>>>
>>>
>> I had that happen on one of my systems too. It was starting a service
>> in init.d that changed userid's via 'su'. Since it was a headless
>> application (i.e. daemon) I chose to ignore the errors as follows:
>>
>> gen_require(`
>> type initrc_su_t;
>> type sshd_t;
>> type xauth_exec_t;
>> ')
>>
>> dontaudit initrc_su_t sshd_t:key { search };
>> dontaudit initrc_su_t xauth_exec_t:file { execute };
>>
>> As you can see, the 'su' session also tried to grovel around for SSH
>> keys.
>
> Does it behave better if you use "runuser" instead of "su"?
>
> Paul.

That fixed it, thanks.

C

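The denials discussed in this thread, as an added example that is not from the list or from Fedora's own tooling: a Python script that parses raw AVC records (constructed here to match Carl's two rules; the field names are the ones audit.log uses) into the gen_require/dontaudit fragment he posted, and separately flags the condition Tomas describes, su running in the initrc_su_t domain, which points at fixing the init script with runuser rather than writing policy.

```python
import re
from collections import defaultdict

# Constructed audit.log records (pids, inodes, timestamps invented) matching Carl's two rules.
SAMPLE_AVCS = """\
type=AVC msg=audit(1215790001.001:101): avc:  denied  { search } for  pid=2345 comm="su" scontext=system_u:system_r:initrc_su_t:s0 tcontext=system_u:system_r:sshd_t:s0 tclass=key
type=AVC msg=audit(1215790001.002:102): avc:  denied  { execute } for  pid=2345 comm="su" name="xauth" dev=dm-0 ino=12345 scontext=system_u:system_r:initrc_su_t:s0 tcontext=system_u:object_r:xauth_exec_t:s0 tclass=file
type=AVC msg=audit(1215790001.003:103): avc:  denied  { read } for  pid=2345 comm="su" name="xauth" dev=dm-0 ino=12345 scontext=system_u:system_r:initrc_su_t:s0 tcontext=system_u:object_r:xauth_exec_t:s0 tclass=file
"""

def _field(line, name):
    """Return the value of one key=value audit field, unquoted, or None."""
    m = re.search(r'\b%s=("[^"]*"|\S+)' % name, line)
    return m.group(1).strip('"') if m else None

def parse_avc(line):
    """Split one 'avc: denied' record into types, class, perms and comm; None otherwise."""
    m = re.search(r'avc:\s+denied\s+\{\s*([^}]+?)\s*\}', line)
    if not m:
        return None
    return {
        "perms": m.group(1).split(),
        "comm": _field(line, "comm"),
        # a context is user:role:type[:range]; the type is the third field
        "stype": _field(line, "scontext").split(":")[2],
        "ttype": _field(line, "tcontext").split(":")[2],
        "tclass": _field(line, "tclass"),
    }

def dontaudit_module(records):
    """Merge denials per (source, target, class) into the fragment shape Carl posted."""
    perms = defaultdict(set)
    for r in records:
        perms[(r["stype"], r["ttype"], r["tclass"])].update(r["perms"])
    types = sorted({s for s, _, _ in perms} | {t for _, t, _ in perms})
    out = ["gen_require(`"] + ["\ttype %s;" % t for t in types] + ["')", ""]
    for (s, t, c), p in sorted(perms.items()):
        out.append("dontaudit %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p))))
    return "\n".join(out)

def init_script_runs_su(records):
    """True when su itself ran as initrc_su_t: an init script called su (fix: runuser)."""
    return any(r["stype"] == "initrc_su_t" and r["comm"] == "su" for r in records)

if __name__ == "__main__":
    recs = [r for r in map(parse_avc, SAMPLE_AVCS.splitlines()) if r]
    print(dontaudit_module(recs))
    if init_script_runs_su(recs):
        print("# su ran under initrc_su_t: have the init script use runuser")
```

The two xauth denials collapse into one rule with both permissions, which is why reading the denials first is worth more than silencing them one at a time.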