Linux Archive


Bob Benites 03-15-2012 02:35 PM

/usr/bin/xauth: error in locking authority file
 
I've searched the archives about this particular
problem and not found a reference to it. While
a Google search yields some results, the solutions
provided do not solve my problem.

When we run SELinux in enforcing mode and
attempt to ssh to the host using the -X option
(yes, I've tried the -Y option) a user will see a
pause on the console and messages such as:

benites@host1's password:
Last login: Thu Mar 15 11:17:22 2012 from host0
/usr/bin/xauth: error in locking authority file /home/benites/.Xauthority
[benites@host1 ~]$ xbiff
X11 connection rejected because of wrong authentication.
Error: Can't open display: localhost:10.0
[benites@host1 ~]$

If we switch the host to permissive mode the X11
forwarding works fine.

What is most peculiar is that there are no messages in
audit log to identify why the forwarding is denied when we
run in enforcing mode.

Some posts I have read suggest it has to do with the file context
on the home directory and/or .Xauthority files:

[benites@host1 ~]$ ls -lZd /home/benites /home/benites/.Xauthority
drwxr-xr-x. benites users system_u:object_r:default_t:s0 /home/benites
-rw-------. benites users unconfined_u:object_r:default_t:s0 /home/benites/.Xauthority

I've tried changing the context on both, but nothing
seems to fix the problem.

Any suggestions?

Thanks!

-- Bob
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux

Dominick Grift 03-15-2012 03:44 PM

On Thu, 2012-03-15 at 11:35 -0400, Bob Benites wrote:

> [benites@host1 ~]$ ls -lZd /home/benites /home/benites/.Xauthority
> drwxr-xr-x. benites users system_u:object_r:default_t:s0 /home/benites
> -rw-------. benites users unconfined_u:object_r:default_t:s0 /home/benites/.Xauthority

your home directory is mislabeled.

what does matchpathcon return:

matchpathcon /home/benites

does user benites have a home directory and login shell specified, what
is benites uid/gid?

grep benites /etc/passwd


Bob Benites 03-15-2012 03:53 PM

> On Thu, 2012-03-15 at 11:35 -0400, Bob Benites wrote:
>
>> [benites@host1 ~]$ ls -lZd /home/benites /home/benites/.Xauthority
>> drwxr-xr-x. benites users system_u:object_r:default_t:s0 /home/benites
>> -rw-------. benites users unconfined_u:object_r:default_t:s0 /home/benites/.Xauthority
>
> your home directory is mislabeled.

I thought as much.

> what does matchpathcon return:
>
> matchpathcon /home/benites

/home/benites system_u:object_r:user_home_dir_t:s0

> does user benites have a home directory and login shell specified, what
> is benites uid/gid?
>
> grep benites /etc/passwd

Sorry, I knew I forgot something. We use LDAP
and Kerberos for authentication so I do not have
an entry in /etc/passwd. On another system where I
use local password authentication and which is also
running RHEL 6:

[benites@host2 ~]$ grep benites /etc/passwd
benites:x:500:100:Robert K. Benites:/home/benites:/bin/bash
[benites@host2 ~]$ ls -ldZ /home/benites
drwxr-xr-x. benites users unconfined_u:object_r:user_home_dir_t:s0 /home/benites

I thought adding the context user_home_dir_t on my
home directory on the host where I'm having problems
would solve the problem -- something suggested in
one of the posts I read, but I was unsuccessful
at doing that.

-- Bob

Dominick Grift 03-15-2012 03:58 PM

On Thu, 2012-03-15 at 12:53 -0400, Bob Benites wrote:

> > what does matchpathcon return:
> >
> > matchpathcon /home/benites
>
> /home/benites system_u:object_r:user_home_dir_t:s0
>

Try:
restorecon -R -v /home/benites

See if it resets the security contexts on your home directory.

I am not sure how genhomedircon deals with LDAP/Kerberos for
authentication.
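
The comparison made across the posts above (label on disk from `ls -Z` versus the policy default from `matchpathcon`), as an added example that is not part of the thread. The function names are made up for the illustration, and the sample lines are copied from the posts.

```sh
#!/bin/sh
# Added example (not from the thread): compare the SELinux type a path has
# on disk with the type the loaded policy expects for it.

# Print the type field of the first user:role:type[:level] context found on
# a line of `ls -Zd` or `matchpathcon` output. Roles end in _r by convention.
context_type() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++) {
            n = split($i, f, ":")
            if (n >= 3 && f[2] ~ /_r$/) { print f[3]; exit }
        }
    }'
}

# $1 = line from `ls -Zd PATH`, $2 = line from `matchpathcon PATH`.
# Only the type is compared: the SELinux user differs between the thread's
# hosts (system_u vs unconfined_u), while on host1 it is the type that
# disagrees with matchpathcon's answer.
# Returns 0 = match, 1 = mislabeled, 2 = no context found on a line.
check_label() {
    actual=$(context_type "$1")
    expected=$(context_type "$2")
    if [ -z "$actual" ] || [ -z "$expected" ]; then
        echo "unparsed"; return 2
    fi
    if [ "$actual" = "$expected" ]; then
        echo "ok $actual"; return 0
    fi
    echo "mislabeled $actual expected $expected"; return 1
}

# Live use on an SELinux host (hypothetical wrapper around the two commands).
check_path() {
    check_label "$(ls -Zd "$1")" "$(matchpathcon "$1")"
}

# Lines copied from the posts above: host1 fails, host2 works.
HOST1_LS='drwxr-xr-x. benites users system_u:object_r:default_t:s0 /home/benites'
HOST2_LS='drwxr-xr-x. benites users unconfined_u:object_r:user_home_dir_t:s0 /home/benites'
EXPECTED='/home/benites system_u:object_r:user_home_dir_t:s0'

check_label "$HOST1_LS" "$EXPECTED" || true
check_label "$HOST2_LS" "$EXPECTED" || true
```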


