On 07/14/2010 05:23 AM, Gabriel VLASIU wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Tue, 13 Jul 2010, Gary Stainburn wrote:
>
>> [gary@dcomp5 ~]$ ssh -Y -C lcomp3 -l root
>> root@lcomp3's password:
>> Last login: Tue Jul 13 16:04:20 2010 from gary.ringways.co.uk
>> [root@lcomp3 ~]# kcalc
>> [root@lcomp3 ~]# logout
>> [gary@dcomp5 ~]$ ssh -Y -C lcomp3
>> gary@lcomp3's password:
>> Last login: Tue Jul 13 15:55:16 2010 from gary.ringways.co.uk
>> /usr/bin/xauth: timeout in locking authority file /home/gary/.Xauthority
>> [gary@lcomp3 ~]$ kcalc
>> X11 connection rejected because of wrong authentication.
>> kcalc: cannot connect to X server localhost:11.0
>> [gary@lcomp3 ~]$
> xauth fail to regenerate the .Xauthority file because of selinux. I seen
> this on many F12/F13.
> You can test this by removing .Xauthority* files and put selinux in
> permissive mode.
>
> My solution was to generate a custom policy file:
>
>>>>>>>>>>>> xauthI.log <<<<<
> type=AVC msg=audit(1275899931.248:12726): avc: denied { write } for pid=2989 comm="xauth" name=".Xauthority" dev=sda6 ino=652876 scontext=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_home_t:s0 tclass=file
> type=AVC msg=audit(1275899931.252:12727): avc: denied { read } for pid=2989 comm="xauth" name=".Xauthority" dev=sda6 ino=652876 scontext=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_home_t:s0 tclass=file
> type=AVC msg=audit(1275900392.342:13101): avc: denied { open } for pid=3750 comm="xauth" name=".Xauthority" dev=sda6 ino=652876 scontext=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_home_t:s0 tclass=file
> type=AVC msg=audit(1275900612.472:13355): avc: denied { getattr } for pid=4401 comm="xauth" path="/home/xxxx/.Xauthority" dev=sda6 ino=653013 scontext=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_home_t:s0 tclass=file
> type=AVC msg=audit(1275900681.673:13378): avc: denied { unlink } for pid=4453 comm="xauth" name=".Xauthority" dev=sda6 ino=653013 scontext=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_home_t:s0 tclass=file
> <<<<<<<<<<<<<<<<<<<<<<<<<<<<
>
> # cat xauthI.log | audit2allow -M xauthI
> # semodule -i xauthI.pp
> (do not forget to re-enable selinux if required).
>
> Also have a look in xauthI.te:
> #!!!! This avc has a dontaudit rule in the current policy
> So this is why you wont see an "avc: denied" in /var/log/audit/audit.log.
>
>
> Gabriel
>
> - --
>
> // Gabriel VLASIU
> //
> // OpenGPG-KeyID : 0xE684206E
> // OpenGPG-Fingerprint: 0C3D 9F8B 725D E243 CB3C 8428 796A DB1F E684 206E
> // OpenGPG-URL : http://www.vlasiu.net/public.key
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.5 (GNU/Linux)
>
> iD8DBQFMPYIyeWrbH+aEIG4RAlb9AJ93KHE54MmafzPz7Od+Gvf1NMtJHgCfQxxa
> I7No0aEBuFT37d2m4MvY+uE=
> =axNB
> -----END PGP SIGNATURE-----
Are you using kdm to log in? gdm does not create the .Xauthority file.
--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
