SELinux is preventing /usr/bin/xauth "write" access on /var/lib/nxserver/home

[Peter_O]

Hi There

Just finding my way round Linux, and am using the beta for Fedora 12... As ever, if I'm not posting in the right place, apologies, can someone who knows point me in the right direction.

The following warning is being generated:

Summary:

SELinux is preventing /usr/bin/xauth "write" access on /var/lib/nxserver/home.

Detailed Description:

SELinux denied access requested by xauth. It is not expected that this access is
required by xauth and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Additional Information:

Source Context unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023
Target Context system_u:object_r:var_lib_t:s0
Target Objects /var/lib/nxserver/home [ dir ]
Source xauth
Source Path /usr/bin/xauth
Port <Unknown>
Host linuxhome.localdomain
Source RPM Packages xorg-x11-xauth-1.0.2-7.fc12
Target RPM Packages freenx-server-0.7.3-15.fc12
Policy RPM selinux-policy-3.6.32-41.fc12
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Host Name linuxhome.localdomain
Platform Linux linuxhome.localdomain
2.6.31.5-127.fc12.i686.PAE #1 SMP Sat Nov 7
21:25:57 EST 2009 i686 athlon
Alert Count 60
First Seen Wed 11 Nov 2009 23:12:19 GMT
Last Seen Fri 13 Nov 2009 23:06:45 GMT
Local ID 5f49ad1f-8f75-4487-8288-dee1696eda55
Line Numbers

Raw Audit Messages

node=linuxhome.localdomain type=AVC msg=audit(1258153605.56:288): avc: denied { write } for pid=7498 comm="xauth" name="home" dev=dm-0 ino=221979 scontext=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir

node=linuxhome.localdomain type=SYSCALL msg=audit(1258153605.56:288): arch=40000003 syscall=5 success=no exit=-13 a0=bf83ae6b a1=c1 a2=180 a3=1 items=0 ppid=7497 pid=7498 auid=491 uid=491 gid=472 euid=491 suid=491 fsuid=491 egid=472 sgid=472 fsgid=472 tty=(none) ses=19 comm="xauth" exe="/usr/bin/xauth" subj=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023 key=(null)

Several related questions.

1. Being a Linux/Fedora newbie, how do I assess any "risk" associated with the above warning? i.e. If I knew how to, can I make the changes to allow the action? I can see that there is guidance on how to set up a policy to allow this action, my question here relates to understanding any security risks.

2. I gather there is an automated bug reporting aspect to these warnings. However, I seem to need to be registered elsewhere (Bugzilla??). Is there an idiots guide/101 guide somewhere to get registered/report bugs?

I can see the above warning relates to my using Freenx - which works very well by the way. Using it form my Vista desktop to access my Linux PC.

Thanks in advance for any pointers.

Cheers
Peter

[Peter_O]

Hi There

I'm getting the following warning. As a Linux/Fedora newbie I'm not entirely clear whether I should take the steps to allow this action? Any advice appreciated.

Cheers
Peter

Summary:

SELinux is preventing /usr/bin/abrt-pyhook-helper "search" access on
/var/cache/abrt.

Detailed Description:

SELinux denied access requested by abrt-pyhook-hel. It is not expected that this
access is required by abrt-pyhook-hel and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinu...fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context system_u:system_r:sambagui_t:s0-s0:c0.c1023
Target Context system_u:object_r:abrt_var_cache_t:s0
Target Objects /var/cache/abrt [ dir ]
Source abrt-pyhook-hel
Source Path /usr/bin/abrt-pyhook-helper
Port <Unknown>
Host linuxhome.localdomain
Source RPM Packages abrt-addon-python-0.0.11-2.fc12
Target RPM Packages abrt-0.0.11-2.fc12
Policy RPM selinux-policy-3.6.32-41.fc12
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Host Name linuxhome.localdomain
Platform Linux linuxhome.localdomain
2.6.31.5-127.fc12.i686.PAE #1 SMP Sat Nov 7
21:25:57 EST 2009 i686 athlon
Alert Count 2
First Seen Fri 13 Nov 2009 18:51:15 GMT
Last Seen Fri 13 Nov 2009 18:51:15 GMT
Local ID 4166b08e-2c56-45a4-bf0c-7cdd753b1909
Line Numbers

Raw Audit Messages

node=linuxhome.localdomain type=AVC msg=audit(1258138275.84:222): avc: denied { search } for pid=6584 comm="abrt-pyhook-hel" name="abrt" dev=dm-0 ino=65598 scontext=system_u:system_r:sambagui_t:s0-s0:c0.c1023 tcontext=system_u:object_r:abrt_var_cache_t:s0 tclass=dir

node=linuxhome.localdomain type=SYSCALL msg=audit(1258138275.84:222): arch=40000003 syscall=83 success=no exit=-13 a0=bfcb04be a1=95b50cc a2=afb990 a3=bfcb04ae items=0 ppid=6489 pid=6584 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="abrt-pyhook-hel" exe="/usr/bin/abrt-pyhook-helper" subj=system_u:system_r:sambagui_t:s0-s0:c0.c1023 key=(null)

[CSchwangler]

1. SELinux, which is the component that produced that report, is quite extensively documented. However, assessing security risks is often up to you, since its a trade-off between what you want to do/achieve and what the designers of SELinux consider a risk. Keep in mind that SELinux is aimed at the coporate customers.

2. https://bugzilla.redhat.com/ is the link to RedHat/Fedora bug reporting tool. You need an account to be able to report bugs.

[Peter_O]

H There

Just finding my way with Linux/Fedora. Any advice on whether I can/should permit this action appreciated please.

Cheers
Peter

Summary:

SELinux is preventing /usr/libexec/rtkit-daemon "setsched" access.

Detailed Description:

SELinux denied access requested by rtkit-daemon. It is not expected that this
access is required by rtkit-daemon and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinu...fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context system_u:system_r:rtkit_daemon_t:s0-s0:c0.c1023
Target Context system_u:system_r:unconfined_notrans_t:s0
Target Objects None [ process ]
Source rtkit-daemon
Source Path /usr/libexec/rtkit-daemon
Port <Unknown>
Host linuxhome.localdomain
Source RPM Packages rtkit-0.4-1.fc12
Target RPM Packages
Policy RPM selinux-policy-3.6.32-41.fc12
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Host Name linuxhome.localdomain
Platform Linux linuxhome.localdomain
2.6.31.5-127.fc12.i686.PAE #1 SMP Sat Nov 7
21:25:57 EST 2009 i686 athlon
Alert Count 70
First Seen Fri 13 Nov 2009 11:02:06 GMT
Last Seen Sat 14 Nov 2009 08:42:14 GMT
Local ID 81215180-090f-49ec-9384-0073c6b9f9c5
Line Numbers

Raw Audit Messages

node=linuxhome.localdomain type=AVC msg=audit(1258188134.397:33): avc: denied { setsched } for pid=1927 comm="rtkit-daemon" scontext=system_u:system_r:rtkit_daemon_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_notrans_t:s0 tclass=process

node=linuxhome.localdomain type=SYSCALL msg=audit(1258188134.397:33): arch=40000003 syscall=156 success=no exit=-13 a0=7dd a1=40000000 a2=bf8a11f4 a3=bf8a11d8 items=0 ppid=1 pid=1927 auid=4294967295 uid=495 gid=484 euid=495 suid=495 fsuid=495 egid=484 sgid=484 fsgid=484 tty=(none) ses=4294967295 comm="rtkit-daemon" exe="/usr/libexec/rtkit-daemon" subj=system_u:system_r:rtkit_daemon_t:s0-s0:c0.c1023 key=(null)

[Hlingler]

Hello Peter_O:

And Welcome to the forum.

Cross posts/threads have been merged. Please do not cross post - forum policy permits only one thread at a time per topic.

FedoraForum.org Guidelines

Please do NOT start another thread for this same question.

V

[Peter_O]

Quote:

Originally Posted by Hlingler

Do NOT start another thread for this same question.

V

With respect, they are separate warnings.

Cheers
Peter

[Hlingler]

Yes, I see that now, and have amended my previous post so that it does not appear too harsh. Still: these are all essentially the same issue, and can and will be solved with the same technique - as you will soon find out, I predict... .

V

[SlowJet]

Quote:

Originally Posted by CSchwangler

1. SELinux, which is the component that produced that report, is quite extensively documented. However, assessing security risks is often up to you, since its a trade-off between what you want to do/achieve and what the designers of SELinux consider a risk. Keep in mind that SELinux is aimed at the coporate customers.

2. https://bugzilla.redhat.com/ is the link to RedHat/Fedora bug reporting tool. You need an account to be able to report bugs.

Boloney, nice double talk.

This is a new release and has not even hit the torrents.
There will be some selinux catchup to do.
However, if the program is not in the main Fedora install the selinux error should be reported or the user will need to do an audit2allow (if it is actually blocking something that is needed. I think is is ok as it is a bug)

There is no way for a newbie to assess a risk, fix the problem or know what the heck it about.
Only updates and reading up on the selinux tools may eventually allow a user to get by something that persists.
But selinux is a security system for any and all and works very good.
Security is needed by everyone, every where.


My system is very updated in F12 and all is clean for selinux.
selinux-policy-targeted-3.6.32-45.fc12.noarch
policycoreutils-2.0.74-17.fc12.i686

The newbies will just have to wait for updates or go to the selinux-list..

SJ

[jpollard]

/var/lib/nxserver/home is supposed to be your home directory - it might not be, or
(if NFS mount) it may not be read/write for your security label. (or perhaps something
in the path is not).

Most home directories are not in /var/lib... but in /home, or a mount point in /home
(something like /home/server/username).