X2Go Bug report logs -
#438
x2goserver and rhel6.4 / selinux Problem
Reported by: Frank Knoben <admin@igpm.rwth-aachen.de>
Date: Thu, 27 Feb 2014 09:10:02 UTC
Severity: normal
Tags: moreinfo, not-a-bug
Found in version 4.0.1.13
Done: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to x2go-dev@lists.berlios.de, X2Go Developers <x2go-dev@lists.berlios.de>
:
Bug#438
; Package x2goserver
.
(Thu, 27 Feb 2014 09:10:02 GMT) (full text, mbox, link).
Acknowledgement sent
to Frank Knoben <admin@igpm.rwth-aachen.de>
:
New Bug report received and forwarded. Copy sent to X2Go Developers <x2go-dev@lists.berlios.de>
.
(Thu, 27 Feb 2014 09:10:02 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.x2go.org (full text, mbox, reply):
Package: x2goserver
Version: 4.0.1.13
Hello,
on a scientific linux 6.4 system with selinux enabled (RedHat Clone) I
have the following problem with x2goserver-4.0.1.13-2.el6.x86_64:
After connecting with x2goclient to the server system, the .Xauthority
file my home directory is created with the following selinx
permissions:
---------------------------
ls -Z .Xauthority
-rw-------. frank users unconfined_u:object_r:default_t:s0 .Xauthority
--------------------------
Then I do a logout. Now, when I try to connect again to the x2go server
system, I get
the following error message on the client side and no session is started.
-----------------------------
.....
"Warning: Cookie mismatch in the X authentication data.
"
"Session: Terminating session at 'Thu Feb 27 09:40:05 2014'.
Info: Your session was closed before reaching a usable state.
Info: This can be due to the local X server refusing access to the client.
Info: Please check authorization provided by the remote X application.
Session: Session terminated at 'Thu Feb 27 09:40:05 2014'.
"
deleting proxy
nxproxy not running
proxy deleted
-----------------------------------
But when I change the selinux permissions to
------
ls -Z .Xauthority
-rw-------. frank users unconfined_u:object_r:xauth_home_t:s0 .Xauthority
-----
with the command
/usr/bin/chcon unconfined_u:object_r:xauth_home_t:s0 .Xauthority*
there is no problem logging in to the x2goserver system the next time.
Can this be fixed in the x2goserver software?
Sincerly
Frank Knoben
Institut fuer Geometrie und Praktische Mathematik
RWTH Aachen
Aachen.
Germany
Information forwarded
to x2go-dev@lists.berlios.de, X2Go Developers <x2go-dev@lists.berlios.de>
:
Bug#438
; Package x2goserver
.
(Thu, 27 Feb 2014 15:34:09 GMT) (full text, mbox, link).
Acknowledgement sent
to Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.berlios.de>
.
(Thu, 27 Feb 2014 15:34:09 GMT) (full text, mbox, link).
Message #10 received at 438@bugs.x2go.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Control: tag -1 moreinfo
Hi Frank,
> ---------------------------
>
> ls -Z .Xauthority
> -rw-------. frank users unconfined_u:object_r:default_t:s0 .Xauthority
>
> --------------------------
>
> Then I do a logout. Now, when I try to connect again to the x2go
> server system, I get
> the following error message on the client side and no session is started.
>
> -----------------------------
> .....
>
> "Warning: Cookie mismatch in the X authentication data.
> "
>
> "Session: Terminating session at 'Thu Feb 27 09:40:05 2014'.
> Info: Your session was closed before reaching a usable state.
> Info: This can be due to the local X server refusing access to the client.
> Info: Please check authorization provided by the remote X application.
> Session: Session terminated at 'Thu Feb 27 09:40:05 2014'.
> "
>
> deleting proxy
>
> nxproxy not running
>
> proxy deleted
>
> -----------------------------------
>
> But when I change the selinux permissions to
>
> ------
>
> ls -Z .Xauthority
>
> -rw-------. frank users unconfined_u:object_r:xauth_home_t:s0 .Xauthority
What are the SELinux permissions after you have logged out?
Do you need that chcon command call when resuming sessions or when
starting sessions.
Excuse my SELinux innocence at this point. I would like to add support
for SELinux, but I need to understand better why we have to tweak the
security context of .Xauthority for X2Go.
Thanks+Greets,
Mike
--
DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148
GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
[Message part 2 (application/pgp-signature, inline)]
Added tag(s) moreinfo.
Request was from Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
to 438-submit@bugs.x2go.org
.
(Thu, 27 Feb 2014 15:34:10 GMT) (full text, mbox, link).
Message sent on
to Frank Knoben <admin@igpm.rwth-aachen.de>
:
Bug#438.
(Thu, 27 Feb 2014 15:34:10 GMT) (full text, mbox, link).
Information forwarded
to x2go-dev@lists.berlios.de, X2Go Developers <x2go-dev@lists.berlios.de>
:
Bug#438
; Package x2goserver
.
(Fri, 28 Feb 2014 08:35:01 GMT) (full text, mbox, link).
Acknowledgement sent
to Frank Knoben <admin@igpm.rwth-aachen.de>
:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.berlios.de>
.
(Fri, 28 Feb 2014 08:35:01 GMT) (full text, mbox, link).
Message #20 received at 438@bugs.x2go.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Hello Mike,
the problem is, that I'm not an expert on selinux too.
But I did some more tests.
Interactive Session - first login, the ~/.Xauthority file is created
and stays after logout with the permissions *system_u:object_r:default_t:s0*
I am still able to login in interactively again.
But with this permissions, I got the Cookie mismatch problem, when using
the x2goclient.
And when I login with ssh to the computer, I got a xauth error message:
/usr/bin/xauth: ~/.Xauthority not writable, changes will be ignored
Now I remove all .Xauthority* files. Then a login with ssh will create
the ~/.Xauthority file
with the *system_u:object_r:xauth_home_t:s0* permissions and the files
stays with
these permissions after logout.
Now when I use the x2goclient, the file permissions change during the
login process from
*system_u:object_r:xauth_home_t:s0* to *system_u:object_r:default_t:s0
*and stay
that way after logout. The same, as it is with interactive sessions.
So I guess, everything is fine with the x2goserver software and
this is not a bug.
My problem is, that ssh is not able to overwrite the .Xauthority file,
when it has the
default permissions of *system_u:object_r:default_t:s0* . Therefore the
x2goclient is
not able to start a successful session and gets the Cookie mismatch error.
So I think, you can close this bugreport.
Thank you very much for your quick response and please excuse my mistake in
thinking that this was a x2goserver bug.
Sincerly
Frank
Frank Knoben
Institut fuer Geometrie und Praktische Mathematik
RWTH Aachen
Aachen,
Germany
On 02/27/2014 04:30 PM, Mike Gabriel wrote:
> Control: tag -1 moreinfo
>
> Hi Frank,
>
>> ---------------------------
>>
>> ls -Z .Xauthority
>> -rw-------. frank users unconfined_u:object_r:default_t:s0 .Xauthority
>>
>> --------------------------
>>
>> Then I do a logout. Now, when I try to connect again to the x2go
>> server system, I get
>> the following error message on the client side and no session is
>> started.
>>
>> -----------------------------
>> .....
>>
>> "Warning: Cookie mismatch in the X authentication data.
>> "
>>
>> "Session: Terminating session at 'Thu Feb 27 09:40:05 2014'.
>> Info: Your session was closed before reaching a usable state.
>> Info: This can be due to the local X server refusing access to the
>> client.
>> Info: Please check authorization provided by the remote X application.
>> Session: Session terminated at 'Thu Feb 27 09:40:05 2014'.
>> "
>>
>> deleting proxy
>>
>> nxproxy not running
>>
>> proxy deleted
>>
>> -----------------------------------
>>
>> But when I change the selinux permissions to
>>
>> ------
>>
>> ls -Z .Xauthority
>>
>> -rw-------. frank users unconfined_u:object_r:xauth_home_t:s0
>> .Xauthority
>
> What are the SELinux permissions after you have logged out?
>
> Do you need that chcon command call when resuming sessions or when
> starting sessions.
>
> Excuse my SELinux innocence at this point. I would like to add support
> for SELinux, but I need to understand better why we have to tweak the
> security context of .Xauthority for X2Go.
>
> Thanks+Greets,
> Mike
>
>
>
[Message part 2 (text/html, inline)]
Acknowledgement sent
to Frank Knoben <admin@igpm.rwth-aachen.de>
:
Extra info received and filed, but not forwarded.
(Fri, 28 Feb 2014 08:35:02 GMT) (full text, mbox, link).
Message sent on
to Frank Knoben <admin@igpm.rwth-aachen.de>
:
Bug#438.
(Fri, 28 Feb 2014 08:35:02 GMT) (full text, mbox, link).
Information forwarded
to x2go-dev@lists.berlios.de, X2Go Developers <x2go-dev@lists.berlios.de>
:
Bug#438
; Package x2goserver
.
(Fri, 28 Feb 2014 09:25:02 GMT) (full text, mbox, link).
Acknowledgement sent
to Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.berlios.de>
.
(Fri, 28 Feb 2014 09:25:02 GMT) (full text, mbox, link).
Message #31 received at 438@bugs.x2go.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Hi Frank,
On Fr 28 Feb 2014 09:22:47 CET, Frank Knoben wrote:
> Hello Mike,
>
> the problem is, that I'm not an expert on selinux too.
> But I did some more tests.
>
> Interactive Session - first login, the ~/.Xauthority file is created
> and stays after logout with the permissions *system_u:object_r:default_t:s0*
> I am still able to login in interactively again.
>
> But with this permissions, I got the Cookie mismatch problem, when
> using the x2goclient.
> And when I login with ssh to the computer, I got a xauth error message:
> /usr/bin/xauth: ~/.Xauthority not writable, changes will be ignored
>
> Now I remove all .Xauthority* files. Then a login with ssh will
> create the ~/.Xauthority file
> with the *system_u:object_r:xauth_home_t:s0* permissions and the
> files stays with
> these permissions after logout.
>
> Now when I use the x2goclient, the file permissions change during
> the login process from
> *system_u:object_r:xauth_home_t:s0* to
> *system_u:object_r:default_t:s0 *and stay
> that way after logout. The same, as it is with interactive sessions.
> So I guess, everything is fine with the x2goserver software and
> this is not a bug.
> My problem is, that ssh is not able to overwrite the .Xauthority
> file, when it has the
> default permissions of *system_u:object_r:default_t:s0* . Therefore
> the x2goclient is
> not able to start a successful session and gets the Cookie mismatch error.
>
> So I think, you can close this bugreport.
Nonono... I actually think there is something wrong with X2Go Server.
X2Go Client / PyHoca-GUI (another X2Go client app) should immitate
what SSH does.
As the X2Go clients call the script /usr/bin/x2gostartagent and this
script fiddles with the .Xauthority files via xauth, we should make
sure that after modifying the .Xauthority file the SELinux permissions
stay intact.
Can you please add your proposed chcon command into x2gostartagent
(near line 268, there is another position further up for shadow
sessions) after xauth has been called and see it that fixes your
troubles.
Next step: please provide me with an if clause that will test if
SELinux is in use or not, so we can call chcon only if SELinux is in
use on that system.
Thanks+Greets,
Mike
--
DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148
GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
[Message part 2 (application/pgp-signature, inline)]
Information forwarded
to x2go-dev@lists.berlios.de, X2Go Developers <x2go-dev@lists.berlios.de>
:
Bug#438
; Package x2goserver
.
(Fri, 28 Feb 2014 11:15:01 GMT) (full text, mbox, link).
Acknowledgement sent
to Frank Knoben <admin@igpm.rwth-aachen.de>
:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.berlios.de>
.
(Fri, 28 Feb 2014 11:15:01 GMT) (full text, mbox, link).
Message #36 received at 438@bugs.x2go.org (full text, mbox, reply):
Hi Mike,
thank you very much for the proposal, where I could fix the problem for
my system.
But I still have to think, how to make a permanent workaround in the
x2gostartagent script.
- if I use icewm windowmanager with selinux and x2goserver / x2goclient
everything is fine and the .Xauthority file has the right permissions
- if I use the kde or gnome windowmanager the .Xauthority permissions
will be modified to the wrong permissions
- when the home directory is on a nfsserver with no selinux installed
and the x2goserver system uses selinux, there is no problem at all.
Trying to fix the selinux permissions will give the error message
'Operation not supported'
So I think, it is a problem of the kde and gnome windowmanager.
For the kde windowmanager, I put a chcon statement at the end of the
/usr/bin/startkde script.
I'm still looking for a workaround for the gnome windowmanager.
Sincerly
Frank
> Nonono... I actually think there is something wrong with X2Go Server.
>
> X2Go Client / PyHoca-GUI (another X2Go client app) should immitate
> what SSH does.
>
> As the X2Go clients call the script /usr/bin/x2gostartagent and this
> script fiddles with the .Xauthority files via xauth, we should make
> sure that after modifying the .Xauthority file the SELinux permissions
> stay intact.
>
> Can you please add your proposed chcon command into x2gostartagent
> (near line 268, there is another position further up for shadow
> sessions) after xauth has been called and see it that fixes your
> troubles.
>
> Next step: please provide me with an if clause that will test if
> SELinux is in use or not, so we can call chcon only if SELinux is in
> use on that system.
>
> Thanks+Greets,
> Mike
>
Information forwarded
to x2go-dev@lists.berlios.de, X2Go Developers <x2go-dev@lists.berlios.de>
:
Bug#438
; Package x2goserver
.
(Fri, 28 Feb 2014 12:05:02 GMT) (full text, mbox, link).
Acknowledgement sent
to Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.berlios.de>
.
(Fri, 28 Feb 2014 12:05:02 GMT) (full text, mbox, link).
Message #41 received at 438@bugs.x2go.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Hi Frank,
On Fr 28 Feb 2014 12:12:43 CET, Frank Knoben wrote:
> Hi Mike,
>
> thank you very much for the proposal, where I could fix the problem
> for my system.
> But I still have to think, how to make a permanent workaround in the
> x2gostartagent script.
>
> - if I use icewm windowmanager with selinux and x2goserver /
> x2goclient everything is fine and the .Xauthority file has the right
> permissions
> - if I use the kde or gnome windowmanager the .Xauthority
> permissions will be modified to the wrong permissions
> - when the home directory is on a nfsserver with no selinux
> installed and the x2goserver system uses selinux, there is no
> problem at all.
> Trying to fix the selinux permissions will give the error message
> 'Operation not supported'
>
> So I think, it is a problem of the kde and gnome windowmanager.
> For the kde windowmanager, I put a chcon statement at the end of the
> /usr/bin/startkde script.
> I'm still looking for a workaround for the gnome windowmanager.
>
> Sincerly
>
> Frank
>
Thanks for this heavy debugging.
I will be fine with adding such magic into x2gostartagent (or
x2goruncommand). But we need to be as detailled and explicit on the
how and when.
Get back to me, once you have more insights.
Mike
--
DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148
GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
[Message part 2 (application/pgp-signature, inline)]
Information forwarded
to x2go-dev@lists.berlios.de, X2Go Developers <x2go-dev@lists.berlios.de>
:
Bug#438
; Package x2goserver
.
(Fri, 28 Feb 2014 12:20:01 GMT) (full text, mbox, link).
Acknowledgement sent
to Frank Knoben <admin@igpm.rwth-aachen.de>
:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.berlios.de>
.
(Fri, 28 Feb 2014 12:20:02 GMT) (full text, mbox, link).
Message #46 received at 438@bugs.x2go.org (full text, mbox, reply):
Hi Mike,
what about the following solution / proposal for the x2goruncommand script:
....
# run logout scripts
FIX_XAUTH=`ls -Z $HOME/.Xauthority | egrep default_t`
if test -n $FIX_AUTH
then
/usr/bin/chcon unconfined_u:object_r:xauth_home_t:s0 $HOME/.Xauthority
fi
test -r /etc/x2go/x2go_logout && . /etc/x2go/x2go_logout
...
this fixes the selinux file permission in case, it it set to
system_u:object_r:default_t:s0
It works on my system.
sincerly
Frank
On 02/28/2014 01:00 PM, Mike Gabriel wrote:
> Hi Frank,
>
> On Fr 28 Feb 2014 12:12:43 CET, Frank Knoben wrote:
>
>> Hi Mike,
>>
>> thank you very much for the proposal, where I could fix the problem
>> for my system.
>> But I still have to think, how to make a permanent workaround in the
>> x2gostartagent script.
>>
>> - if I use icewm windowmanager with selinux and x2goserver /
>> x2goclient everything is fine and the .Xauthority file has the right
>> permissions
>> - if I use the kde or gnome windowmanager the .Xauthority
>> permissions will be modified to the wrong permissions
>> - when the home directory is on a nfsserver with no selinux installed
>> and the x2goserver system uses selinux, there is no problem at all.
>> Trying to fix the selinux permissions will give the error message
>> 'Operation not supported'
>>
>> So I think, it is a problem of the kde and gnome windowmanager.
>> For the kde windowmanager, I put a chcon statement at the end of the
>> /usr/bin/startkde script.
>> I'm still looking for a workaround for the gnome windowmanager.
>>
>> Sincerly
>>
>> Frank
>>
>
> Thanks for this heavy debugging.
>
> I will be fine with adding such magic into x2gostartagent (or
> x2goruncommand). But we need to be as detailled and explicit on the
> how and when.
>
> Get back to me, once you have more insights.
>
> Mike
Information forwarded
to x2go-dev@lists.berlios.de, X2Go Developers <x2go-dev@lists.berlios.de>
:
Bug#438
; Package x2goserver
.
(Fri, 28 Feb 2014 12:25:02 GMT) (full text, mbox, link).
Acknowledgement sent
to Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.berlios.de>
.
(Fri, 28 Feb 2014 12:25:02 GMT) (full text, mbox, link).
Message #51 received at 438@bugs.x2go.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Hi Frank,
On Fr 28 Feb 2014 13:15:41 CET, Frank Knoben wrote:
> Hi Mike,
>
> what about the following solution / proposal for the x2goruncommand script:
>
>
> ....
> # run logout scripts
>
> FIX_XAUTH=`ls -Z $HOME/.Xauthority | egrep default_t`
> if test -n $FIX_AUTH
> then
> /usr/bin/chcon unconfined_u:object_r:xauth_home_t:s0 $HOME/.Xauthority
> fi
>
>
> test -r /etc/x2go/x2go_logout && . /etc/x2go/x2go_logout
>
> ...
>
> this fixes the selinux file permission in case, it it set to
> system_u:object_r:default_t:s0
> It works on my system.
>
> sincerly
>
> Frank
The position where you propose adding the fix does not seem right to
me. As the file permissions will stay "wrong" for the duration of the
session and will only be corrected after the session has ended.
Do I understand it correctly, that the file permissions need adaptions
directly after session startup (i.e. after launching the session
(destop) command)?
Greets,
Mike
--
DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148
GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
[Message part 2 (application/pgp-signature, inline)]
Information forwarded
to x2go-dev@lists.berlios.de, X2Go Developers <x2go-dev@lists.berlios.de>
:
Bug#438
; Package x2goserver
.
(Fri, 28 Feb 2014 12:35:01 GMT) (full text, mbox, link).
Acknowledgement sent
to Frank Knoben <admin@igpm.rwth-aachen.de>
:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.berlios.de>
.
(Fri, 28 Feb 2014 12:35:01 GMT) (full text, mbox, link).
Message #56 received at 438@bugs.x2go.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Hi Mike,
the file permissions only need to be fixed for the next login.
During startup, the xauth command needs the selinux file permissions
of *unconfined_u:object_r:xauth_home_t:s0* or of
*unconfined_u:object_r:user_home_t:s0* to the .Xauthority file,
so that it can overwrite the file with the new Xauthority Information.
After that, everything works fine for the session.
At least for my test, where I did login and opened a terminal window.
Maybe I should try opening some more kde and gnome applications.
On my system, it is ok, when the permissions will be fixed at logout time.
Sincerly
Frank
On 02/28/2014 01:20 PM, Mike Gabriel wrote:
> Hi Frank,
>
> On Fr 28 Feb 2014 13:15:41 CET, Frank Knoben wrote:
>
>> Hi Mike,
>>
>> what about the following solution / proposal for the x2goruncommand
>> script:
>>
>>
>> ....
>> # run logout scripts
>>
>> FIX_XAUTH=`ls -Z $HOME/.Xauthority | egrep default_t`
>> if test -n $FIX_AUTH
>> then
>> /usr/bin/chcon unconfined_u:object_r:xauth_home_t:s0 $HOME/.Xauthority
>> fi
>>
>>
>> test -r /etc/x2go/x2go_logout && . /etc/x2go/x2go_logout
>>
>> ...
>>
>> this fixes the selinux file permission in case, it it set to
>> system_u:object_r:default_t:s0
>> It works on my system.
>>
>> sincerly
>>
>> Frank
>
> The position where you propose adding the fix does not seem right to
> me. As the file permissions will stay "wrong" for the duration of the
> session and will only be corrected after the session has ended.
>
> Do I understand it correctly, that the file permissions need adaptions
> directly after session startup (i.e. after launching the session
> (destop) command)?
>
> Greets,
> Mike
>
>
[Message part 2 (text/html, inline)]
Information forwarded
to x2go-dev@lists.berlios.de, X2Go Developers <x2go-dev@lists.berlios.de>
:
Bug#438
; Package x2goserver
.
(Fri, 28 Feb 2014 14:00:02 GMT) (full text, mbox, link).
Acknowledgement sent
to admin@igpm.rwth-aachen.de
:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.berlios.de>
.
(Fri, 28 Feb 2014 14:00:02 GMT) (full text, mbox, link).
Message #61 received at 438@bugs.x2go.org (full text, mbox, reply):
Hi Mike,
I gave some more thoughts to your remark, that the position is the wrong
one.
And you were right. On a system, where users work interactively at an
attached
screen and use x2go for accessing the system remotely, the fix won't
work at that
position. There it should be just before the .Xauthority file is
accessed. I will
see on tuesday, wether I can find that position.
Sincerly
Frank
On 28.02.2014 13:20, Mike Gabriel wrote:
> Hi Frank,
>
> On Fr 28 Feb 2014 13:15:41 CET, Frank Knoben wrote:
>
>> Hi Mike,
>>
>> what about the following solution / proposal for the x2goruncommand
>> script:
>>
>>
>> ....
>> # run logout scripts
>>
>> FIX_XAUTH=`ls -Z $HOME/.Xauthority | egrep default_t`
>> if test -n $FIX_AUTH
>> then
>> /usr/bin/chcon unconfined_u:object_r:xauth_home_t:s0 $HOME/.Xauthority
>> fi
>>
>>
>> test -r /etc/x2go/x2go_logout && . /etc/x2go/x2go_logout
>>
>> ...
>>
>> this fixes the selinux file permission in case, it it set to
>> system_u:object_r:default_t:s0
>> It works on my system.
>>
>> sincerly
>>
>> Frank
>
> The position where you propose adding the fix does not seem right to
> me. As the file permissions will stay "wrong" for the duration of the
> session and will only be corrected after the session has ended.
>
> Do I understand it correctly, that the file permissions need adaptions
> directly after session startup (i.e. after launching the session
> (destop) command)?
>
> Greets,
> Mike
>
>
Information forwarded
to x2go-dev@lists.berlios.de, X2Go Developers <x2go-dev@lists.berlios.de>
:
Bug#438
; Package x2goserver
.
(Fri, 28 Feb 2014 23:10:02 GMT) (full text, mbox, link).
Acknowledgement sent
to Orion Poplawski <orion@cora.nwra.com>
:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.berlios.de>
.
(Fri, 28 Feb 2014 23:10:02 GMT) (full text, mbox, link).
Message #66 received at 438@bugs.x2go.org (full text, mbox, reply):
On 02/28/2014 05:15 AM, Frank Knoben wrote:
> Hi Mike,
>
> what about the following solution / proposal for the x2goruncommand script:
>
>
> ....
> # run logout scripts
>
> FIX_XAUTH=`ls -Z $HOME/.Xauthority | egrep default_t`
> if test -n $FIX_AUTH
> then
> /usr/bin/chcon unconfined_u:object_r:xauth_home_t:s0 $HOME/.Xauthority
> fi
>
I would suggest using restorecon to set the label.
--
Orion Poplawski
Technical Manager 303-415-9701 x222
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane orion@nwra.com
Boulder, CO 80301 http://www.nwra.com
Information forwarded
to x2go-dev@lists.berlios.de, X2Go Developers <x2go-dev@lists.berlios.de>
:
Bug#438
; Package x2goserver
.
(Tue, 04 Mar 2014 11:05:01 GMT) (full text, mbox, link).
Acknowledgement sent
to Frank Knoben <admin@igpm.rwth-aachen.de>
:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.berlios.de>
.
(Tue, 04 Mar 2014 11:05:02 GMT) (full text, mbox, link).
Message #71 received at 438@bugs.x2go.org (full text, mbox, reply):
When I put the lines in the x2gostartagent script
after the
XAUTHORITY=${XAUTHORITY:-"$HOME/.Xauthority"}
line, the permissions will be fixed on login and not on logout.
Unfortunately, restorcon sets the permissions to
system_u:object_r:default_t:s0
and this does not work on my system.
Instead of fixing the selinux .Xauthority permissions, the file could
also be deleted on login,
if it existed. Something like:
if test -f $HOME/.Xauthority
then
rm $HOME/.Xauthority
fi
But it could also be, that my selinux system is misconfigured in some
strange way,
so that other people, who run the system, don't have this problem.
Frank
On 03/01/2014 12:07 AM, Orion Poplawski wrote:
> On 02/28/2014 05:15 AM, Frank Knoben wrote:
>> Hi Mike,
>>
>> what about the following solution / proposal for the x2goruncommand
>> script:
>>
>>
>> ....
>> # run logout scripts
>>
>> FIX_XAUTH=`ls -Z $HOME/.Xauthority | egrep default_t`
>> if test -n $FIX_AUTH
>> then
>> /usr/bin/chcon unconfined_u:object_r:xauth_home_t:s0
>> $HOME/.Xauthority
>> fi
>>
>
> I would suggest using restorecon to set the label.
>
>
Information forwarded
to x2go-dev@lists.berlios.de, X2Go Developers <x2go-dev@lists.berlios.de>
:
Bug#438
; Package x2goserver
.
(Tue, 04 Mar 2014 16:40:02 GMT) (full text, mbox, link).
Acknowledgement sent
to Orion Poplawski <orion@cora.nwra.com>
:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.berlios.de>
.
(Tue, 04 Mar 2014 16:40:02 GMT) (full text, mbox, link).
Message #76 received at 438@bugs.x2go.org (full text, mbox, reply):
On 03/04/2014 04:02 AM, Frank Knoben wrote:
> When I put the lines in the x2gostartagent script
>
> after the
>
> XAUTHORITY=${XAUTHORITY:-"$HOME/.Xauthority"}
>
> line, the permissions will be fixed on login and not on logout.
> Unfortunately, restorcon sets the permissions to system_u:object_r:default_t:s0
> and this does not work on my system.
That's not right. What is your home directory? What does matchpathcon $HOME
return?
> Instead of fixing the selinux .Xauthority permissions, the file could also be
> deleted on login,
> if it existed. Something like:
>
>
> if test -f $HOME/.Xauthority
> then
> rm $HOME/.Xauthority
> fi
>
> But it could also be, that my selinux system is misconfigured in some strange
> way,
> so that other people, who run the system, don't have this problem.
>
>
> Frank
>
>
> On 03/01/2014 12:07 AM, Orion Poplawski wrote:
>> On 02/28/2014 05:15 AM, Frank Knoben wrote:
>>> Hi Mike,
>>>
>>> what about the following solution / proposal for the x2goruncommand script:
>>>
>>>
>>> ....
>>> # run logout scripts
>>>
>>> FIX_XAUTH=`ls -Z $HOME/.Xauthority | egrep default_t`
>>> if test -n $FIX_AUTH
>>> then
>>> /usr/bin/chcon unconfined_u:object_r:xauth_home_t:s0 $HOME/.Xauthority
>>> fi
>>>
>>
>> I would suggest using restorecon to set the label.
>>
>>
--
Orion Poplawski
Technical Manager 303-415-9701 x222
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane orion@nwra.com
Boulder, CO 80301 http://www.nwra.com
Information forwarded
to x2go-dev@lists.berlios.de, X2Go Developers <x2go-dev@lists.berlios.de>
:
Bug#438
; Package x2goserver
.
(Wed, 05 Mar 2014 07:00:02 GMT) (full text, mbox, link).
Acknowledgement sent
to Frank Knoben <admin@igpm.rwth-aachen.de>
:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.berlios.de>
.
(Wed, 05 Mar 2014 07:00:02 GMT) (full text, mbox, link).
Message #81 received at 438@bugs.x2go.org (full text, mbox, reply):
On 03/04/2014 05:36 PM, Orion Poplawski wrote:
> On 03/04/2014 04:02 AM, Frank Knoben wrote:
>> When I put the lines in the x2gostartagent script
>>
>> after the
>>
>> XAUTHORITY=${XAUTHORITY:-"$HOME/.Xauthority"}
>>
>> line, the permissions will be fixed on login and not on logout.
>> Unfortunately, restorcon sets the permissions to
>> system_u:object_r:default_t:s0
>> and this does not work on my system.
>
> That's not right. What is your home directory? What does
> matchpathcon $HOME return?
>
>
matchpathcon $HOME
returns system_u:object_r:default_t:s0
I switched the default home location from /home/user to /data/user and
changed the
permissions of /data/user with
chcon -R unconfined_u:object_r:user_home_dir_t:s0 /data/user
Information forwarded
to x2go-dev@lists.berlios.de, X2Go Developers <x2go-dev@lists.berlios.de>
:
Bug#438
; Package x2goserver
.
(Wed, 05 Mar 2014 15:15:02 GMT) (full text, mbox, link).
Acknowledgement sent
to Orion Poplawski <orion@cora.nwra.com>
:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.berlios.de>
.
(Wed, 05 Mar 2014 15:15:02 GMT) (full text, mbox, link).
Message #86 received at 438@bugs.x2go.org (full text, mbox, reply):
On 03/04/2014 11:59 PM, Frank Knoben wrote:
> On 03/04/2014 05:36 PM, Orion Poplawski wrote:
>> On 03/04/2014 04:02 AM, Frank Knoben wrote:
>>> When I put the lines in the x2gostartagent script
>>>
>>> after the
>>>
>>> XAUTHORITY=${XAUTHORITY:-"$HOME/.Xauthority"}
>>>
>>> line, the permissions will be fixed on login and not on logout.
>>> Unfortunately, restorcon sets the permissions to
>>> system_u:object_r:default_t:s0
>>> and this does not work on my system.
>>
>> That's not right. What is your home directory? What does
>> matchpathcon $HOME return?
>>
>>
>
> matchpathcon $HOME
> returns system_u:object_r:default_t:s0
>
> I switched the default home location from /home/user to /data/user and
> changed the
> permissions of /data/user with
> chcon -R unconfined_u:object_r:user_home_dir_t:s0 /data/user
Home directories are very special in SELinux - a whole policy tree is
built based on the base home directory. Usually this is determined
automatically from entries in /etc/password, but I suspect you are using
LDAP or similar so that SELinux does not know you use /data/user for
home directories. To inform it, you should do:
semanage fcontext -a -e /home /data/user
This is from /etc/selinux/semanage.conf.
--
Orion Poplawski
Technical Manager 303-415-9701 x222
NWRA/CoRA Division FAX: 303-415-9702
3380 Mitchell Lane orion@cora.nwra.com
Boulder, CO 80301 http://www.cora.nwra.com
Information forwarded
to x2go-dev@lists.berlios.de, X2Go Developers <x2go-dev@lists.berlios.de>
:
Bug#438
; Package x2goserver
.
(Wed, 05 Mar 2014 21:25:02 GMT) (full text, mbox, link).
Acknowledgement sent
to Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.berlios.de>
.
(Wed, 05 Mar 2014 21:25:02 GMT) (full text, mbox, link).
Message #91 received at 438@bugs.x2go.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Control: tag -1 not-a-bug
Hi Frank, hi Orion,
On Mi 05 Mär 2014 16:13:59 CET, Orion Poplawski wrote:
> On 03/04/2014 11:59 PM, Frank Knoben wrote:
>> On 03/04/2014 05:36 PM, Orion Poplawski wrote:
>>> On 03/04/2014 04:02 AM, Frank Knoben wrote:
>>>> When I put the lines in the x2gostartagent script
>>>>
>>>> after the
>>>>
>>>> XAUTHORITY=${XAUTHORITY:-"$HOME/.Xauthority"}
>>>>
>>>> line, the permissions will be fixed on login and not on logout.
>>>> Unfortunately, restorcon sets the permissions to
>>>> system_u:object_r:default_t:s0
>>>> and this does not work on my system.
>>>
>>> That's not right. What is your home directory? What does
>>> matchpathcon $HOME return?
>>>
>>>
>>
>> matchpathcon $HOME
>> returns system_u:object_r:default_t:s0
>>
>> I switched the default home location from /home/user to /data/user and
>> changed the
>> permissions of /data/user with
>> chcon -R unconfined_u:object_r:user_home_dir_t:s0 /data/user
>
> Home directories are very special in SELinux - a whole policy tree is
> built based on the base home directory. Usually this is determined
> automatically from entries in /etc/password, but I suspect you are using
> LDAP or similar so that SELinux does not know you use /data/user for
> home directories. To inform it, you should do:
>
> semanage fcontext -a -e /home /data/user
>
> This is from /etc/selinux/semanage.conf.
@Orion: thanks for giving support on this issue.
Do I understand it correctly, that the observed issues are not X2Go
related, but rather caused by a non-default setup?
Mike
--
DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148
GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
[Message part 2 (application/pgp-signature, inline)]
Added tag(s) not-a-bug.
Request was from Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
to 438-submit@bugs.x2go.org
.
(Wed, 05 Mar 2014 21:25:02 GMT) (full text, mbox, link).
Information forwarded
to x2go-dev@lists.berlios.de, X2Go Developers <x2go-dev@lists.berlios.de>
:
Bug#438
; Package x2goserver
.
(Wed, 05 Mar 2014 21:40:02 GMT) (full text, mbox, link).
Acknowledgement sent
to Orion Poplawski <orion@cora.nwra.com>
:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.berlios.de>
.
(Wed, 05 Mar 2014 21:40:02 GMT) (full text, mbox, link).
Message #98 received at 438@bugs.x2go.org (full text, mbox, reply):
On 03/05/2014 02:20 PM, Mike Gabriel wrote:
> Control: tag -1 not-a-bug
>
> Hi Frank, hi Orion,
>
> On Mi 05 Mär 2014 16:13:59 CET, Orion Poplawski wrote:
>> Home directories are very special in SELinux - a whole policy tree is
>> built based on the base home directory. Usually this is determined
>> automatically from entries in /etc/password, but I suspect you are using
>> LDAP or similar so that SELinux does not know you use /data/user for
>> home directories. To inform it, you should do:
>>
>> semanage fcontext -a -e /home /data/user
>>
>> This is from /etc/selinux/semanage.conf.
>
> @Orion: thanks for giving support on this issue.
>
> Do I understand it correctly, that the observed issues are not X2Go related,
> but rather caused by a non-default setup?
>
> Mike
That's certainly my take.
--
Orion Poplawski
Technical Manager 303-415-9701 x222
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane orion@nwra.com
Boulder, CO 80301 http://www.nwra.com
Information forwarded
to x2go-dev@lists.berlios.de, X2Go Developers <x2go-dev@lists.berlios.de>
:
Bug#438
; Package x2goserver
.
(Thu, 06 Mar 2014 07:20:02 GMT) (full text, mbox, link).
Acknowledgement sent
to Frank Knoben <admin@igpm.rwth-aachen.de>
:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.berlios.de>
.
(Thu, 06 Mar 2014 07:20:02 GMT) (full text, mbox, link).
Message #103 received at 438@bugs.x2go.org (full text, mbox, reply):
Hi Orion, hi Mike,
thank you very much for your support and your patience.
Sincerly
Frank
Information forwarded
to x2go-dev@lists.berlios.de, X2Go Developers <x2go-dev@lists.berlios.de>
:
Bug#438
; Package x2goserver
.
(Thu, 06 Mar 2014 07:45:01 GMT) (full text, mbox, link).
Acknowledgement sent
to Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.berlios.de>
.
(Thu, 06 Mar 2014 07:45:02 GMT) (full text, mbox, link).
Message #108 received at 438@bugs.x2go.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Control: close -1
Hi Frank,
On Do 06 Mär 2014 08:16:14 CET, Frank Knoben wrote:
> Hi Orion, hi Mike,
>
> thank you very much for your support and your patience.
>
> Sincerly
>
> Frank
You are welcome!
Mike
--
DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148
GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
[Message part 2 (application/pgp-signature, inline)]
Marked Bug as done
Request was from Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
to 438-submit@bugs.x2go.org
.
(Thu, 06 Mar 2014 07:45:02 GMT) (full text, mbox, link).
Notification sent
to Frank Knoben <admin@igpm.rwth-aachen.de>
:
Bug acknowledged by developer.
(Thu, 06 Mar 2014 07:45:02 GMT) (full text, mbox, link).
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.x2go.org>
to internal_control@bugs.x2go.org
.
(Fri, 04 Apr 2014 05:24:01 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
X2Go Developers <owner@bugs.x2go.org>.
Last modified:
Wed Oct 30 12:56:27 2024;
Machine Name:
ymir.das-netzwerkteam.de
X2Go Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.