From frank@igpm.rwth-aachen.de  Fri Feb 28 09:32:17 2014
Message-ID: <53104757.1030306@igpm.rwth-aachen.de>
Date: Fri, 28 Feb 2014 09:22:47 +0100
From: Frank Knoben <admin@igpm.rwth-aachen.de>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.3.0
MIME-Version: 1.0
To: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>, 
 438-quiet@bugs.x2go.org, 438@bugs.x2go.org
CC: 438-submitter@bugs.x2go.org
Subject: Re: Bug#438: x2goserver and rhel6.4 / selinux Problem
References: <20140227153048.Horde.6X5oZyCn2oTDQtFl7KQMCQ1@mail.das-netzwerkteam.de>
In-Reply-To: <20140227153048.Horde.6X5oZyCn2oTDQtFl7KQMCQ1@mail.das-netzwerkteam.de>
Content-Type: multipart/alternative;
 boundary="------------000700040604080506050907"
Sender: frank@igpm.rwth-aachen.de

This is a multi-part message in MIME format.
--------------000700040604080506050907
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit

Hello Mike,

The problem is that I'm not an expert on SELinux either.
But I did some more tests.

Interactive session - first login: the ~/.Xauthority file is created
and stays after logout with the permissions *system_u:object_r:default_t:s0*.
I am still able to log in interactively again.

But with these permissions, I got the Cookie mismatch problem when using
the x2goclient.
And when I log in with ssh to the computer, I got an xauth error message:
/usr/bin/xauth:  ~/.Xauthority not writable, changes will be ignored

Now I remove all .Xauthority* files. Then a login with ssh will create
the ~/.Xauthority file with the *system_u:object_r:xauth_home_t:s0*
permissions and the file stays with these permissions after logout.

Now when I use the x2goclient, the file permissions change during the
login process from *system_u:object_r:xauth_home_t:s0* to
*system_u:object_r:default_t:s0* and stay that way after logout. The same
as it is with interactive sessions.
So I guess everything is fine with the x2goserver software and
this is not a bug.
My problem is that ssh is not able to overwrite the .Xauthority file
when it has the default permissions of *system_u:object_r:default_t:s0*.
Therefore the x2goclient is not able to start a successful session and
gets the Cookie mismatch error.

So I think you can close this bug report.


Thank you very much for your quick response and please excuse my mistake in
thinking that this was an x2goserver bug.

Sincerely

Frank


Frank Knoben
Institut fuer Geometrie und Praktische Mathematik
RWTH Aachen
Aachen,
Germany





On 02/27/2014 04:30 PM, Mike Gabriel wrote:
> Control: tag -1 moreinfo
>
> Hi Frank,
>
>> ---------------------------
>>
>> ls -Z .Xauthority
>>  -rw-------. frank users unconfined_u:object_r:default_t:s0 .Xauthority
>>
>> --------------------------
>>
>> Then I do a logout. Now, when I try to connect again to the x2go 
>> server system, I get
>> the following error message on the client side and no session is 
>> started.
>>
>> -----------------------------
>> .....
>>
>> "Warning: Cookie mismatch in the X authentication data.
>> "
>>
>> "Session: Terminating session at 'Thu Feb 27 09:40:05 2014'.
>> Info: Your session was closed before reaching a usable state.
>> Info: This can be due to the local X server refusing access to the 
>> client.
>> Info: Please check authorization provided by the remote X application.
>> Session: Session terminated at 'Thu Feb 27 09:40:05 2014'.
>> "
>>
>> deleting proxy
>>
>> nxproxy not running
>>
>> proxy deleted
>>
>> -----------------------------------
>>
>> But when I change the selinux permissions to
>>
>> ------
>>
>> ls -Z .Xauthority
>>
>> -rw-------. frank users unconfined_u:object_r:xauth_home_t:s0 .Xauthority
>
> What are the SELinux permissions after you have logged out?
>
> Do you need that chcon command call when resuming sessions or when
> starting sessions?
>
> Excuse my SELinux innocence at this point. I would like to add support 
> for SELinux, but I need to understand better why we have to tweak the 
> security context of .Xauthority for X2Go.
>
> Thanks+Greets,
> Mike
>
>
>


--------------000700040604080506050907--
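
Added example, not part of the original mail or of X2Go: a shell helper that reads one line of `ls -Z` output, in either the RHEL 6 layout quoted in the thread or the context-first layout of newer coreutils, and reports whether `.Xauthority` carries the `xauth_home_t` type. The function names and the two sample lines are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample lines: the RHEL 6 `ls -Z` layout quoted in the thread,
# and the context-first layout printed by newer coreutils.
SAMPLE_BAD='-rw-------. frank users unconfined_u:object_r:default_t:s0 .Xauthority'
SAMPLE_GOOD='system_u:object_r:xauth_home_t:s0 .Xauthority'

# Print the SELinux type (third part of user:role:type:level) found in one
# line of `ls -Z` output. Prints nothing when the line carries no context,
# e.g. the "?" shown on hosts where SELinux is disabled.
selinux_type_of() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if (split($i, c, ":") >= 4 && c[3] ~ /_t$/) { print c[3]; exit }
    }'
}

# Classify one `ls -Z` line for .Xauthority:
#   ok                 labelled xauth_home_t (xauth can rewrite the file)
#   mislabeled:<type>  any other type, e.g. default_t as in the report
#   unlabeled          no context present in the line
classify_xauthority() {
    t=$(selinux_type_of "$1")
    case "$t" in
        xauth_home_t) echo ok ;;
        "")           echo unlabeled ;;
        *)            echo "mislabeled:$t" ;;
    esac
}

# Live check of a real file (defaults to the caller's ~/.Xauthority).
check_live() {
    f=${1:-$HOME/.Xauthority}
    [ -e "$f" ] || { echo absent; return 0; }
    classify_xauthority "$(ls -Zd -- "$f" 2>/dev/null)"
}

echo "sample (thread, failing): $(classify_xauthority "$SAMPLE_BAD")"
echo "sample (after ssh login): $(classify_xauthority "$SAMPLE_GOOD")"
echo "this host:                $(check_live)"
```

For a `mislabeled` result, `matchpathcon ~/.Xauthority` shows the type the loaded policy expects for that path, which tells you whether the file or the policy's view of the home directory is the part that is off.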

