From unknown Sat Jun 06 14:16:45 2026
X-Loop: owner@bugs.x2go.org
Subject: Bug#438: x2goserver and rhel6.4 / selinux Problem
Reply-To: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>, 438@bugs.x2go.org
Resent-From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
Resent-To: x2go-dev@lists.berlios.de
Resent-CC: X2Go Developers <x2go-dev@lists.berlios.de>
Resent-Date: Fri, 28 Feb 2014 09:25:02 +0000
Resent-Message-ID: <handler.438.B438.1393579488369@bugs.x2go.org>
Resent-Sender: owner@bugs.x2go.org
X-X2Go-PR-Message: followup 438
X-X2Go-PR-Package: x2goserver
X-X2Go-PR-Keywords: moreinfo
Date: Fri, 28 Feb 2014 09:24:46 +0000
Message-ID: <20140228092446.Horde.K_uiZqFdCvK-Jq-K84gzwg6@mail.das-netzwerkteam.de>
From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
To: Frank Knoben <admin@igpm.rwth-aachen.de>
Cc: 438@bugs.x2go.org
References: <20140227153048.Horde.6X5oZyCn2oTDQtFl7KQMCQ1@mail.das-netzwerkteam.de>
 <53104757.1030306@igpm.rwth-aachen.de>
In-Reply-To: <53104757.1030306@igpm.rwth-aachen.de>
User-Agent: Internet Messaging Program (IMP) H5 (6.1.4)
Accept-Language: en,de
Organization: DAS-NETZWERKTEAM
X-Originating-IP: 213.178.75.58
X-Remote-Browser: Mozilla/5.0 (X11; Linux x86_64; rv:26.0) Gecko/20100101
 Firefox/26.0 Iceweasel/26.0
Content-Type: multipart/signed; boundary="=_1YsruPhz3iYmUJ7kc8FAuA1";
 protocol="application/pgp-signature"; micalg=pgp-sha1
MIME-Version: 1.0

This message is in MIME format and has been PGP signed.

--=_1YsruPhz3iYmUJ7kc8FAuA1
Content-Type: text/plain; charset=utf-8; format=flowed; DelSp=Yes
Content-Disposition: inline

Hi Frank,

On  Fr 28 Feb 2014 09:22:47 CET, Frank Knoben wrote:

> Hello Mike,
>
> the problem is that I'm not an expert on SELinux either.
> But I did some more tests.
>
> Interactive Session - first login, the ~/.Xauthority file is created
> and stays after logout with the permissions *system_u:object_r:default_t:s0*
> I am still able to log in interactively again.
>
> But with these permissions, I got the Cookie mismatch problem when
> using the x2goclient.
> And when I log in with ssh to the computer, I got an xauth error message:
> /usr/bin/xauth:  ~/.Xauthority not writable, changes will be ignored
>
> Now I remove all .Xauthority* files. Then a login with ssh will
> create the ~/.Xauthority file
> with the *system_u:object_r:xauth_home_t:s0* permissions and the
> file stays with
> these permissions after logout.
>
> Now when I use the x2goclient, the file permissions change during  
> the login process from
> *system_u:object_r:xauth_home_t:s0* to
> *system_u:object_r:default_t:s0* and stay
> that way after logout. The same as it is with interactive sessions.
> So I guess everything is fine with the x2goserver software and
> this is not a bug.
> My problem is that ssh is not able to overwrite the .Xauthority
> file when it has the
> default permissions of *system_u:object_r:default_t:s0*. Therefore
> the x2goclient is
> not able to start a successful session and gets the Cookie mismatch error.
>
> So I think you can close this bug report.

Nonono... I actually think there is something wrong with X2Go Server.

X2Go Client / PyHoca-GUI (another X2Go client app) should imitate
what SSH does.

As the X2Go clients call the script /usr/bin/x2gostartagent and this  
script fiddles with the .Xauthority files via xauth, we should make  
sure that after modifying the .Xauthority file the SELinux permissions  
stay intact.

Can you please add your proposed chcon command into x2gostartagent
(near line 268, there is another position further up for shadow
sessions) after xauth has been called and see if that fixes your
troubles.

Next step: please provide me with an if clause that will test if  
SELinux is in use or not, so we can call chcon only if SELinux is in  
use on that system.

Thanks+Greets,
Mike

-- 

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb

--=_1YsruPhz3iYmUJ7kc8FAuA1
Content-Type: application/pgp-signature
Content-Description: Digitale PGP-Signatur
Content-Disposition: inline


--=_1YsruPhz3iYmUJ7kc8FAuA1--
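
Added example, not part of the original message and not code from x2gostartagent: one way to write the guard requested above, so that chcon runs after xauth only on hosts where SELinux is enabled. The function names and the default path `$HOME/.Xauthority` are assumptions; `xauth_home_t` is the type reported in the quoted tests.

```shell
#!/bin/sh
# Added example: relabel the Xauthority file after xauth has rewritten it,
# but only where SELinux is actually in use. Function names are hypothetical.

# Return 0 only if the SELinux tools are installed and SELinux is enabled.
# selinuxenabled exits 0 when SELinux is enabled and non-zero otherwise.
selinux_in_use() {
    command -v selinuxenabled >/dev/null 2>&1 || return 1
    selinuxenabled >/dev/null 2>&1
}

# Set the xauth_home_t type on the given file (assumed default: ~/.Xauthority).
# Returns 0 when there is nothing to do (no file, no SELinux, no chcon),
# otherwise returns the exit status of chcon so a failed relabel is visible.
fix_xauthority_context() {
    xauth_file="${1:-$HOME/.Xauthority}"
    [ -f "$xauth_file" ] || return 0
    selinux_in_use || return 0
    command -v chcon >/dev/null 2>&1 || return 0
    chcon -t xauth_home_t -- "$xauth_file"
}
```

On a host without SELinux the function is a no-op that returns 0, so the calling script behaves as before.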
