X2Go Bug report logs - #438
x2goserver and rhel6.4 / selinux Problem

Full log

Message #20 received at 438@bugs.x2go.org (full text, mbox, reply):

Received: (at 438) by bugs.x2go.org; 28 Feb 2014 08:32:18 +0000
From frank@igpm.rwth-aachen.de  Fri Feb 28 09:32:17 2014
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on
	ymir.das-netzwerkteam.de
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,HTML_MESSAGE
	autolearn=ham version=3.3.2
X-Greylist: delayed 567 seconds by postgrey-1.34 at ymir; Fri, 28 Feb 2014 09:32:17 CET
Received: from mx-out-1.rwth-aachen.de (mx-out-1.rwth-aachen.de [134.130.5.186])
	by ymir (Postfix) with ESMTP id 446145DB16;
	Fri, 28 Feb 2014 09:32:17 +0100 (CET)
X-IronPort-AV: E=Sophos;i="4.97,560,1389740400"; 
   d="scan'208,217";a="261232418"
Received: from igpm.igpm.rwth-aachen.de ([134.130.161.1])
  by mx-1.rz.rwth-aachen.de with ESMTP; 28 Feb 2014 09:22:51 +0100
Received: from indy5.igpm.rwth-aachen.de ([134.130.161.44])
	by igpm.igpm.rwth-aachen.de with esmtp (Exim 4.72)
	(envelope-from <frank@igpm.rwth-aachen.de>)
	id 1WJIiY-0001Wq-JZ; Fri, 28 Feb 2014 09:22:50 +0100
Received: from france.igpm.rwth-aachen.de ([134.130.161.63])
	by indy5.igpm.rwth-aachen.de with esmtpsa (TLSv1:AES128-SHA:128)
	(Exim 4.72)
	(envelope-from <frank@indy5.igpm.rwth-aachen.de>)
	id 1WJIiY-0007CN-Dl; Fri, 28 Feb 2014 09:22:50 +0100
Message-ID: <53104757.1030306@igpm.rwth-aachen.de>
Date: Fri, 28 Feb 2014 09:22:47 +0100
From: Frank Knoben <admin@igpm.rwth-aachen.de>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.3.0
MIME-Version: 1.0
To: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>, 
 438-quiet@bugs.x2go.org, 438@bugs.x2go.org
CC: 438-submitter@bugs.x2go.org
Subject: Re: Bug#438: x2goserver and rhel6.4 / selinux Problem
References: <20140227153048.Horde.6X5oZyCn2oTDQtFl7KQMCQ1@mail.das-netzwerkteam.de>
In-Reply-To: <20140227153048.Horde.6X5oZyCn2oTDQtFl7KQMCQ1@mail.das-netzwerkteam.de>
Content-Type: multipart/alternative;
 boundary="------------000700040604080506050907"
Sender: frank@igpm.rwth-aachen.de

[Message part 1 (text/plain, inline)]

Hello Mike,

the problem is, that I'm not an expert on selinux too.
But I did some more tests.

Interactive Session - first login, the ~/.Xauthority file is created
and stays after logout with the permissions *system_u:object_r:default_t:s0*
I am still able to login in interactively again.

But with this permissions, I got the Cookie mismatch problem, when using 
the x2goclient.
And when I login with ssh to the computer, I got a xauth error message:
/usr/bin/xauth:  ~/.Xauthority not writable, changes will be ignored

Now I  remove all .Xauthority* files. Then a login with ssh will create 
the ~/.Xauthority file
with the *system_u:object_r:xauth_home_t:s0* permissions and the files 
stays with
these permissions after logout.

Now when I use the x2goclient, the file permissions change during the 
login process from
*system_u:object_r:xauth_home_t:s0* to *system_u:object_r:default_t:s0 
*and stay
that way after logout. The same, as it is with interactive sessions.
So I guess, everything is fine with the x2goserver software and
this is not a bug.
My problem is, that ssh is not able to overwrite the .Xauthority file, 
when it has the
default permissions of *system_u:object_r:default_t:s0* . Therefore the 
x2goclient is
not able to start a successful session and gets the Cookie mismatch error.

So I think, you can close this bugreport.


Thank you very much for your quick response and please excuse my mistake in
thinking that this was a x2goserver bug.

Sincerly

Frank


Frank Knoben
Institut fuer Geometrie und Praktische Mathematik
RWTH Aachen
Aachen,
Germany





On 02/27/2014 04:30 PM, Mike Gabriel wrote:
> Control: tag -1 moreinfo
>
> Hi Frank,
>
>> ---------------------------
>>
>> ls -Z .Xauthority
>>  -rw-------. frank users unconfined_u:object_r:default_t:s0 .Xauthority
>>
>> --------------------------
>>
>> Then I do a logout. Now, when I try to connect again to the x2go 
>> server system, I get
>> the following error message on the client side and no session is 
>> started.
>>
>> -----------------------------
>> .....
>>
>> "Warning: Cookie mismatch in the X authentication data.
>> "
>>
>> "Session: Terminating session at 'Thu Feb 27 09:40:05 2014'.
>> Info: Your session was closed before reaching a usable state.
>> Info: This can be due to the local X server refusing access to the 
>> client.
>> Info: Please check authorization provided by the remote X application.
>> Session: Session terminated at 'Thu Feb 27 09:40:05 2014'.
>> "
>>
>> deleting proxy
>>
>> nxproxy not running
>>
>> proxy deleted
>>
>> -----------------------------------
>>
>> But when I change the selinux permissions to
>>
>> ------
>>
>> ls -Z .Xauthority
>>
>> -rw-------. frank users unconfined_u:object_r:xauth_home_t:s0 
>> .Xauthority
>
> What are the SELinux permissions after you have logged out?
>
> Do you need that chcon command call when resuming sessions or when 
> starting sessions.
>
> Excuse my SELinux innocence at this point. I would like to add support 
> for SELinux, but I need to understand better why we have to tweak the 
> security context of .Xauthority for X2Go.
>
> Thanks+Greets,
> Mike
>
>
>

[Message part 2 (text/html, inline)]

Send a report that this bug log contains spam.