From: Frank Knoben
Date: Fri, 28 Feb 2014 13:30:36 +0100
To: Mike Gabriel
CC: 438@bugs.x2go.org
Subject: Bug#438: x2goserver and rhel6.4 / selinux Problem

Hi Mike,

the file permissions only need to be fixed for the next login.
During startup, the xauth command needs the SELinux file permissions
of unconfined_u:object_r:xauth_home_t:s0 or of unconfined_u:object_r:user_home_t:s0 on the .Xauthority file,
so that it can overwrite the file with the new Xauthority information.
After that, everything works fine for the session.
At least for my test, where I did log in and opened a terminal window.
Maybe I should try opening some more KDE and GNOME applications.
On my system, it is OK when the permissions are fixed at logout time.

Sincerely

Frank


On 02/28/2014 01:20 PM, Mike Gabriel wrote:
> Hi Frank,
>
> On Fr 28 Feb 2014 13:15:41 CET, Frank Knoben wrote:
>
>> Hi Mike,
>>
>> what about the following solution / proposal for the x2goruncommand script:
>>
>> ....
>> # run logout scripts
>>
>> # relabel .Xauthority if it carries the default_t type
>> FIX_XAUTH=$(ls -Z "$HOME/.Xauthority" | grep default_t)
>> if test -n "$FIX_XAUTH"
>> then
>>   /usr/bin/chcon unconfined_u:object_r:xauth_home_t:s0 "$HOME/.Xauthority"
>> fi
>>
>> test -r /etc/x2go/x2go_logout && . /etc/x2go/x2go_logout
>>
>> ...
>>
>> this fixes the SELinux file permission in case it is set to system_u:object_r:default_t:s0
>> It works on my system.
>>
>> Sincerely
>>
>> Frank
>
> The position where you propose adding the fix does not seem right to me. As the file permissions will stay "wrong" for the duration of the session and will only be corrected after the session has ended.
>
> Do I understand it correctly, that the file permissions need adaptions directly after session startup (i.e. after launching the session (desktop) command)?
>
> Greets,
> Mike
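
The label check discussed in this thread, written as a stand-alone shell function; this is an added example, not part of the original messages or of x2goruncommand. The function names and the CHCON override variable are assumptions made for illustration; the context values are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example, not x2goruncommand code. Context values are from the thread.
TARGET_CONTEXT='unconfined_u:object_r:xauth_home_t:s0'

# Third colon-separated field of user:role:type:level, e.g. default_t.
# -s suppresses input that contains no colon at all (such as "?").
selinux_type() {
    printf '%s\n' "$1" | cut -s -d: -f3
}

# Succeeds only for the mislabelled case named in the thread (default_t).
# xauth_home_t, user_home_t and anything unrecognised are left alone.
xauth_needs_relabel() {
    [ "$(selinux_type "$1")" = "default_t" ]
}

# Read the file's security context; GNU stat prints it for %C.
get_context() {
    stat -c %C "$1" 2>/dev/null
}

# Relabel the file (default: $HOME/.Xauthority) only when it is needed.
# CHCON is a hypothetical override hook so the function can be dry-run.
fix_xauthority_label() {
    file=${1:-$HOME/.Xauthority}
    [ -e "$file" ] || return 0
    ctx=$(get_context "$file") || return 0
    # Quote the expansion: an empty, unquoted value would turn
    # `test -n $ctx` into `test -n`, which is always true.
    if [ -n "$ctx" ] && xauth_needs_relabel "$ctx"; then
        "${CHCON:-/usr/bin/chcon}" "$TARGET_CONTEXT" "$file"
    fi
}
```

Setting CHCON=echo prints the command that would run instead of changing the label.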


