X2Go Bug report logs - #438
x2goserver and rhel6.4 / selinux Problem

Package: x2goserver; Maintainer for x2goserver is X2Go Developers <x2go-dev@lists.x2go.org>; Source for x2goserver is src:x2goserver.

Reported by: Frank Knoben <admin@igpm.rwth-aachen.de>

Date: Thu, 27 Feb 2014 09:10:02 UTC

Severity: normal

Tags: moreinfo, not-a-bug

Found in version

Done: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>

Bug is archived. No further changes may be made.

Subject: Bug#438: x2goserver and rhel6.4 / selinux Problem
Date: Fri, 28 Feb 2014 09:22:47 +0100
From: Frank Knoben <admin@igpm.rwth-aachen.de>
To: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>, 
 438-quiet@bugs.x2go.org, 438@bugs.x2go.org
CC: 438-submitter@bugs.x2go.org
Hello Mike,

The problem is that I'm not an expert on SELinux either.
But I did some more tests.

Interactive session - first login: the ~/.Xauthority file is created
and stays after logout with the permissions *system_u:object_r:default_t:s0*.
I am still able to log in interactively again.

But with these permissions, I got the Cookie mismatch problem when using
the x2goclient.
And when I log in with ssh to the computer, I got an xauth error message:
/usr/bin/xauth:  ~/.Xauthority not writable, changes will be ignored

Now I remove all .Xauthority* files. Then a login with ssh will create
the ~/.Xauthority file with the *system_u:object_r:xauth_home_t:s0*
permissions and the file stays with these permissions after logout.

Now when I use the x2goclient, the file permissions change during the
login process from *system_u:object_r:xauth_home_t:s0* to
*system_u:object_r:default_t:s0* and stay that way after logout.
The same as it is with interactive sessions.
So I guess everything is fine with the x2goserver software and
this is not a bug.
My problem is that ssh is not able to overwrite the .Xauthority file
when it has the default permissions of *system_u:object_r:default_t:s0*.
Therefore the x2goclient is not able to start a successful session and
gets the Cookie mismatch error.

So I think you can close this bug report.

Thank you very much for your quick response and please excuse my mistake in
thinking that this was an x2goserver bug.



Frank Knoben
Institut fuer Geometrie und Praktische Mathematik
RWTH Aachen

On 02/27/2014 04:30 PM, Mike Gabriel wrote:
> Control: tag -1 moreinfo
> Hi Frank,
>> ---------------------------
>> ls -Z .Xauthority
>>  -rw-------. frank users unconfined_u:object_r:default_t:s0 .Xauthority
>> --------------------------
>> Then I do a logout. Now, when I try to connect again to the x2go 
>> server system, I get
>> the following error message on the client side and no session is 
>> started.
>> -----------------------------
>> .....
>> "Warning: Cookie mismatch in the X authentication data.
>> "
>> "Session: Terminating session at 'Thu Feb 27 09:40:05 2014'.
>> Info: Your session was closed before reaching a usable state.
>> Info: This can be due to the local X server refusing access to the 
>> client.
>> Info: Please check authorization provided by the remote X application.
>> Session: Session terminated at 'Thu Feb 27 09:40:05 2014'.
>> "
>> deleting proxy
>> nxproxy not running
>> proxy deleted
>> -----------------------------------
>> But when I change the selinux permissions to
>> ------
>> ls -Z .Xauthority
>> -rw-------. frank users unconfined_u:object_r:xauth_home_t:s0 .Xauthority
> What are the SELinux permissions after you have logged out?
> Do you need that chcon command call when resuming sessions or when
> starting sessions?
> Excuse my SELinux innocence at this point. I would like to add support 
> for SELinux, but I need to understand better why we have to tweak the 
> security context of .Xauthority for X2Go.
> Thanks+Greets,
> Mike
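
A small audit script for the situation described in this thread, added here as an example; it is not part of the original messages or of x2goserver. It reads `ls -Z` output, extracts the SELinux type of .Xauthority and flags any file whose type is not xauth_home_t, the label the thread reports as working. The function names are hypothetical, and audit_live assumes the selinuxenabled and restorecon utilities are installed.

```shell
#!/bin/sh
# Added example: flag ~/.Xauthority files whose SELinux type is not the one
# that worked in this thread. Function names are hypothetical.

EXPECTED_TYPE="xauth_home_t"   # label seen on the working file in the thread

# Print the first field of an `ls -Z` line that looks like user:role:type:level.
context_from_ls_line() {
    printf '%s\n' "$1" | awk '
        { for (i = 1; i <= NF; i++)
              if ($i ~ /^[^:]+:[^:]+:[^:]+:[^:]+/) { print $i; found = 1; exit } }
        END { exit !found }'
}

# Classify one `ls -Z` line: ok, mislabeled:<type>, or no-context.
xauthority_verdict() {
    ctx=$(context_from_ls_line "$1") || { echo "no-context"; return 0; }
    ctx_type=$(printf '%s\n' "$ctx" | cut -d: -f3)
    if [ "$ctx_type" = "$EXPECTED_TYPE" ]; then
        echo "ok"
    else
        echo "mislabeled:$ctx_type"
    fi
}

# Live check for one file; only meaningful on an SELinux-enabled host.
audit_live() {
    command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled || return 2
    verdict=$(xauthority_verdict "$(ls -Z "$1")")
    echo "$1: $verdict"
    # Dry run: show what the loaded policy would relabel, without changing it.
    [ "$verdict" = "ok" ] || restorecon -n -v "$1"
}

# The first two lines are the ls -Z outputs quoted in the thread; the third is constructed.
for line in \
    "-rw-------. frank users unconfined_u:object_r:default_t:s0 .Xauthority" \
    "-rw-------. frank users unconfined_u:object_r:xauth_home_t:s0 .Xauthority" \
    "-rw------- 1 frank users 0 Feb 27 09:40 .Xauthority"
do
    echo "$(xauthority_verdict "$line")  <-  $line"
done
```

On an SELinux host, `audit_live "$HOME/.Xauthority"` runs the same check against the real file and prints the relabel that restorecon would apply, without applying it.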


X2Go Developers <owner@bugs.x2go.org>. Last modified: Thu Feb 29 01:39:57 2024; Machine Name: ymir.das-netzwerkteam.de
