Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.

Bug 119204

Summary: ssh-agent and utemper want to write to $HOME/.xsession-errors, which is prohibited by policy
Product: [Fedora] Fedora Reporter: Aleksey Nogin <aleksey>
Component: xinitrcAssignee: X/OpenGL Maintenance List <xgl-maint>
Status: CLOSED CURRENTRELEASE QA Contact: Ben Levenson <benl>
Severity: high Docs Contact:
Priority: medium    
Version: rawhideCC: dwalsh, than, twaugh
Target Milestone: ---Keywords: SELinux
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2004-10-22 14:35:22 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 119503    
Bug Blocks:    

Description Aleksey Nogin 2004-03-26 11:28:53 UTC 
If the session is _not_ Gnome, kdm's /usr/share/config/kdm/Xsession
redirects the stdout and stderr to $HOME/.xsession-errors, which has
the default type user_home_t (or staff_home_t). The current policy
(1.9-15) would not allow such a file to be written to be certain
programs. In particular, 

- ssh-agent is unable to write to it, which causes it to start using
up all the CPU time

- utemper is unable to write to it, so it fails to list the user's
session in utmp.

I believe that the best solution woukd be to change 
/usr/share/config/kdm/Xsession to use a file in /tmp, not
$HOME/.xsession-errors. Alternatively, the policy could be changed to
mark the $HOME/.xsession-errors specially. Finally, a possible
solution would be to grant utemper and ssh-agent write/append
permissions to arbitrary user files, but I am not sure this is a good
idea.
Comment 1 Daniel Walsh 2004-03-31 03:32:49 UTC 
I am changing  policy for xdm to dontaudit on writes to the $1_home_t,
which should cause the xsession-errors file to be created on /tmp.

Dan
Comment 2 Aleksey Nogin 2004-03-31 03:42:29 UTC 
Will the xauth stuff still work? Just making sure.
Comment 3 Daniel Walsh 2004-03-31 04:01:26 UTC 
Well that actually looks like a bug also.  Seems xdm is not
transitioning to xauth_t, to allow it to write to the home dir.  So I
am  trying to fix that also.  If the transition happens properly
xauth_t can write to the home dir and xdm will fail forcing it to
write to /tmp dir.  
I believe that is the way it should work.

Dan
Comment 4 Aleksey Nogin 2004-03-31 05:36:23 UTC 
What about utemper? I am getting 

audit(1080711300.469:0): avc:  denied  { getattr } for  pid=27008
exe=/usr/sbin/utempter path=/tmp/xses-aleksey.OU2533 dev=hda2
ino=343507 scontext=aleksey:staff_r:utempter_t
tcontext=aleksey:object_r:staff_tmp_t tclass=file

and I was getting similar write denied messages until I added an allow
for them.
Comment 5 Than Ngo 2004-04-01 12:00:31 UTC 
kdebase just uses Xsession file in xinitrc. It assign it to correct
component
Comment 6 Aleksey Nogin 2004-04-01 12:29:12 UTC 
*** Bug 119506 has been marked as a duplicate of this bug. ***
Comment 7 Tim Waugh 2004-04-21 13:13:01 UTC 
It would be nice if this could go in the release notes (the fact that
your .xsession-errors in now in /tmp).
Comment 8 Mike A. Harris 2004-10-05 11:39:57 UTC 
Please try Fedora Core 3 test 2 or later, as this problem may
be fixed now.  If the problem persists, please update the status.

Thanks in advance.