Hi Frank,
On Fr 28 Feb 2014 09:22:47 CET, Frank Knoben wrote:
Hello Mike,
the problem is, that I'm not an expert on selinux too. But I did some more tests.
Interactive Session - first login, the ~/.Xauthority file is created and stays after logout with the permissions *system_u:object_r:default_t:s0* I am still able to login in interactively again.
But with this permissions, I got the Cookie mismatch problem, when
using the x2goclient. And when I login with ssh to the computer, I got a xauth error message: /usr/bin/xauth: ~/.Xauthority not writable, changes will be ignoredNow I remove all .Xauthority* files. Then a login with ssh will
create the ~/.Xauthority file with the *system_u:object_r:xauth_home_t:s0* permissions and the
files stays with these permissions after logout.Now when I use the x2goclient, the file permissions change during
the login process from *system_u:object_r:xauth_home_t:s0* to
*system_u:object_r:default_t:s0 *and stay that way after logout. The same, as it is with interactive sessions. So I guess, everything is fine with the x2goserver software and this is not a bug. My problem is, that ssh is not able to overwrite the .Xauthority
file, when it has the default permissions of *system_u:object_r:default_t:s0* . Therefore
the x2goclient is not able to start a successful session and gets the Cookie mismatch error.So I think, you can close this bugreport.
Nonono... I actually think there is something wrong with X2Go Server.
X2Go Client / PyHoca-GUI (another X2Go client app) should immitate
what SSH does.
As the X2Go clients call the script /usr/bin/x2gostartagent and this
script fiddles with the .Xauthority files via xauth, we should make
sure that after modifying the .Xauthority file the SELinux permissions
stay intact.
Can you please add your proposed chcon command into x2gostartagent
(near line 268, there is another position further up for shadow
sessions) after xauth has been called and see it that fixes your
troubles.
Next step: please provide me with an if clause that will test if
SELinux is in use or not, so we can call chcon only if SELinux is in
use on that system.
Thanks+Greets, Mike
--
DAS-NETZWERKTEAM mike gabriel, herweg 7, 24357 fleckeby fon: +49 (1520) 1976 148
GnuPG Key ID 0x25771B31 mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
freeBusy: https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xf...