Hi Frank,
On Fr 28 Feb 2014 09:22:47 CET, Frank Knoben wrote:
Nonono... I actually think there is something wrong with X2Go Server.
X2Go Client / PyHoca-GUI (another X2Go client app) should imitate
what SSH does.
As the X2Go clients call the script /usr/bin/x2gostartagent and this
script fiddles with the .Xauthority files via xauth, we should make
sure that after modifying the .Xauthority file the SELinux permissions
stay intact.
Can you please add your proposed chcon command into x2gostartagent
(near line 268, there is another position further up for shadow
sessions) after xauth has been called and see if that fixes your
troubles.
Next step: please provide me with an if clause that will test if
SELinux is in use or not, so we can call chcon only if SELinux is in
use on that system.
Thanks+Greets, Mike
--
DAS-NETZWERKTEAM mike gabriel, herweg 7, 24357 fleckeby fon: +49 (1520) 1976 148
GnuPG Key ID 0x25771B31 mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
freeBusy: https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xf...
Hi Mike,
thank you very much for the proposal, with which I could fix the problem on my system. But I still have to think about how to make a permanent workaround in the x2gostartagent script.
So I think it is a problem of the KDE and GNOME window managers. For the KDE window manager, I put a chcon statement at the end of the /usr/bin/startkde script. I'm still looking for a workaround for the GNOME window manager.
Sincerely
Frank
Hi Frank,
On Fr 28 Feb 2014 12:12:43 CET, Frank Knoben wrote:
Thanks for this heavy debugging.
I will be fine with adding such magic into x2gostartagent (or
x2goruncommand). But we need to be as detailed and explicit on the
how and when.
Get back to me, once you have more insights.
Hi Mike,
what about the following solution / proposal for the x2goruncommand script:
....
# run logout scripts
# non-empty only if .Xauthority currently carries the default_t label
FIX_XAUTH=$(ls -Z "$HOME/.Xauthority" | egrep default_t)
if test -n "$FIX_XAUTH"
then
    /usr/bin/chcon unconfined_u:object_r:xauth_home_t:s0 "$HOME/.Xauthority"
fi
test -r /etc/x2go/x2go_logout && . /etc/x2go/x2go_logout
...
This fixes the SELinux file permission in case it is set to system_u:object_r:default_t:s0. It works on my system.
Sincerely
Frank
On 02/28/2014 01:00 PM, Mike Gabriel wrote:
Hi Frank,
On Fr 28 Feb 2014 13:15:41 CET, Frank Knoben wrote:
The position where you propose adding the fix does not seem right to
me. As the file permissions will stay "wrong" for the duration of the
session and will only be corrected after the session has ended.
Do I understand it correctly, that the file permissions need adaptions
directly after session startup (i.e. after launching the session
(desktop) command)?
Greets, Mike
Hi Mike,
the file permissions only need to be fixed for the next login. During startup, the xauth command needs the SELinux file permissions of *unconfined_u:object_r:xauth_home_t:s0* or of *unconfined_u:object_r:user_home_t:s0* on the .Xauthority file, so that it can overwrite the file with the new Xauthority information. After that, everything works fine for the session. At least for my test, where I logged in and opened a terminal window. Maybe I should try opening some more KDE and GNOME applications. On my system, it is OK when the permissions are fixed at logout time.
Sincerely
Frank
On 02/28/2014 01:20 PM, Mike Gabriel wrote:
Hi Mike,
I gave some more thought to your remark that the position is the wrong one. And you were right. On a system where users work interactively at an attached screen and use X2Go for accessing the system remotely, the fix won't work at that position. There it should be just before the .Xauthority file is accessed. I will see on Tuesday whether I can find that position.
Sincerely
Frank
On 28.02.2014 13:20, Mike Gabriel wrote:
On 02/28/2014 05:15 AM, Frank Knoben wrote:
I would suggest using restorecon to set the label.
-- Orion Poplawski Technical Manager 303-415-9701 x222 NWRA, Boulder/CoRA Office FAX: 303-415-9702 3380 Mitchell Lane orion@nwra.com Boulder, CO 80301 http://www.nwra.com
When I put the lines in the x2gostartagent script after the
XAUTHORITY=${XAUTHORITY:-"$HOME/.Xauthority"}
line, the permissions will be fixed on login and not on logout. Unfortunately, restorecon sets the permissions to system_u:object_r:default_t:s0 and this does not work on my system. Instead of fixing the SELinux .Xauthority permissions, the file could also be deleted on login, if it existed. Something like:
if test -f "$HOME/.Xauthority"
then
    rm "$HOME/.Xauthority"
fi
But it could also be that my SELinux system is misconfigured in some strange way, so that other people who run the system don't have this problem.
Frank
On 03/01/2014 12:07 AM, Orion Poplawski wrote:
On 03/04/2014 04:02 AM, Frank Knoben wrote:
That's not right. What is your home directory? What does matchpathcon $HOME return?
-- Orion Poplawski Technical Manager 303-415-9701 x222 NWRA, Boulder/CoRA Office FAX: 303-415-9702 3380 Mitchell Lane orion@nwra.com Boulder, CO 80301 http://www.nwra.com
On 03/04/2014 05:36 PM, Orion Poplawski wrote:
matchpathcon $HOME returns system_u:object_r:default_t:s0
I switched the default home location from /home/user to /data/user and changed the permissions of /data/user with chcon -R unconfined_u:object_r:user_home_dir_t:s0 /data/user
On 03/04/2014 11:59 PM, Frank Knoben wrote:
Home directories are very special in SELinux - a whole policy tree is built based on the base home directory. Usually this is determined automatically from entries in /etc/password, but I suspect you are using LDAP or similar so that SELinux does not know you use /data/user for home directories. To inform it, you should do:
semanage fcontext -a -e /home /data/user
This is from /etc/selinux/semanage.conf.
-- Orion Poplawski Technical Manager 303-415-9701 x222 NWRA/CoRA Division FAX: 303-415-9702 3380 Mitchell Lane orion@cora.nwra.com Boulder, CO 80301 http://www.cora.nwra.com
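One way to write the "if SELinux is in use" guard requested earlier in the thread, combined with the restorecon relabel and the default_t diagnosis discussed above. This is an added example, not x2goserver code: the function names are hypothetical, and it assumes GNU stat plus the selinuxenabled, matchpathcon and restorecon tools.

```shell
#!/bin/sh
# Added example (not x2goserver code); function names are hypothetical.

# Print the type (third colon-separated field) of an SELinux context.
# Only field 3 is taken because the level may contain colons (s0:c0.c1023).
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Succeed when the current context type differs from the expected one.
label_mismatch() {    # $1 = current context, $2 = expected context
    [ "$(selinux_type "$1")" != "$(selinux_type "$2")" ]
}

# The "if clause": true only when the tools exist and SELinux is enabled.
selinux_in_use() {
    command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled
}

# Relabel the Xauthority file when its type has drifted from policy.
# Returns 0 if nothing was needed or the relabel worked, 2 if the policy
# itself maps the path to default_t (home root unknown to SELinux).
fix_xauthority_label() {
    xauth_file=${1:-${XAUTHORITY:-$HOME/.Xauthority}}
    selinux_in_use || return 0
    [ -e "$xauth_file" ] || return 0
    current=$(stat -c %C "$xauth_file") || return 1
    expected=$(matchpathcon -n "$xauth_file") || return 1
    if [ "$(selinux_type "$expected")" = default_t ]; then
        echo "policy has no home rules for $xauth_file; map the home" \
             "root first, e.g. semanage fcontext -a -e /home /data/user" >&2
        return 2
    fi
    if label_mismatch "$current" "$expected"; then
        restorecon "$xauth_file"
    fi
}
```

On a host without SELinux the function returns immediately, so a session start script can call it unconditionally before xauth touches the file.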
Control: tag -1 not-a-bug
Hi Frank, hi Orion,
On Mi 05 Mär 2014 16:13:59 CET, Orion Poplawski wrote:
@Orion: thanks for giving support on this issue.
Do I understand it correctly, that the observed issues are not X2Go
related, but rather caused by a non-default setup?
On 03/05/2014 02:20 PM, Mike Gabriel wrote:
That's certainly my take.
-- Orion Poplawski Technical Manager 303-415-9701 x222 NWRA, Boulder/CoRA Office FAX: 303-415-9702 3380 Mitchell Lane orion@nwra.com Boulder, CO 80301 http://www.nwra.com
Hi Orion, hi Mike,
thank you very much for your support and your patience.
Sincerely
Frank
Control: close -1
Hi Frank,
On Do 06 Mär 2014 08:16:14 CET, Frank Knoben wrote:
You are welcome!