Mr Dash Four | 25 May 03:48

ImportError: No module named selinux

I am trying to compile and build version 3.10.0-86 of the selinux policy, but during compilation I get the following:

/usr/bin/semodule_expand tmp/test.lnk tmp/policy.bin
/usr/bin/sepolgen-ifgen -p tmp/policy.bin -i policy -o tmp/output
Traceback (most recent call last):
  File "/usr/bin/sepolgen-ifgen", line 34, in <module>
    import selinux
ImportError: No module named selinux
make: *** [validate] Error 1
error: Bad exit status from /var/tmp/rpm-tmp.bEqivE (%install)

RPM build errors:
    Bad exit status from /var/tmp/rpm-tmp.bEqivE (%install)

What could be the cause for this?
--
selinux mailing list
selinux <at> lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
Daniel J Walsh | 24 May 18:14

Re: Policy version mismatch


On 05/24/2012 11:05 AM, Moray Henderson wrote:
> I've got a policy module which works fine when I build and load it on
> CentOS 5.  When I build and try to load it on CentOS 6 it complains:
> 
> SELinux:  Could not downgrade policy file 
> /etc/selinux/targeted/policy/policy.24, searching for an older version. 
> SELinux:  Could not open policy file <= 
> /etc/selinux/targeted/policy/policy.24:  No such file or directory
> 
> There's nothing in the policy source specifying version so I would have 
> expected the module automatically to build for the correct policy version 
> when built on CentOS 6.  Any pointers where to look or what to do next?
> 
> 
> Moray. "To err is human; to purr, feline."

Read

http://danwalsh.livejournal.com/49762.html
Moray Henderson | 24 May 17:05

Policy version mismatch

I've got a policy module which works fine when I build and load it on CentOS
5.  When I build and try to load it on CentOS 6 it complains:

SELinux:  Could not downgrade policy file
/etc/selinux/targeted/policy/policy.24, searching for an older version.
SELinux:  Could not open policy file <=
/etc/selinux/targeted/policy/policy.24:  No such file or directory

There's nothing in the policy source specifying version so I would have
expected the module automatically to build for the correct policy version
when built on CentOS 6.  Any pointers where to look or what to do next?

Moray.
"To err is human; to purr, feline."

Chuck Anderson | 18 May 01:32

EL6: procmail vs. /home/*/bin/shellscript.sh

I'm using EL 6.2 with sendmail & procmail.  I'm having trouble with
calling custom scripts in my home directory from .procmailrc such as
this recipe:

######################################################
#
# BACKUP INCOMING MAIL
#
# Stores the last 16 messages in a backup folder.
# "Just in Case"
#
# Create a folder in your $MAILDIR called "backup"
# BEFORE you execute this procmail recipe.
#
:0 c
backup

:0 ic
| /home/cra/bin/procmail-prune-backup-msg

The script is labeled with home_bin_t:

-rwxr-xr-x. cra cra system_u:object_r:home_bin_t:s0  /home/cra/bin/procmail-prune-backup-msg

which is a Bourne Shell script similar to this:

#!/bin/sh
cd /home/cra/mail/backup
/bin/ls -t | /bin/grep ^msg\. | /bin/sed -e 1,256d | /usr/bin/xargs -n 256 /bin/rm -f


Jonathan Gazeley | 15 May 12:37

No audit lines produced

I'm trying to debug a Nagios plugin that isn't playing nicely with 
SELinux. It executes a system binary to get statistics about DHCP pool 
usage, and obviously SELinux stamps on that access and the plugin only 
returns partial data.

In Permissive mode the plugin works, in Enforcing it doesn't. But in 
neither mode are there any debug messages in audit.log.

[jg4461 <at> dhcp1 ~]$ sudo setenforce 0
[jg4461 <at> dhcp1 ~]$ /usr/lib64/nagios/plugins/check_nrpe -H localhost -c 
check_dhcpd_pools
OK - all pools less than 80% full | MAYHEM! rnw-652=45.491%;80;90, 
rnw-653=47.619%;80;90, rnw-654=51.570%;80;90, rnw-655=45.998%;80;90, 
rnw-656=49.949%;80;90, rnw-657=48.126%;80;90, rnw-658=45.390%;80;90, 
rnw-659=0.101%;80;90, rnw-ratelimited-660=0.811%;80;90, 
rnw-onlinepayment-661=0.507%;80;90, rnw-onlinepayment-662=0.304%;80;90, 
rnw-onlinepayment-663=0.405%;80;90, rnw-consoles-665=1.317%;80;90, 
rnw-message-666=0.101%;80;90, rnw-instructions-667=9.411%;80;90

[jg4461 <at> dhcp1 ~]$ sudo setenforce 1
[jg4461 <at> dhcp1 ~]$ /usr/lib64/nagios/plugins/check_nrpe -H localhost -c 
check_dhcpd_pools
OK - all pools less than 80% full |

Regardless of the SELinux mode, the same 3 log lines are printed in 
audit.log:

type=USER_CMD msg=audit(1337077807.188:273642): user pid=1593 uid=0 
auid=56933 ses=12137 subj=unconfined_u:system_r:nrpe_t:s0 msg='cwd="/" 
cmd="/usr/lib64/nagios/plugins/check_dhcpd_pools" terminal=? res=success'

Tim Sheppard | 9 May 16:17

Creating multiple constrained admin roles

Hi,

I was wondering if it is possible to create a number of admin roles, 
each with limited access to specified admin features, e.g. package 
management only, NIC / Firewall management only, policy management only 
etc and to effectively completely remove the root account as a system 
wide administrator using selinux?

I have seen mention of Kiosk Users and the SELinux play machine (sadly 
my corporate network does not allow global ssh access) so I believe this 
is entirely possible, but am not entirely sure of the best resources to 
delve into so any pointers would be very welcome.

Many Thanks,

Tim


Mark Dalton | 7 May 20:29

VirtualGL/TurboVNC and selinux

I was not able to get VirtualGL and selinux to work together.
It is something during boot time it seems.  I have tried generating
rules based on audit/audit.log.

The VirtualGL web http://www.virtualgl.org/Documentation/RHEL6
states they don't know how to make it work either.

I have tried in permissive mode after boot and that did not work either,
which is why I think it is something during boot time.  Like the device
setup. My guess is related to: /dev/dri as it sets up these and then
access to the /dev/nvidia0 and /dev/nvidiactl are restricted to vglusers
group (in my case it can be configured with/without group restriction).

From VirtualGL website they also have:

vglgenkey Issues

Currently, the only known way to make vglgenkey work (vglgenkey is used to grant 3D X Server access to members of the vglusers group) is to disable SELinux. With SELinux enabled, the /usr/bin/xauth file is hidden within the context of the GDM startup scripts, so vglgenkey has no way of generating or importing an xauth key to /etc/opt/VirtualGL/vgl_xauth_key (and, for that matter, access is denied to /etc/opt/VirtualGL as well.)

Perhaps someone with a greater knowledge of SELinux can explain how to disable enforcement only for GDM and not the whole system.

I had reinstalled that previous machine and don't
have the other rules I applied.

I repeated this on another machine, and did not run any audit2allow.

Also there are 2 problems:
    1. Boot time problem with the VirtualGL which seems to generate an
        avc message.  (Fails if the machine is not booted in permissive or
        disabled mode)
    2. A problem with xauth when setenforce is enforcing.
           (This works if setenforce is permissive or disabled regardless
             of the boot time settings).

The machine policy is set to targeted.

Attached is the longer data with strace.   The xauth does not seem
to generate any audit.log messages even with semodule -DB, but if
I turn selinux to permissive the xauth commands succeed.



To clarify:
    - It works if the system is booted with /etc/selinux/config
          SELINUX=permissive
        or
           SELINUX=disable
    - It fails if the system is booted with /etc/selinux/config
           SELINUX=enforcing
       * Even if after the boot 'setenforce 0' is run
          - My

I do get avc message, note this is running in permissive mode.
[root <at> amelie mdalton]# grep -i avc /var/log/audit/audit.log
type=USER_AVC msg=audit(1331199802.711:70545): user pid=4970 uid=28 auid=0 ses=3756 subj=system_u:system_r:nscd_t:s0 msg='avc:  received policyload notice (seqno=4) : exe="?" sauid=28 hostname=? addr=? terminal=?'

[root <at> amelie mdalton]# ls -Z /dev/dri /dev/nvidia*
ls: cannot access /dev/dri: No such file or directory
crw-rw----. root vglusers system_u:object_r:device_t:s0    /dev/nvidia0
crw-rw----. root vglusers system_u:object_r:device_t:s0    /dev/nvidiactl

Mark


I did not see any messages in the /var/log/audit/audit.log when running xauth
even with semodule -DB.

[root <at> mymachine ~]# ls -Z /home/myuser/.Xauthority
-rw-------. myuser cses unconfined_u:object_r:xauth_home_t:s0 /home/myuser/.Xauthority

[root <at> mymachine ~]# semodule -DB
[root <at> mymachine ~]# strace xauth -f /etc/opt/VirtualGL/vgl_xauth_key generate :0.0 . trusted timeout 0
execve("/usr/bin/xauth", ["xauth", "-f", "/etc/opt/VirtualGL/vgl_xauth_key", "generate",
":0.0", ".", "trusted", "timeout", "0"], [/* 33 vars */]) = 0
brk(0)                                  = 0x1a40000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f696bd82000
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY)      = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=161072, ...}) = 0
mmap(NULL, 161072, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f696bd5a000
close(3)                                = 0
open("/usr/lib64/libXau.so.6", O_RDONLY) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\320\r`\3747\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=13168, ...}) = 0
mmap(0x37fc600000, 2106112, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x37fc600000
mprotect(0x37fc602000, 2097152, PROT_NONE) = 0
mmap(0x37fc802000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2000) = 0x37fc802000
close(3)                                = 0
open("/usr/lib64/libXext.so.6", O_RDONLY) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\2005\240\3747\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=76848, ...}) = 0
mmap(0x37fca00000, 2170120, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x37fca00000
mprotect(0x37fca11000, 2097152, PROT_NONE) = 0
mmap(0x37fcc11000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x11000)
= 0x37fcc11000
close(3)                                = 0
open("/usr/lib64/libXmuu.so.1", O_RDONLY) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\360\22 \3727\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=16400, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f696bd59000
mmap(0x37fa200000, 2109200, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x37fa200000
mprotect(0x37fa203000, 2093056, PROT_NONE) = 0
mmap(0x37fa402000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2000) = 0x37fa402000
close(3)                                = 0
open("/usr/lib64/libX11.so.6", O_RDONLY) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\200\335\341\3737\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=1308600, ...}) = 0
mmap(0x37fbe00000, 3403160, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x37fbe00000
mprotect(0x37fbf39000, 2097152, PROT_NONE) = 0
mmap(0x37fc139000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3,
0x139000) = 0x37fc139000
close(3)                                = 0
open("/lib64/libc.so.6", O_RDONLY)      = 3
read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\360\355a\3717\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=1908792, ...}) = 0
mmap(0x37f9600000, 3733672, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x37f9600000
mprotect(0x37f9786000, 2097152, PROT_NONE) = 0
mmap(0x37f9986000, 20480, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3,
0x186000) = 0x37f9986000
mmap(0x37f998b000, 18600, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x37f998b000
close(3)                                = 0
open("/usr/lib64/libxcb.so.1", O_RDONLY) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0P\206 \3747\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=112760, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f696bd58000
mmap(0x37fc200000, 2205608, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x37fc200000
mprotect(0x37fc21b000, 2093056, PROT_NONE) = 0
mmap(0x37fc41a000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1a000)
= 0x37fc41a000
close(3)                                = 0
open("/lib64/libdl.so.2", O_RDONLY)     = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\340\r\340\3717\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=22536, ...}) = 0
mmap(0x37f9e00000, 2109696, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x37f9e00000
mprotect(0x37f9e02000, 2097152, PROT_NONE) = 0
mmap(0x37fa002000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2000) = 0x37fa002000
close(3)                                = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f696bd57000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f696bd56000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f696bd55000
arch_prctl(ARCH_SET_FS, 0x7f696bd56700) = 0
mprotect(0x37f9986000, 16384, PROT_READ) = 0
mprotect(0x37fa002000, 4096, PROT_READ) = 0
mprotect(0x37f941f000, 4096, PROT_READ) = 0
munmap(0x7f696bd5a000, 161072)          = 0
rt_sigaction(SIGINT, {0x403f40, [INT], SA_RESTORER|SA_RESTART, 0x37f9632900}, {SIG_DFL, [], 0}, 8)
= 0
rt_sigaction(SIGTERM, {0x403f40, [TERM], SA_RESTORER|SA_RESTART, 0x37f9632900}, {SIG_DFL, [], 0},
8) = 0
rt_sigaction(SIGHUP, {0x403f40, [HUP], SA_RESTORER|SA_RESTART, 0x37f9632900}, {SIG_DFL, [], 0}, 8)
= 0
rt_sigaction(SIGPIPE, {0x403f40, [PIPE], SA_RESTORER|SA_RESTART, 0x37f9632900}, {SIG_DFL, [], 0},
8) = 0
stat("/etc/opt/VirtualGL/vgl_xauth_key-c", {st_mode=S_IFREG|0644, st_size=0, ...}) = 0
open("/etc/opt/VirtualGL/vgl_xauth_key-c", O_WRONLY|O_CREAT|O_EXCL, 0600) = -1 EEXIST (File exists)
write(2, "xauth:  error in locking authori"..., 73xauth:  error in locking authority file /etc/opt/VirtualGL/vgl_xauth_key
) = 73
exit_group(1)                           = ?
[root <at> mymachine ~]# rm /etc/opt/VirtualGL/vgl_xauth_key-c
rm: remove regular empty file `/etc/opt/VirtualGL/vgl_xauth_key-c'? y
[root <at> mymachine ~]# strace xauth -vvv -f /etc/opt/VirtualGL/vgl_xauth_key generate :0.0 . trusted
timeout 0
execve("/usr/bin/xauth", ["xauth", "-vvv", "-f", "/etc/opt/VirtualGL/vgl_xauth_key",
"generate", ":0.0", ".", "trusted", "timeout", "0"], [/* 33 vars */]) = 0
brk(0)                                  = 0x12cc000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f80b13dc000
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY)      = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=161072, ...}) = 0
mmap(NULL, 161072, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f80b13b4000
close(3)                                = 0
open("/usr/lib64/libXau.so.6", O_RDONLY) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\320\r`\3747\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=13168, ...}) = 0
mmap(0x37fc600000, 2106112, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x37fc600000
mprotect(0x37fc602000, 2097152, PROT_NONE) = 0
mmap(0x37fc802000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2000) = 0x37fc802000
close(3)                                = 0
open("/usr/lib64/libXext.so.6", O_RDONLY) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\2005\240\3747\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=76848, ...}) = 0
mmap(0x37fca00000, 2170120, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x37fca00000
mprotect(0x37fca11000, 2097152, PROT_NONE) = 0
mmap(0x37fcc11000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x11000)
= 0x37fcc11000
close(3)                                = 0
open("/usr/lib64/libXmuu.so.1", O_RDONLY) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\360\22 \3727\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=16400, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f80b13b3000
mmap(0x37fa200000, 2109200, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x37fa200000
mprotect(0x37fa203000, 2093056, PROT_NONE) = 0
mmap(0x37fa402000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2000) = 0x37fa402000
close(3)                                = 0
open("/usr/lib64/libX11.so.6", O_RDONLY) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\200\335\341\3737\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=1308600, ...}) = 0
mmap(0x37fbe00000, 3403160, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x37fbe00000
mprotect(0x37fbf39000, 2097152, PROT_NONE) = 0
mmap(0x37fc139000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3,
0x139000) = 0x37fc139000
close(3)                                = 0
open("/lib64/libc.so.6", O_RDONLY)      = 3
read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\360\355a\3717\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=1908792, ...}) = 0
mmap(0x37f9600000, 3733672, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x37f9600000
mprotect(0x37f9786000, 2097152, PROT_NONE) = 0
mmap(0x37f9986000, 20480, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3,
0x186000) = 0x37f9986000
mmap(0x37f998b000, 18600, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x37f998b000
close(3)                                = 0
open("/usr/lib64/libxcb.so.1", O_RDONLY) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0P\206 \3747\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=112760, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f80b13b2000
mmap(0x37fc200000, 2205608, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x37fc200000
mprotect(0x37fc21b000, 2093056, PROT_NONE) = 0
mmap(0x37fc41a000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1a000)
= 0x37fc41a000
close(3)                                = 0
open("/lib64/libdl.so.2", O_RDONLY)     = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\340\r\340\3717\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=22536, ...}) = 0
mmap(0x37f9e00000, 2109696, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x37f9e00000
mprotect(0x37f9e02000, 2097152, PROT_NONE) = 0
mmap(0x37fa002000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2000) = 0x37fa002000
close(3)                                = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f80b13b1000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f80b13b0000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f80b13af000
arch_prctl(ARCH_SET_FS, 0x7f80b13b0700) = 0
mprotect(0x37f9986000, 16384, PROT_READ) = 0
mprotect(0x37fa002000, 4096, PROT_READ) = 0
mprotect(0x37f941f000, 4096, PROT_READ) = 0
munmap(0x7f80b13b4000, 161072)          = 0
rt_sigaction(SIGINT, {0x403f40, [INT], SA_RESTORER|SA_RESTART, 0x37f9632900}, {SIG_DFL, [], 0}, 8)
= 0
rt_sigaction(SIGTERM, {0x403f40, [TERM], SA_RESTORER|SA_RESTART, 0x37f9632900}, {SIG_DFL, [], 0},
8) = 0
rt_sigaction(SIGHUP, {0x403f40, [HUP], SA_RESTORER|SA_RESTART, 0x37f9632900}, {SIG_DFL, [], 0}, 8)
= 0
rt_sigaction(SIGPIPE, {0x403f40, [PIPE], SA_RESTORER|SA_RESTART, 0x37f9632900}, {SIG_DFL, [], 0},
8) = 0
stat("/etc/opt/VirtualGL/vgl_xauth_key-c", 0x7fff3f1050a0) = -1 ENOENT (No such file or directory)
open("/etc/opt/VirtualGL/vgl_xauth_key-c", O_WRONLY|O_CREAT|O_EXCL, 0600) = -1 EACCES
(Permission denied)
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
rt_sigaction(SIGCHLD, NULL, {SIG_DFL, [], 0}, 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
nanosleep({2, 0}, 0x7fff3f105060)       = 0
open("/etc/opt/VirtualGL/vgl_xauth_key-c", O_WRONLY|O_CREAT|O_EXCL, 0600) = -1 EACCES
(Permission denied)
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
rt_sigaction(SIGCHLD, NULL, {SIG_DFL, [], 0}, 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
nanosleep({2, 0}, 0x7fff3f105060)       = 0
open("/etc/opt/VirtualGL/vgl_xauth_key-c", O_WRONLY|O_CREAT|O_EXCL, 0600) = -1 EACCES
(Permission denied)
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
rt_sigaction(SIGCHLD, NULL, {SIG_DFL, [], 0}, 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
nanosleep({2, 0}, 0x7fff3f105060)       = 0
open("/etc/opt/VirtualGL/vgl_xauth_key-c", O_WRONLY|O_CREAT|O_EXCL, 0600) = -1 EACCES
(Permission denied)
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
rt_sigaction(SIGCHLD, NULL, {SIG_DFL, [], 0}, 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
nanosleep({2, 0}, 0x7fff3f105060)       = 0
open("/etc/opt/VirtualGL/vgl_xauth_key-c", O_WRONLY|O_CREAT|O_EXCL, 0600) = -1 EACCES
(Permission denied)
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
rt_sigaction(SIGCHLD, NULL, {SIG_DFL, [], 0}, 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
nanosleep({2, 0}, 0x7fff3f105060)       = 0
open("/etc/opt/VirtualGL/vgl_xauth_key-c", O_WRONLY|O_CREAT|O_EXCL, 0600) = -1 EACCES
(Permission denied)
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
rt_sigaction(SIGCHLD, NULL, {SIG_DFL, [], 0}, 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
nanosleep({2, 0}, 0x7fff3f105060)       = 0
open("/etc/opt/VirtualGL/vgl_xauth_key-c", O_WRONLY|O_CREAT|O_EXCL, 0600) = -1 EACCES
(Permission denied)
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
rt_sigaction(SIGCHLD, NULL, {SIG_DFL, [], 0}, 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
nanosleep({2, 0}, 0x7fff3f105060)       = 0
open("/etc/opt/VirtualGL/vgl_xauth_key-c", O_WRONLY|O_CREAT|O_EXCL, 0600) = -1 EACCES
(Permission denied)
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
rt_sigaction(SIGCHLD, NULL, {SIG_DFL, [], 0}, 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
nanosleep({2, 0}, 0x7fff3f105060)       = 0
open("/etc/opt/VirtualGL/vgl_xauth_key-c", O_WRONLY|O_CREAT|O_EXCL, 0600) = -1 EACCES
(Permission denied)
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
rt_sigaction(SIGCHLD, NULL, {SIG_DFL, [], 0}, 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
nanosleep({2, 0}, 0x7fff3f105060)       = 0
open("/etc/opt/VirtualGL/vgl_xauth_key-c", O_WRONLY|O_CREAT|O_EXCL, 0600) = -1 EACCES
(Permission denied)
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
rt_sigaction(SIGCHLD, NULL, {SIG_DFL, [], 0}, 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
nanosleep({2, 0}, 0x7fff3f105060)       = 0
write(2, "xauth:  timeout in locking autho"..., 75xauth:  timeout in locking authority file /etc/opt/VirtualGL/vgl_xauth_key
) = 75
exit_group(1)                           = ?
[root <at> mymachine ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted
[root <at> mymachine ~]# setenforce permissive
[root <at> mymachine ~]# strace xauth -vvv -f /etc/opt/VirtualGL/vgl_xauth_key generate :0.0 . trusted
timeout 0
execve("/usr/bin/xauth", ["xauth", "-vvv", "-f", "/etc/opt/VirtualGL/vgl_xauth_key",
"generate", ":0.0", ".", "trusted", "timeout", "0"], [/* 33 vars */]) = 0
brk(0)                                  = 0x1fc1000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f9067658000
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY)      = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=161072, ...}) = 0
mmap(NULL, 161072, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f9067630000
close(3)                                = 0
open("/usr/lib64/libXau.so.6", O_RDONLY) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\320\r`\3747\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=13168, ...}) = 0
mmap(0x37fc600000, 2106112, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x37fc600000
mprotect(0x37fc602000, 2097152, PROT_NONE) = 0
mmap(0x37fc802000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2000) = 0x37fc802000
close(3)                                = 0
open("/usr/lib64/libXext.so.6", O_RDONLY) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\2005\240\3747\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=76848, ...}) = 0
mmap(0x37fca00000, 2170120, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x37fca00000
mprotect(0x37fca11000, 2097152, PROT_NONE) = 0
mmap(0x37fcc11000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x11000)
= 0x37fcc11000
close(3)                                = 0
open("/usr/lib64/libXmuu.so.1", O_RDONLY) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\360\22 \3727\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=16400, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f906762f000
mmap(0x37fa200000, 2109200, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x37fa200000
mprotect(0x37fa203000, 2093056, PROT_NONE) = 0
mmap(0x37fa402000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2000) = 0x37fa402000
close(3)                                = 0
open("/usr/lib64/libX11.so.6", O_RDONLY) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\200\335\341\3737\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=1308600, ...}) = 0
mmap(0x37fbe00000, 3403160, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x37fbe00000
mprotect(0x37fbf39000, 2097152, PROT_NONE) = 0
mmap(0x37fc139000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3,
0x139000) = 0x37fc139000
close(3)                                = 0
open("/lib64/libc.so.6", O_RDONLY)      = 3
read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\360\355a\3717\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=1908792, ...}) = 0
mmap(0x37f9600000, 3733672, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x37f9600000
mprotect(0x37f9786000, 2097152, PROT_NONE) = 0
mmap(0x37f9986000, 20480, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3,
0x186000) = 0x37f9986000
mmap(0x37f998b000, 18600, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x37f998b000
close(3)                                = 0
open("/usr/lib64/libxcb.so.1", O_RDONLY) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0P\206 \3747\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=112760, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f906762e000
mmap(0x37fc200000, 2205608, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x37fc200000
mprotect(0x37fc21b000, 2093056, PROT_NONE) = 0
mmap(0x37fc41a000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1a000)
= 0x37fc41a000
close(3)                                = 0
open("/lib64/libdl.so.2", O_RDONLY)     = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\340\r\340\3717\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=22536, ...}) = 0
mmap(0x37f9e00000, 2109696, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x37f9e00000
mprotect(0x37f9e02000, 2097152, PROT_NONE) = 0
mmap(0x37fa002000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2000) = 0x37fa002000
close(3)                                = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f906762d000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f906762c000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f906762b000
arch_prctl(ARCH_SET_FS, 0x7f906762c700) = 0
mprotect(0x37f9986000, 16384, PROT_READ) = 0
mprotect(0x37fa002000, 4096, PROT_READ) = 0
mprotect(0x37f941f000, 4096, PROT_READ) = 0
munmap(0x7f9067630000, 161072)          = 0
rt_sigaction(SIGINT, {0x403f40, [INT], SA_RESTORER|SA_RESTART, 0x37f9632900}, {SIG_DFL, [], 0}, 8)
= 0
rt_sigaction(SIGTERM, {0x403f40, [TERM], SA_RESTORER|SA_RESTART, 0x37f9632900}, {SIG_DFL, [], 0},
8) = 0
rt_sigaction(SIGHUP, {0x403f40, [HUP], SA_RESTORER|SA_RESTART, 0x37f9632900}, {SIG_DFL, [], 0}, 8)
= 0
rt_sigaction(SIGPIPE, {0x403f40, [PIPE], SA_RESTORER|SA_RESTART, 0x37f9632900}, {SIG_DFL, [], 0},
8) = 0
stat("/etc/opt/VirtualGL/vgl_xauth_key-c", 0x7fff037ae1e0) = -1 ENOENT (No such file or directory)
open("/etc/opt/VirtualGL/vgl_xauth_key-c", O_WRONLY|O_CREAT|O_EXCL, 0600) = 3
close(3)                                = 0
statfs("/etc/opt/VirtualGL/vgl_xauth_key-c", {f_type="EXT2_SUPER_MAGIC", f_bsize=4096,
f_blocks=37797427, f_bfree=22169622, f_bavail=20249622, f_files=9601024, f_ffree=9018205,
f_fsid={1618940619, -282490467}, f_namelen=255, f_frsize=4096}) = 0
link("/etc/opt/VirtualGL/vgl_xauth_key-c", "/etc/opt/VirtualGL/vgl_xauth_key-l") = 0
access("/etc/opt/VirtualGL/vgl_xauth_key", F_OK) = -1 ENOENT (No such file or directory)
umask(077)                              = 022
brk(0)                                  = 0x1fc1000
brk(0x1fe2000)                          = 0x1fe2000
open("/etc/opt/VirtualGL/vgl_xauth_key", O_RDONLY) = -1 ENOENT (No such file or directory)
access("/etc/opt/VirtualGL/vgl_xauth_key", F_OK) = -1 ENOENT (No such file or directory)
write(2, "xauth:  creating new authority f"..., 69xauth:  creating new authority file /etc/opt/VirtualGL/vgl_xauth_key
) = 69
fstat(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 3), ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f9067657000
write(1, "Using authority file /etc/opt/Vi"..., 54Using authority file /etc/opt/VirtualGL/vgl_xauth_key
) = 54
socket(PF_FILE, SOCK_STREAM, 0)         = 3
connect(3, {sa_family=AF_FILE, path=@"/tmp/.X11-unix/X0"}, 20) = 0
getpeername(3, {sa_family=AF_FILE, path=@"/tmp/.X11-unix/X0"}, [20]) = 0
uname({sys="Linux", node="mymachine.domain.org", ...}) = 0
access("/var/run/gdm/auth-for-myuser-8uJHLe/database", R_OK) = 0
open("/var/run/gdm/auth-for-myuser-8uJHLe/database", O_RDONLY) = 4
fstat(4, {st_mode=S_IFREG|0600, st_size=65, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f9067656000
read(4, "\1\0\0\24mymachine.domain.org\0\0010\0\22MIT"..., 4096) = 65
close(4)                                = 0
munmap(0x7f9067656000, 4096)            = 0
getsockname(3, {sa_family=AF_FILE, NULL}, [2]) = 0
fcntl(3, F_GETFL)                       = 0x2 (flags O_RDWR)
fcntl(3, F_SETFL, O_RDWR|O_NONBLOCK)    = 0
fcntl(3, F_SETFD, FD_CLOEXEC)           = 0
poll([{fd=3, events=POLLIN|POLLOUT}], 1, -1) = 1 ([{fd=3, revents=POLLOUT}])
writev(3, [{"l\0\v\0\0\0\22\0\20\0\0\0", 12}, {"", 0}, {"MIT-MAGIC-COOKIE-1", 18}, {"\0\0", 2},
{"\5\342\233\2637\16\266\371\366\21\307\210z<Bz", 16}, {"", 0}], 6) = 48
read(3, 0x1fc75b0, 8)                   = -1 EAGAIN (Resource temporarily unavailable)
poll([{fd=3, events=POLLIN}], 1, -1)    = 1 ([{fd=3, revents=POLLIN}])
read(3, "\1\0\v\0\0\0\2\3", 8)          = 8
read(3, "`\350\247\0\0\0@\3\377\377\37\0\0\1\0\0\r\0\377\377\1\7\0\0  \10\377\0\0\0\0"...,
3080) = 3080
poll([{fd=3, events=POLLIN|POLLOUT}], 1, -1) = 1 ([{fd=3, revents=POLLOUT}])
writev(3, [{"b\0\5\0\f\0\0\0BIG-REQUESTS", 20}], 1) = 20
poll([{fd=3, events=POLLIN}], 1, -1)    = 1 ([{fd=3, revents=POLLIN}])
read(3, "\1\0\1\0\0\0\0\0\1\222\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 4096) = 32
poll([{fd=3, events=POLLIN|POLLOUT}], 1, -1) = 1 ([{fd=3, revents=POLLOUT}])
writev(3, [{"\222\0\1\0", 4}], 1)       = 4
poll([{fd=3, events=POLLIN}], 1, -1)    = 1 ([{fd=3, revents=POLLIN}])
read(3, "\1\0\2\0\0\0\0\0\377\377?\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 4096) = 32
read(3, 0x1fc2414, 4096)                = -1 EAGAIN (Resource temporarily unavailable)
poll([{fd=3, events=POLLIN|POLLOUT}], 1, -1) = 1 ([{fd=3, revents=POLLOUT}])
writev(3,
[{"7\0\5\0\0\0@\3\255\1\0\0\10\0\0\0\377\377\377\0\24\0\6\0\255\1\0\0\27\0\0\0"..., 44},
{NULL, 0}, {"", 0}], 3) = 44
poll([{fd=3, events=POLLIN}], 1, -1)    = 1 ([{fd=3, revents=POLLIN}])
read(3, "\1\10\4\0(\0\0\0\37\0\0\0\0\0\0\0\237\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 4096) = 192
read(3, 0x1fc2414, 4096)                = -1 EAGAIN (Resource temporarily unavailable)
poll([{fd=3, events=POLLIN|POLLOUT}], 1, -1) = 1 ([{fd=3, revents=POLLOUT}])
writev(3, [{"b\0\5\0\t\0@\3", 8}, {"XKEYBOARD", 9}, {"\0\0\0", 3}], 3) = 20
poll([{fd=3, events=POLLIN}], 1, -1)    = 1 ([{fd=3, revents=POLLIN}])
read(3, "\1\0\5\0\0\0\0\0\1\224w\253\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 4096) = 32
read(3, 0x1fc2414, 4096)                = -1 EAGAIN (Resource temporarily unavailable)
poll([{fd=3, events=POLLIN|POLLOUT}], 1, -1) = 1 ([{fd=3, revents=POLLOUT}])
writev(3, [{"\224\0\2\0\1\0\0\0", 8}, {NULL, 0}, {"", 0}], 3) = 8
poll([{fd=3, events=POLLIN}], 1, -1)    = 1 ([{fd=3, revents=POLLIN}])
read(3, "\1\1\6\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 4096) = 32
read(3, 0x1fc2414, 4096)                = -1 EAGAIN (Resource temporarily unavailable)
poll([{fd=3, events=POLLIN|POLLOUT}], 1, -1) = 1 ([{fd=3, revents=POLLOUT}])
writev(3, [{"b\0\4\0\10\0\0\0", 8}, {"SECURITY", 8}, {"", 0}], 3) = 16
poll([{fd=3, events=POLLIN}], 1, -1)    = 1 ([{fd=3, revents=POLLIN}])
read(3, "\1\0\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 4096) = 32
read(3, 0x1fc2414, 4096)                = -1 EAGAIN (Resource temporarily unavailable)
write(2, "xauth: (argv):1:  ", 18xauth: (argv):1:  )      = 18
write(2, "couldn't query Security extensio"..., 52couldn't query Security extension on display ":0.0"
) = 52
unlink("/etc/opt/VirtualGL/vgl_xauth_key-c") = 0
unlink("/etc/opt/VirtualGL/vgl_xauth_key-l") = 0
umask(022)                              = 077
exit_group(1)                           = ?

[root@mymachine ~]# semodule -B

And normally this is what vglgenkey would do; it is a script that calls xauth. This is the
script with -x and strace of the second xauth.

[root@mymachine myuser]# vglgenkey
+ XAUTH=xauth
+ '[' -x /usr/X11R6/bin/xauth ']'
+ '[' -x /usr/openwin/bin/xauth ']'
+ '[' '!' -d /etc/opt/VirtualGL ']'
+ '[' -f /etc/opt/VirtualGL/vgl_xauth_key ']'
+ rm /etc/opt/VirtualGL/vgl_xauth_key
+ xauth -f /etc/opt/VirtualGL/vgl_xauth_key generate :0.0 . trusted timeout 0
xauth:  creating new authority file /etc/opt/VirtualGL/vgl_xauth_key
xauth: (argv):1:  couldn't query Security extension on display ":0.0"
++ xauth list
++ awk '{print $3}'
+ strace xauth -f /etc/opt/VirtualGL/vgl_xauth_key add :0.0 . 05e29bb3370eb6f9f611c7887a3c427a
execve("/usr/bin/xauth", ["xauth", "-f", "/etc/opt/VirtualGL/vgl_xauth_key", "add", ":0.0", ".",
"05e29bb3370eb6f9f611c7887a3c427a"], [/* 32 vars */]) = 0
brk(0)                                  = 0xbd5000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f30a4e21000
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY)      = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=161072, ...}) = 0
mmap(NULL, 161072, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f30a4df9000
close(3)                                = 0
open("/usr/lib64/libXau.so.6", O_RDONLY) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\320\r`\3747\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=13168, ...}) = 0
mmap(0x37fc600000, 2106112, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x37fc600000
mprotect(0x37fc602000, 2097152, PROT_NONE) = 0
mmap(0x37fc802000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2000) = 0x37fc802000
close(3)                                = 0
open("/usr/lib64/libXext.so.6", O_RDONLY) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\2005\240\3747\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=76848, ...}) = 0
mmap(0x37fca00000, 2170120, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x37fca00000
mprotect(0x37fca11000, 2097152, PROT_NONE) = 0
mmap(0x37fcc11000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x11000)
= 0x37fcc11000
close(3)                                = 0
open("/usr/lib64/libXmuu.so.1", O_RDONLY) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\360\22 \3727\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=16400, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f30a4df8000
mmap(0x37fa200000, 2109200, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x37fa200000
mprotect(0x37fa203000, 2093056, PROT_NONE) = 0
mmap(0x37fa402000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2000) = 0x37fa402000
close(3)                                = 0
open("/usr/lib64/libX11.so.6", O_RDONLY) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\200\335\341\3737\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=1308600, ...}) = 0
mmap(0x37fbe00000, 3403160, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x37fbe00000
mprotect(0x37fbf39000, 2097152, PROT_NONE) = 0
mmap(0x37fc139000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3,
0x139000) = 0x37fc139000
close(3)                                = 0
open("/lib64/libc.so.6", O_RDONLY)      = 3
read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\360\355a\3717\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=1908792, ...}) = 0
mmap(0x37f9600000, 3733672, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x37f9600000
mprotect(0x37f9786000, 2097152, PROT_NONE) = 0
mmap(0x37f9986000, 20480, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3,
0x186000) = 0x37f9986000
mmap(0x37f998b000, 18600, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x37f998b000
close(3)                                = 0
open("/usr/lib64/libxcb.so.1", O_RDONLY) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0P\206 \3747\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=112760, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f30a4df7000
mmap(0x37fc200000, 2205608, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x37fc200000
mprotect(0x37fc21b000, 2093056, PROT_NONE) = 0
mmap(0x37fc41a000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1a000)
= 0x37fc41a000
close(3)                                = 0
open("/lib64/libdl.so.2", O_RDONLY)     = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\340\r\340\3717\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=22536, ...}) = 0
mmap(0x37f9e00000, 2109696, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x37f9e00000
mprotect(0x37f9e02000, 2097152, PROT_NONE) = 0
mmap(0x37fa002000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2000) = 0x37fa002000
close(3)                                = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f30a4df6000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f30a4df5000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f30a4df4000
arch_prctl(ARCH_SET_FS, 0x7f30a4df5700) = 0
mprotect(0x37f9986000, 16384, PROT_READ) = 0
mprotect(0x37fa002000, 4096, PROT_READ) = 0
mprotect(0x37f941f000, 4096, PROT_READ) = 0
munmap(0x7f30a4df9000, 161072)          = 0
rt_sigaction(SIGINT, {0x403f40, [INT], SA_RESTORER|SA_RESTART, 0x37f9632900}, {SIG_DFL, [], 0}, 8)
= 0
rt_sigaction(SIGTERM, {0x403f40, [TERM], SA_RESTORER|SA_RESTART, 0x37f9632900}, {SIG_DFL, [], 0},
8) = 0
rt_sigaction(SIGHUP, {0x403f40, [HUP], SA_RESTORER|SA_RESTART, 0x37f9632900}, {SIG_DFL, [], 0}, 8)
= 0
rt_sigaction(SIGPIPE, {0x403f40, [PIPE], SA_RESTORER|SA_RESTART, 0x37f9632900}, {SIG_DFL, [], 0},
8) = 0
stat("/etc/opt/VirtualGL/vgl_xauth_key-c", 0x7fffc2278980) = -1 ENOENT (No such file or directory)
open("/etc/opt/VirtualGL/vgl_xauth_key-c", O_WRONLY|O_CREAT|O_EXCL, 0600) = 3
close(3)                                = 0
statfs("/etc/opt/VirtualGL/vgl_xauth_key-c", {f_type="EXT2_SUPER_MAGIC", f_bsize=4096,
f_blocks=37797427, f_bfree=22169618, f_bavail=20249618, f_files=9601024, f_ffree=9018201,
f_fsid={1618940619, -282490467}, f_namelen=255, f_frsize=4096}) = 0
link("/etc/opt/VirtualGL/vgl_xauth_key-c", "/etc/opt/VirtualGL/vgl_xauth_key-l") = 0
access("/etc/opt/VirtualGL/vgl_xauth_key", F_OK) = -1 ENOENT (No such file or directory)
umask(077)                              = 022
brk(0)                                  = 0xbd5000
brk(0xbf6000)                           = 0xbf6000
open("/etc/opt/VirtualGL/vgl_xauth_key", O_RDONLY) = -1 ENOENT (No such file or directory)
access("/etc/opt/VirtualGL/vgl_xauth_key", F_OK) = -1 ENOENT (No such file or directory)
write(2, "xauth:  creating new authority f"..., 69xauth:  creating new authority file /etc/opt/VirtualGL/vgl_xauth_key
) = 69
uname({sys="Linux", node="mymachine.domain.org", ...}) = 0
unlink("/etc/opt/VirtualGL/vgl_xauth_key-n") = -1 ENOENT (No such file or directory)
open("/etc/opt/VirtualGL/vgl_xauth_key-n", O_WRONLY|O_CREAT|O_EXCL, 0600) = 3
fcntl(3, F_GETFL)                       = 0x8001 (flags O_WRONLY|O_LARGEFILE)
fstat(3, {st_mode=S_IFREG|0600, st_size=0, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f30a4e20000
lseek(3, 0, SEEK_CUR)                   = 0
write(3, "\1\0\0\24mymachine.domain.org\0\0010\0\22MIT"..., 65) = 65
close(3)                                = 0
munmap(0x7f30a4e20000, 4096)            = 0
unlink("/etc/opt/VirtualGL/vgl_xauth_key") = -1 ENOENT (No such file or directory)
link("/etc/opt/VirtualGL/vgl_xauth_key-n", "/etc/opt/VirtualGL/vgl_xauth_key") = 0
unlink("/etc/opt/VirtualGL/vgl_xauth_key-n") = 0
unlink("/etc/opt/VirtualGL/vgl_xauth_key-c") = 0
unlink("/etc/opt/VirtualGL/vgl_xauth_key-l") = 0
umask(022)                              = 077
exit_group(0)                           = ?
+ chmod 644 /etc/opt/VirtualGL/vgl_xauth_key

[root@mymachine myuser]#  ls -Z /etc/opt/VirtualGL/vgl_xauth_key
-rw-r--r--. root root unconfined_u:object_r:etc_t:s0   /etc/opt/VirtualGL/vgl_xauth_key

casinee app | 3 May 11:03

Can't log in to the embedded linux with selinux support

Hello,
I built a Linux system with SELinux support for my embedded device. It
can now log in as the root user automatically when it is powered on.
Then I copied the files (shadow, group and passwd) from my PC Linux system
to the embedded system, and added the login to it. But after I input the
username and password, it outputs this:

login:root
password:
login:Can’t get SID for root

The output comes from the file login.c in busybox. How can I solve
this problem?
Does this problem come from an error in my policy, or from the lib
related to selinux?
David Highley | 2 May 06:26

MySQL and ldconfig avcs

Getting two avc's that trouble shooter indicates there is policy to
allow the operations.

I believe the sebool "mysql_connect_any" may correct the following avc:
time->Tue May  1 18:17:25 2012
type=SYSCALL msg=audit(1335921445.082:4514): arch=c000003e syscall=21
success=no exit=-13 a0=7f406ac5d9f0 a1=4 a2=7f406ac5d9fe a3=1c items=0
ppid=1 pid=24416 auid=4294967295 uid=27 gid=27 euid=27 suid=27 fsuid=27
egid=27 sgid=27 fsgid=27 tty=(none) ses=4294967295 comm="mysqld"
exe="/usr/libexec/mysqld" subj=system_u:system_r:mysqld_t:s0 key=(null)
type=AVC msg=audit(1335921445.082:4514): avc:  denied  { read } for
pid=24416 comm="mysqld" name="unix" dev="proc" ino=4026532000
scontext=system_u:system_r:mysqld_t:s0
tcontext=system_u:object_r:proc_net_t:s0 tclass=file

But I have no clue which bool would correct the following:
time->Tue May  1 19:01:13 2012
type=SYSCALL msg=audit(1335924073.146:4554): arch=c000003e syscall=59
success=yes exit=0 a0=f293b0 a1=f294b0 a2=f283b0 a3=18 items=0
ppid=25927 pid=25928 auid=4294967295 uid=989 gid=983 euid=989 suid=989
fsuid=989 egid=983 sgid=983 fsgid=983 tty=(none) ses=4294967295
comm="ldconfig" exe="/sbin/ldconfig"
subj=system_u:system_r:ldconfig_t:s0 key=(null)
type=AVC msg=audit(1335924073.146:4554): avc:  denied  { write } for
pid=25928 comm="ldconfig"
path=2F746D702F666669536752617269202864656C6574656429 dev="dm-1"
ino=1836898 scontext=system_u:system_r:ldconfig_t:s0
tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file

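A parser for the two AVC records in the message above, added here as an example and not part of the original post: it rejoins the mail-wrapped lines, splits out the key=value fields, and decodes the hex-encoded `path` field that the kernel emits when an untrusted string contains a space or other unsafe character. The function names are this example's own.

```python
import re

# The two AVC records from the message above, kept as wrapped by the mail client.
SAMPLE = '''\
type=AVC msg=audit(1335921445.082:4514): avc:  denied  { read } for
pid=24416 comm="mysqld" name="unix" dev="proc" ino=4026532000
scontext=system_u:system_r:mysqld_t:s0
tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=AVC msg=audit(1335924073.146:4554): avc:  denied  { write } for
pid=25928 comm="ldconfig"
path=2F746D702F666669536752617269202864656C6574656429 dev="dm-1"
ino=1836898 scontext=system_u:system_r:ldconfig_t:s0
tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
'''

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Fields logged as untrusted strings: quoted when safe, bare hex when not.
UNTRUSTED = {"path", "name", "comm", "exe"}

def unwrap(text):
    """Rejoin records that were wrapped across several lines."""
    records = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.startswith("type=") or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def decode(key, raw):
    """Strip quotes, or hex-decode an unquoted untrusted-string field."""
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1]
    if key in UNTRUSTED and len(raw) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", raw):
        return bytes.fromhex(raw).decode("utf-8", errors="backslashreplace")
    return raw

def parse_avc(text):
    """Return one dict per AVC denial found in text."""
    out = []
    for rec in unwrap(text):
        m = AVC_RE.search(rec)
        if m:
            fields = {k: decode(k, v) for k, v in KV_RE.findall(m.group(2))}
            out.append({"perms": m.group(1).split(), "fields": fields})
    return out

def summarize(rec):
    """Reduce a denial to 'source type -> target type:class { perms }'."""
    f = rec["fields"]
    src, tgt = (f[k].split(":")[2] for k in ("scontext", "tcontext"))
    perms = " ".join(rec["perms"])
    return f"{src} -> {tgt}:{f['tclass']} {{ {perms} }}"

if __name__ == "__main__":
    for r in parse_avc(SAMPLE):
        print(summarize(r), r["fields"].get("path") or r["fields"].get("name"))
```

Run on the sample, the second denial's path decodes to `/tmp/ffiSgRari (deleted)`, a temporary file that had already been unlinked.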
Frank Murphy | 29 Apr 10:38

Bootup avc, "systemd-tmpfile" important?

Box was set to "fixfiles onboot"

Saw this avc:
*** Warning -- SELinux targeted policy relabel is required.
*** Relabeling could take a very long time, depending on file
*** system size and speed of hard drives.
[    8.566136] type=1400 audit(1335687882.859:7): avc:  denied  {
relabelfrom } for  pid=489 comm="systemd-tmpfile" name="lp2"
dev="devtmpfs" ino=11419
scontext=system_u:system_r:systemd_tmpfiles_t:s0
tcontext=system_u:object_r:printer_device_t:s0 tclass=chr_file
[    8.588374] type=1400 audit(1335687882.881:8): avc:  denied  {
relabelto } for  pid=489 comm="systemd-tmpfile" name="lp2"
dev="devtmpfs" ino=11419
scontext=system_u:system_r:systemd_tmpfiles_t:s0
tcontext=system_u:object_r:printer_device_t:s0 tclass=chr_file

selinux-policy-targeted-3.10.0-118.fc17.noarch

--

-- 
Regards,

Frank Murphy
UTF_8 Encoded
Friend of fedoraproject.org
Antonio Olivares | 28 Apr 22:02

several denials that don't get noticed by setroubleshoot alerts

Dear folks,

I have some denials that don't appear in the sealert tool:

[   26.964346] SELinux: initialized (dev sda5, type ext4), uses xattr
[   37.206747] EXT4-fs (dm-2): mounted filesystem with ordered data mode. Opts: (null)
[   37.211983] SELinux: initialized (dev dm-2, type ext4), uses xattr
[   37.608076] type=1400 audit(1335642984.005:4): avc:  denied  { relabelfrom } for  pid=607
comm="systemd-tmpfile" name="lp0" dev="devtmpfs" ino=12221
scontext=system_u:system_r:systemd_tmpfiles_t:s0
tcontext=system_u:object_r:printer_device_t:s0 tclass=chr_file
[   37.620822] type=1400 audit(1335642984.017:5): avc:  denied  { relabelfrom } for  pid=607
comm="systemd-tmpfile" name="lp1" dev="devtmpfs" ino=12223
scontext=system_u:system_r:systemd_tmpfiles_t:s0
tcontext=system_u:object_r:printer_device_t:s0 tclass=chr_file
[   37.635066] type=1400 audit(1335642984.031:6): avc:  denied  { relabelfrom } for  pid=607
comm="systemd-tmpfile" name="lp2" dev="devtmpfs" ino=12224
scontext=system_u:system_r:systemd_tmpfiles_t:s0
tcontext=system_u:object_r:printer_device_t:s0 tclass=chr_file
[   37.650084] type=1400 audit(1335642984.046:7): avc:  denied  { relabelfrom } for  pid=607
comm="systemd-tmpfile" name="lp3" dev="devtmpfs" ino=12225
scontext=system_u:system_r:systemd_tmpfiles_t:s0
tcontext=system_u:object_r:printer_device_t:s0 tclass=chr_file

Also I have a gut feeling that this in some way is contributing to the system not shutting down and hanging,
having oneself to resort to "pressing and holding power button to make sure system is shutdown".

How do I take care of these?

Thanks and sorry for the noise.

Regards,

Antonio