I upgraded from Fedora 7 to Fedora 9 using [preupgrade](http://fedoraproject.org/wiki/PreUpgrade), and then I couldn’t connect to the [NoMachine NX Server](http://www.nomachine.com/). It’s due to SELinux, again (I [wrote about this earlier](http://jaredrobinson.com/blog/?p=89)). The approach to solving it is still the same, although the policy is different.
Here’s what my audit.log messages looked like:
```
May 30 07:48:03 localhost kernel: type=1400 audit(1212155283.470:7): avc: denied { getattr } for pid=876 \
comm="sshd" path="/usr/NX/home/nx/.ssh/authorized_keys2" dev=sda2 ino=70976 \
scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file
May 30 08:22:35 localhost kernel: type=1400 audit(1212157355.873:9): avc: denied { read } for pid=872 \
comm="sshd" name="authorized_keys2" dev=sda2 ino=70976 \
scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file
```
Here’s how I created and inserted the policy:
```
cd /etc/selinux
cat /var/log/audit/audit.log | audit2allow -M nx
semodule -i nx.pp
```
And here’s the nx.te file:
```
module nx 1.0;

require {
	type sshd_t;
	type usr_t;
	class file { read getattr };
}

#============= sshd_t ==============
allow sshd_t usr_t:file { read getattr };
```