NoMachine NX, Fedora 9 and SELinux

I upgraded from Fedora 7 to Fedora 9 using preupgrade, and then I couldn’t connect to the NoMachine NX Server. It’s due to SELinux, again (I wrote about this earlier). The approach to solving it is still the same, although the policy is different.

Here’s what my audit.log messages looked like:

May 30 07:48:03 localhost kernel: type=1400 audit(1212155283.470:7): avc:  denied  { getattr } for  pid=876 \
comm="sshd" path="/usr/NX/home/nx/.ssh/authorized_keys2" dev=sda2 ino=70976 \
scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file
May 30 08:22:35 localhost kernel: type=1400 audit(1212157355.873:9): avc:  denied  { read } for  pid=872 \
comm="sshd" name="authorized_keys2" dev=sda2 ino=70976 \
scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file

Here’s how I created and inserted the policy:

cd /etc/selinux
cat /var/log/audit/audit.log | audit2allow -M nx
semodule -i nx.pp

And here’s the nx.te file:

module nx 1.0;
require {
    type sshd_t; 
    type usr_t; 
    class file { read getattr }; 
} 
#============= sshd_t ==============
allow sshd_t usr_t:file { read getattr };
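
To show how the two denials above map onto that allow rule, here is an added example (not part of the original post and not audit2allow's own code) that parses the AVC lines and merges their permissions per source type, target type and class. The GENERIC_TYPES list and all function names are assumptions made for this illustration; permission order inside the braces is not significant.

```python
import re
from collections import defaultdict

# The two denials from the post, with the backslash-wrapped lines rejoined.
SAMPLE_LOG = """\
May 30 07:48:03 localhost kernel: type=1400 audit(1212155283.470:7): avc:  denied  { getattr } for  pid=876 comm="sshd" path="/usr/NX/home/nx/.ssh/authorized_keys2" dev=sda2 ino=70976 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file
May 30 08:22:35 localhost kernel: type=1400 audit(1212157355.873:9): avc:  denied  { read } for  pid=872 comm="sshd" name="authorized_keys2" dev=sda2 ino=70976 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file
"""

# Matches the permission set and the three fields a rule is built from.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Assumption for this example: types treated as "generic" labels that cover
# many unrelated files (usr_t is the default label under /usr).
GENERIC_TYPES = {"usr_t", "etc_t", "var_t", "tmp_t"}


def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    return context.split(":")[2]


def parse_denials(log_text):
    """Merge denied permissions per (source type, target type, class)."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            key = (selinux_type(m["scon"]), selinux_type(m["tcon"]), m["tclass"])
            rules[key].update(m["perms"].split())
    return dict(rules)


def allow_rules(rules):
    """Render one allow statement per key, permissions sorted."""
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in sorted(rules.items())
    ]


def generic_targets(rules):
    """Rules whose target is a generic label, worth reviewing before loading."""
    return sorted(key for key in rules if key[1] in GENERIC_TYPES)


if __name__ == "__main__":
    parsed = parse_denials(SAMPLE_LOG)
    print("\n".join(allow_rules(parsed)))
    print("review:", generic_targets(parsed))
```

The rule is flagged for review because it lets sshd_t read every file labeled usr_t, not only authorized_keys2.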
