OraManageability

~ Advanced Oracle Systems Management

SELinux blocked my .Xauthority

14 Tuesday Jun 2016

Posted by raysmithace in Uncategorized

Tags

.ssh/config, .Xauthority, /usr/sbin/getenforce, /usr/sbin/setenforce, port forwarding, SElinux

I was attempting to install an OEM management server on a new host in the lab using runInstaller.  Of course the installer is an X-windows app, so I needed to configure port forwarding to get the display back to my MacBook.

I added the new host and its bastion to my ~/.ssh/config file to set up port forwarding:

# Bastion host: connect directly
Host 10.123.45.678
    ConnectTimeout 60
    StrictHostKeyChecking ask
    ProxyCommand none
    UserKnownHostsFile ~/.ssh/known_Hosts
    User oracle

# New lab host: tunnel through the bastion and forward X11
Host newlaboms.raysdemo.com
    ProxyCommand ssh -W %h:%p 10.123.45.678
    StrictHostKeyChecking no
    UserKnownHostsFile ~/.ssh/known_Hosts
    VisualHostKey no
    ForwardX11 yes
    ForwardAgent yes
    User oracle

Pretty straightforward, and it’s worked plenty of times before, so I expected no problems.

Frustration

When I ssh’d to newlaboms I was hit with an xauth error:

xauth:  timeout in locking authority file /home/oracle/.Xauthority

The quick checks include confirming proper ownership of my home directory (no problem), that I could write a new file there (touch temp.file: ok), and that the home directory’s file system had adequate space (no problem).

My ‘id’ line looked wrong:

uid=54321(oracle) gid=54321(oinstall) groups=54321(oinstall),54322(dba) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

All that “context=” stuff was added by SELinux.  This is a new host, and SELinux is enabled by default and is disabled by my S/As as part of the build process.  They’d missed it this time – and this is how you check:

> /usr/sbin/getenforce;
Enforcing

Enhanced security is being enforced by SELinux!

Temporary Fix

So try this:

> sudo /usr/sbin/setenforce 0 ;
> /usr/sbin/getenforce;
Permissive

Now log out and back in, and you’ll notice that your .Xauthority file has been created and port forwarding works!

Run ‘id’ and you’ll see the simple results you expect.

Permanent Change

The setenforce command does not require a server reboot, but the change it makes does not survive a reboot either.  To make the change permanent, ask your system admin to edit /etc/selinux/config and change the SELINUX= line (shown below still at its enforcing value) to “SELINUX=permissive”:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
#       targeted - Targeted processes are protected,
#       mls - Multi Level Security protection.
SELINUXTYPE=targeted
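
Because setenforce changes only the running mode, a host can report Permissive while /etc/selinux/config still says enforcing. The following is an added example, not part of the original post: a shell check that compares the two. The function names and the sample file are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: detect drift between the running SELinux mode and the mode
# that /etc/selinux/config will apply at the next boot.

# Print the persistent mode (enforcing|permissive|disabled|unknown) from a
# config file. The path is a parameter so a sample file can be checked.
selinux_config_mode() {
    cfg=${1:-/etc/selinux/config}
    [ -r "$cfg" ] || { echo unknown; return 0; }
    # First uncommented SELINUX= line; SELINUXTYPE= and "# SELINUX=" do not match.
    mode=$(sed -n 's/^SELINUX=\([A-Za-z]*\).*/\1/p' "$cfg" | head -n 1 |
           tr '[:upper:]' '[:lower:]')
    case $mode in
        enforcing|permissive|disabled) echo "$mode" ;;
        *) echo unknown ;;
    esac
}

# Compare the runtime mode (the word printed by getenforce) with the config.
selinux_drift() {
    runtime=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    persistent=$(selinux_config_mode "$2")
    if [ "$persistent" = unknown ]; then
        echo unknown
    elif [ "$runtime" = "$persistent" ]; then
        echo consistent
    elif [ "$runtime" = permissive ] && [ "$persistent" = enforcing ]; then
        # The state right after "setenforce 0": enforcement returns on reboot.
        echo reverts-to-enforcing-on-reboot
    else
        echo "mismatch:$runtime->$persistent"
    fi
}

# Constructed sample mirroring the post: config still says enforcing while
# getenforce reports Permissive.
sample=$(mktemp)
printf '%s\n' '# SELINUX= can take one of these three values:' \
    'SELINUX=enforcing' 'SELINUXTYPE=targeted' > "$sample"
selinux_drift Permissive "$sample"
rm -f "$sample"

# On a real host: selinux_drift "$(/usr/sbin/getenforce)" /etc/selinux/config
```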

 

 

 

 

 
