Bug 1475271
Field | Value
---|---
Summary | svnserve.te does not support GSSAPI for svnserve_t
Product | Red Hat Enterprise Linux 7
Reporter | Matt Burt <matthew.burt>
Component | selinux-policy
Assignee | Lukas Vrabec <lvrabec>
Status | CLOSED ERRATA
QA Contact | Milos Malik <mmalik>
Severity | medium
Priority | high
Version | 7.4
CC | cww, lvrabec, matthew.burt, mmalik, plautrba, pvrabec, ralston, ssekidde
Target Milestone | rc
Target Release | ---
Hardware | All
OS | Linux
Doc Type | If docs needed, set a value
Story Points | ---
Last Closed | 2019-08-06 12:51:45 UTC
Type | Bug
Regression | ---
Mount Type | ---
Documentation | ---
Category | ---
oVirt Team | ---
Cloudforms Team | ---
Bug Blocks | 1594286, 1651783
Matt, thank you for posting your policy, which makes it work. svnserve should be a Kerberos-aware application.

We're also affected by this bug. (Matt, thanks for filing this; you saved us some work.) We have a Red Hat support contract, so I've requested escalation of this bug through our Red Hat support channels.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2127
Created attachment 1304689: Additional type enforcement rules for svnserve_t

Description of problem:
selinux-policy does not support svnserve running the svn protocol using GSSAPI.

Version-Release number of selected component (if applicable):
7.4

How reproducible:
Happens every time with:
1. Kerberised subversion server+client
2. selinux in enforcing mode on the server.
3. Client attempts to access server using the SVN protocol.

Steps to Reproduce:
1. (on the Kerberos KDC) Create a keytab for the server using the principal name "svn/<hostname>@<realm>"
2. Install OS on server, including subversion RPM.
3. Join server to realm (using adcli/realmd)
4. Create a local SVN repository on the server.
5. Copy keytab to server
6. Configure svnserve to use SASL2 + GSSAPI for authentication. Add the name of a realm user as authorized to read the repository.
7. From a remote client in the realm, log in as the realm user in step 6, and attempt to list the repository using "svn ls svn://<server>/<path to repo>"

Actual results:
Client error is:

```
svn: E170001: Authentication error from server: SASL(-1): generic failure: GSSAPI Error: An invalid name was supplied (Permission denied)
```

On the server, an audit entry is made similar to the following.

```
----
time->Wed Jul 26 10:57:25 2017
type=SYSCALL msg=audit(1501063045.818:738): arch=c000003e syscall=4 success=no exit=-13 a0=7f8c96228378 a1=7ffd7ba5a490 a2=7ffd7ba5a490 a3=b items=0 ppid=22518 pid=22534 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="svnserve" exe="/usr/bin/svnserve" subj=system_u:system_r:svnserve_t:s0 key=(null)
type=AVC msg=audit(1501063045.818:738): avc: denied { getattr } for pid=22534 comm="svnserve" path="/etc/krb5.conf" dev="dm-0" ino=16787959 scontext=system_u:system_r:svnserve_t:s0 tcontext=system_u:object_r:krb5_conf_t:s0 tclass=file
```

Expected results:
Repo listing on the client, and no AVC failure entries in the audit log.

Additional info:
The problem can be worked around by compiling and installing the attached .te file which contains the required policy entries to use svnserve with Kerberos.
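As an added example (not the reporter's attached .te file, which is not reproduced on this page), the following Python script does in miniature what audit2allow does for the AVC record quoted in the bug description: it parses the denial and emits the source of a loadable policy module. The second audit line in the sample input is constructed to show how permissions for the same source/target/class triple are merged; the module name svnserve_krb5 is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample input: line 1 is the AVC denial quoted in the bug report;
# line 2 is made up (same type pair, different permissions) to show merging.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1501063045.818:738): avc: denied { getattr } for pid=22534 comm="svnserve" path="/etc/krb5.conf" dev="dm-0" ino=16787959 scontext=system_u:system_r:svnserve_t:s0 tcontext=system_u:object_r:krb5_conf_t:s0 tclass=file
type=AVC msg=audit(1501063045.900:739): avc: denied { read open } for pid=22534 comm="svnserve" path="/etc/krb5.conf" dev="dm-0" ino=16787959 scontext=system_u:system_r:svnserve_t:s0 tcontext=system_u:object_r:krb5_conf_t:s0 tclass=file
"""

# Fields of an AVC record we need: the denied permission set, the source and
# target security contexts (type is the third colon-separated field) and class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"\bscontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def parse_avc(text):
    """Return {(source_type, target_type, class): set(perms)} for all denials."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue  # not an AVC record (e.g. the accompanying SYSCALL line)
        sdom = m.group("scon").split(":")[2]
        ttype = m.group("tcon").split(":")[2]
        rules[(sdom, ttype, m.group("tclass"))].update(m.group("perms").split())
    return dict(rules)

def build_module(rules, name="svnserve_krb5", version="1.0"):
    """Emit policy module source (the .te text audit2allow -M would write)."""
    types = sorted({t for key in rules for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls].update(perms)
    out = [f"module {name} {version};", "", "require {"]
    out += [f"    type {t};" for t in types]
    out += [f"    class {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (sdom, ttype, cls), perms in sorted(rules.items()):
        out.append(f"allow {sdom} {ttype}:{cls} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    # Build and load the result with: checkmodule -M -m -o svnserve_krb5.mod svnserve_krb5.te
    #   semodule_package -o svnserve_krb5.pp -m svnserve_krb5.mod ; semodule -i svnserve_krb5.pp
    print(build_module(parse_avc(SAMPLE_AUDIT)), end="")
```

A distribution fix in selinux-policy would normally express this through reference-policy interface macros (for example kerberos_use()) rather than raw allow rules, so that every file the Kerberos libraries touch is covered rather than only the ones that happened to be denied in one run.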