Bug 1512128
Summary: | Selinux prevents rpc.gssd and sshd from talking to the new SSSD kerberos key store | | |
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Jason Tibbitts <j> |
Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | ||
Version: | 27 | CC: | dwalsh, lslebodn, lvrabec, mgrepl, plautrba, pmoore |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | | | |
Fixed In Version: | selinux-policy-3.13.1-283.16.fc27 | Doc Type: | If docs needed, set a value |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2017-11-20 16:55:37 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Description
Jason Tibbitts
2017-11-10 22:43:40 UTC
Also, this is with current F27 updates-testing:

selinux-policy-3.13.1-283.14.fc27.noarch
sssd-1.16.0-2.fc27.x86_64
sssd-kcm-1.16.0-2.fc27.x86_64
nfs-utils-2.1.1-6.rc5.fc27.x86_64
gssproxy-0.7.0-12.fc27.x86_64
kernel-4.13.12-300.fc27.x86_64

Looking at the changelog for 283.15, I don't see anything which looks related, but I will certainly try it out when it hits the repos.

I cannot see a problem why it should not be allowed.

Jason, is that the only AVC which you can see in permissive mode? If yes, then you can use a custom policy for now.

```
sh# echo "(allow gssd_t sssd_var_run_t (sock_file (write)))" > /tmp/gssd-kcm.cil
sh# semodule -i /tmp/gssd-kcm.cil
sh# rm -f /tmp/gssd-kcm.cil
```

Lukas, I think we might introduce a new macro to make it more clear what the purpose is, because the following line does not look nice to me:

sssd_run_stream_connect(gssd_t)

maybe can_use_kerberos_kcm(gssd_t) ?

That is indeed the only AVC that is seen in permissive mode. So far I've just been using the result of audit2allow:

allow gssd_t sssd_var_run_t:sock_file write;

which seems semantically the same as what you suggest. (Usually I use audit2allow -M whatever and then tell ansible to do semodule -i whatever.pp, but I'm hoping this can be fixed up officially before I have to go that far.)

(In reply to Jason Tibbitts from comment #4)
> That is indeed the only AVC that is seen in permissive mode. So far I've
> just been using the result of audit2allow:
>
> allow gssd_t sssd_var_run_t:sock_file write;

That's equivalent to using gssd-kcm.cil.

> which seems semantically the same as what you suggest. (Usually I use
> audit2allow -M whatever and then tell ansible to do semodule -i whatever.pp,
> but I'm hoping this can be fixed up officially before I have to go that far.)

Thank you very much for running in enforcing mode. I'll try to contribute a patch very soon.
I'm not sure if this warrants a separate bug, but I happened to notice another AVC related to the SSSD KCM:

```
type=AVC msg=audit(1510696913.427:3141): avc: denied { write } for pid=25547 comm="sshd" name=".heim_org.h5l.kcm-socket" dev="tmpfs" ino=22056 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_var_run_t:s0 tclass=sock_file permissive=0
```

I believe this happens when a user logs in via SSH using GSSAPI auth. It does appear to forward the credentials OK (and store them in the KCM), so I'm not sure what, if anything, is broken by this.

I suspect there are several other KCM-related selinux issues around. I'm not sure if the full set of things which will talk to it has been audited. However, the can_use_kerberos_kcm() macro proposed earlier does make a good bit of sense. (To me, at least.)

An update: the above AVC for sshd_t writing to sshd_var_run_t does prevent sshd from creating the credential cache for the user. So if I have no existing ccache on the machine, I can't log in via ssh because my home directory can't be mounted. Even in permissive mode, there's just the one AVC. I'll add it to my local overrides.

selinux-policy-3.13.1-283.16.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-5178e6a393

selinux-policy-3.13.1-283.16.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-5178e6a393

selinux-policy-3.13.1-283.16.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.
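The custom-policy stop-gap suggested in the comments above (a one-line CIL `allow` rule loaded with `semodule -i`) can be generated directly from the AVC records instead of typed by hand, which also shows how the four fields of a denial map onto a CIL rule. The following shell script is an added example; it is not from the bug report or from the selinux-policy project. `avc_to_cil` pulls the source type, target type, object class and permission set out of each `avc: denied` record and prints the equivalent CIL rule; `cil_module_from_avcs` deduplicates them into a loadable module. The sample records are constructed: the sshd one is modelled on the denial quoted in the bug, the rpc.gssd one is assumed, since its record is not on the page.

```shell
#!/bin/sh
# Added example, not from the bug report or the selinux-policy project:
# turn "avc: denied" audit records into CIL allow rules of the form used in
# gssd-kcm.cil above, so a local override can be built from the log rather
# than typed by hand.

# Constructed sample records. The first is modelled on the sshd denial quoted
# in the bug; the second is an assumed rpc.gssd denial (its record is not on
# the page). The second keeps auditd's double spacing to show both are parsed.
SAMPLE_AVCS='type=AVC msg=audit(1510696913.427:3141): avc: denied { write } for pid=25547 comm="sshd" name=".heim_org.h5l.kcm-socket" dev="tmpfs" ino=22056 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_var_run_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1510000000.000:1): avc:  denied  { write } for  pid=1234 comm="rpc.gssd" name=".heim_org.h5l.kcm-socket" dev="tmpfs" ino=22056 scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:object_r:sssd_var_run_t:s0 tclass=sock_file permissive=1'

# avc_to_cil: read audit records on stdin, print one CIL allow rule per
# "avc: denied" record. Only the scontext type, tcontext type, tclass and the
# permission set are used; pid/comm/name/ino are ignored. Lines that are not
# AVC denials, or that lack one of the four fields, produce no output.
avc_to_cil() {
    awk '
    /avc: +denied/ {
        # permission set between the braces, e.g. "write" or "read write"
        perms = $0
        sub(/.*denied *[{] */, "", perms)
        sub(/ *[}].*/, "", perms)
        src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            # a context is user:role:type[:range]; the type is the third field
            if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
            else if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            else if ($i ~ /^tclass=/) { cls = substr($i, 8) }
        }
        if (src != "" && tgt != "" && cls != "" && perms != "")
            printf "(allow %s %s (%s (%s)))\n", src, tgt, cls, perms
    }'
}

# cil_module_from_avcs: same input, deduplicated, so a long log with the same
# denial repeated yields one rule each. The output is a complete CIL module;
# write it to a file and load it with "semodule -i <file>.cil" as in the bug.
cil_module_from_avcs() {
    avc_to_cil | sort -u
}

# Stand-alone demonstration: print the module for the constructed sample.
printf '%s\n' "$SAMPLE_AVCS" | cil_module_from_avcs
```

For the sample input this prints the same `(allow gssd_t sssd_var_run_t (sock_file (write)))` line given in the comments, plus its sshd_t counterpart. As the thread notes, a module like this is a local override until the policy gains an interface such as the proposed can_use_kerberos_kcm(); keep it narrow (the domains, class and permissions actually denied) rather than loading everything audit2allow would emit for a long log, and drop it once the fixed selinux-policy build is installed.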