Bug 170301

Summary: Login via Kerberos and NFS4/krb5i
Product: Fedora
Reporter: Joachim Selke <mail>
Component: selinux-policy-targeted
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: medium
Version: 4
CC: nalin
Hardware: All
OS: Linux
Fixed In Version: 1.27.1-2.11
Doc Type: Bug Fix
Last Closed: 2005-10-31 19:14:27 UTC

Description Joachim Selke 2005-10-10 16:36:55 UTC
Description of problem:
I use a combination of Kerberos5 and LDAP on a server to manage
authentication/authorization on clients. On the clients the /home directory is
mounted via NFS4/krb5i from the server.

In SELinux permissive mode everything works fine, but in enforcing mode users
are not able to access their home directories. The login is successful but
access to the home directory is denied (username=selke, uid=10000):

Could not chdir to home directory /home/selke: Permission denied
-bash: /home/selke/.bash_profile: Permission denied
-bash-3.00$ quit
-bash: quit: command not found
-bash-3.00$ exit
logout
-bash: /home/selke/.bash_logout: Permission denied

During login I get several denied errors in /var/log/audit/audit.log:

type=USER_AUTH msg=audit(1128961167.368:21): user pid=2815 uid=0 auid=4294967295 msg='PAM authentication: user=selke exe="/usr/sbin/sshd" (hostname=vpn6.mip.uni-hannover.de, addr=130.75.236.6, terminal=ssh result=Success)'
type=USER_ACCT msg=audit(1128961167.384:22): user pid=2815 uid=0 auid=4294967295 msg='PAM accounting: user=selke exe="/usr/sbin/sshd" (hostname=vpn6.mip.uni-hannover.de, addr=130.75.236.6, terminal=ssh result=Success)'
type=LOGIN msg=audit(1128961167.424:23): login pid=2819 uid=0 old auid=4294967295 new auid=10000
type=USER_START msg=audit(1128961167.424:24): user pid=2819 uid=0 auid=10000 msg='PAM session open: user=selke exe="/usr/sbin/sshd" (hostname=vpn6.mip.uni-hannover.de, addr=130.75.236.6, terminal=ssh result=Success)'
type=CRED_REFR msg=audit(1128961167.428:25): user pid=2819 uid=0 auid=10000 msg='PAM setcred: user=selke exe="/usr/sbin/sshd" (hostname=vpn6.mip.uni-hannover.de, addr=130.75.236.6, terminal=ssh result=Success)'
type=AVC msg=audit(1128961167.504:26): avc:  denied  { dac_override } for  pid=1883 comm="rpc.gssd" capability=1 scontext=system_u:system_r:gssd_t tcontext=system_u:system_r:gssd_t tclass=capability
type=AVC msg=audit(1128961167.504:26): avc:  denied  { dac_read_search } for  pid=1883 comm="rpc.gssd" capability=2 scontext=system_u:system_r:gssd_t tcontext=system_u:system_r:gssd_t tclass=capability
type=SYSCALL msg=audit(1128961167.504:26): arch=40000003 syscall=5 success=no exit=-13 a0=9c4afe0 a1=8000 a2=0 a3=8000 items=1 pid=1883 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="rpc.gssd" exe="/usr/sbin/rpc.gssd"
type=CWD msg=audit(1128961167.504:26):  cwd="/var/lib/nfs/rpc_pipefs/nfs"
type=PATH msg=audit(1128961167.504:26): item=0 name="/tmp/krb5cc_10000_gyxwqn" flags=101  inode=6606226 dev=03:02 mode=0100600 ouid=10000 ogid=10000 rdev=00:00

(the last three messages are repeated several times)

In permissive mode the Kerberos credentials cache file /tmp/krb5cc_10000_gyxwqn
is created, but not in enforcing mode.

In /var/log/messages I get:

Oct 10 18:19:27 pupkin sshd(pam_unix)[2819]: session opened for user selke by (uid=0)
Oct 10 18:19:27 pupkin rpc.gssd[1883]: WARNING: error from gss_acquire_cred for user with uid 10000 (Credentials cache permissions incorrect)
Oct 10 18:19:27 pupkin rpc.gssd[1883]: WARNING: Failed to create krb5 context for user with uid 10000 for server obelix.thi.uni-hannover.de

(the last two messages are repeated several times)

If I switch to SELinux permissive mode then everything works fine. And (this is
strange) it keeps working when I switch to enforcing mode, log off and log in
again. But after a reboot the problem occurs again.

Version-Release number of selected component (if applicable):
selinux-policy-targeted.noarch-1.27.1-2.3

Comment 1 Daniel Walsh 2005-10-17 18:14:30 UTC
Fixed in selinux-policy-*-1.27.1-2.6
Comment 2 Joachim Selke 2005-10-17 22:07:25 UTC
The bug is not fixed yet. I updated a few minutes ago to
selinux-policy-targeted-1.27.1-2.6 and did a complete relabeling of the
filesystem. Here is the result:

The login is successful, but gives the following errors:

Could not chdir to home directory /home/selke: Permission denied
-bash: /home/selke/.bash_profile: Permission denied
/var/log/audit/audit.log says:

type=AVC msg=audit(1129586483.447:34): avc:  denied  { write } for  pid=1903 comm="rpc.gssd" name="krb5cc_10000_8OnCut" dev=hda2 ino=6606226 scontext=system_u:system_r:gssd_t tcontext=system_u:object_r:tmp_t tclass=file
type=SYSCALL msg=audit(1129586483.447:34): arch=40000003 syscall=5 success=no exit=-13 a0=96b6318 a1=8002 a2=0 a3=8002 items=1 pid=1903 auid=4294967295 uid=0 gid=0 euid=10000 suid=0 fsuid=10000 egid=0 sgid=0 fsgid=0 comm="rpc.gssd" exe="/usr/sbin/rpc.gssd"
type=CWD msg=audit(1129586483.447:34):  cwd="/var/lib/nfs/rpc_pipefs/nfs"
type=PATH msg=audit(1129586483.447:34): item=0 name="/tmp/krb5cc_10000_8OnCut" flags=101  inode=6606226 dev=03:02 mode=0100600 ouid=10000 ogid=10000 rdev=00:00

These messages are repeated several times.
/var/log/messages:

Oct 18 00:01:23 pupkin rpc.gssd[1903]: WARNING: Failed to create krb5 context for user with uid 10000 for server obelix.thi.uni-hannover.de

This message is repeated several times too.

Comment 3 Daniel Walsh 2005-10-17 23:46:30 UTC
Can you remove krb5cc_10000_8OnCut and then try again?

Dan

Comment 4 Joachim Selke 2005-10-18 16:18:11 UTC
I did the following:
  1. delete all files in /tmp
  2. create /.autorelabel
  3. reboot machine
  4. login as "selke" (uid 10000)

The result is the same as mentioned in my last comment. The only difference is
the file name, which is now krb5cc_10000_emxaFS. But this is not remarkable, because
the name part after the uid seems to be a random sequence.

Comment 5 Joachim Selke 2005-10-31 17:58:03 UTC
selinux-policy-targeted-1.27.1-2.11 fixed the bug. Thank you! :-)
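The denials in the description and in Comment 2 have two different shapes: the first is a capability denial (dac_override, dac_read_search) inside gssd_t's own domain, the second is a write denial on a file labelled tmp_t. Telling them apart quickly is easier when each AVC record is joined to the SYSCALL and PATH records that share its audit serial number (the ":26" and ":34" in msg=audit(...)), which give the syscall outcome and the file path. The following is an added example (not code from the bug report or from the selinux-policy project) that does that join over the audit.log lines quoted above, re-joined to one record per line, and then tallies denials by source type, target type, object class and permission so that the "repeated several times" records collapse into one row each. The regular expressions and function names are my own; nothing here depends on audit tooling beyond the record format visible on the page.

```python
"""Correlate SELinux AVC denials with SYSCALL/PATH records by audit serial.

Added example. SAMPLE_AUDIT_LOG holds the audit.log records quoted in the
bug report (joined to one record per line); it is not a live capture.
"""
import re
from collections import Counter

SAMPLE_AUDIT_LOG = """\
type=USER_START msg=audit(1128961167.424:24): user pid=2819 uid=0 auid=10000 msg='PAM session open: user=selke exe="/usr/sbin/sshd" (hostname=vpn6.mip.uni-hannover.de, addr=130.75.236.6, terminal=ssh result=Success)'
type=AVC msg=audit(1128961167.504:26): avc:  denied  { dac_override } for  pid=1883 comm="rpc.gssd" capability=1 scontext=system_u:system_r:gssd_t tcontext=system_u:system_r:gssd_t tclass=capability
type=AVC msg=audit(1128961167.504:26): avc:  denied  { dac_read_search } for  pid=1883 comm="rpc.gssd" capability=2 scontext=system_u:system_r:gssd_t tcontext=system_u:system_r:gssd_t tclass=capability
type=SYSCALL msg=audit(1128961167.504:26): arch=40000003 syscall=5 success=no exit=-13 a0=9c4afe0 a1=8000 a2=0 a3=8000 items=1 pid=1883 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="rpc.gssd" exe="/usr/sbin/rpc.gssd"
type=CWD msg=audit(1128961167.504:26):  cwd="/var/lib/nfs/rpc_pipefs/nfs"
type=PATH msg=audit(1128961167.504:26): item=0 name="/tmp/krb5cc_10000_gyxwqn" flags=101  inode=6606226 dev=03:02 mode=0100600 ouid=10000 ogid=10000 rdev=00:00
type=AVC msg=audit(1129586483.447:34): avc:  denied  { write } for  pid=1903 comm="rpc.gssd" name="krb5cc_10000_8OnCut" dev=hda2 ino=6606226 scontext=system_u:system_r:gssd_t tcontext=system_u:object_r:tmp_t tclass=file
type=SYSCALL msg=audit(1129586483.447:34): arch=40000003 syscall=5 success=no exit=-13 a0=96b6318 a1=8002 a2=0 a3=8002 items=1 pid=1903 auid=4294967295 uid=0 gid=0 euid=10000 suid=0 fsuid=10000 egid=0 sgid=0 fsgid=0 comm="rpc.gssd" exe="/usr/sbin/rpc.gssd"
type=PATH msg=audit(1129586483.447:34): item=0 name="/tmp/krb5cc_10000_8OnCut" flags=101  inode=6606226 dev=03:02 mode=0100600 ouid=10000 ogid=10000 rdev=00:00
"""

# Every record starts "type=<TYPE> msg=audit(<ts>:<serial>): <body>"
HEADER_RE = re.compile(
    r"^type=(?P<type>\w+)\s+msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$"
)
# AVC body: "avc:  denied  { perm perm } for  key=value ..."
AVC_RE = re.compile(
    r"^avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)
# key=value pairs; values are bare tokens or double-quoted strings
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_kv(text):
    """Turn 'pid=1883 comm="rpc.gssd" ...' into a dict, stripping quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}


def parse_audit(text):
    """Return one dict per audit record; non-record lines are skipped."""
    records = []
    for line in text.splitlines():
        m = HEADER_RE.match(line.strip())
        if not m:
            continue
        rec = {"type": m["type"], "ts": float(m["ts"]), "serial": int(m["serial"])}
        if rec["type"] == "AVC":
            a = AVC_RE.match(m["body"])
            if not a:
                continue
            rec["verdict"] = a["verdict"]
            rec["perms"] = a["perms"].split()
            rec.update(parse_kv(a["rest"]))
        else:
            rec.update(parse_kv(m["body"]))
        records.append(rec)
    return records


def correlate_denials(records):
    """Join each denied permission with the SYSCALL/PATH records of its serial."""
    by_serial = {}
    for rec in records:
        by_serial.setdefault(rec["serial"], []).append(rec)
    out = []
    for serial, group in sorted(by_serial.items()):
        syscall = next((r for r in group if r["type"] == "SYSCALL"), {})
        paths = [r["name"] for r in group if r["type"] == "PATH" and "name" in r]
        for avc in group:
            if avc["type"] != "AVC" or avc.get("verdict") != "denied":
                continue
            for perm in avc["perms"]:
                out.append({
                    "serial": serial, "comm": avc.get("comm"), "perm": perm,
                    "scontext": avc.get("scontext"), "tcontext": avc.get("tcontext"),
                    "tclass": avc.get("tclass"),
                    # PATH gives the full path; the AVC "name" field is only the basename
                    "path": paths[0] if paths else avc.get("name"),
                    "success": syscall.get("success"), "exit": syscall.get("exit"),
                })
    return out


def tally(denials):
    """Count denials by (source type, target type, class, permission).

    Reducing user:role:type contexts to the type is the granularity an
    SELinux allow rule works at, so repeated denials collapse to one row.
    """
    def type_of(ctx):
        return ctx.split(":")[2] if ctx and ctx.count(":") >= 2 else ctx
    return Counter((type_of(d["scontext"]), type_of(d["tcontext"]), d["tclass"], d["perm"])
                   for d in denials)


if __name__ == "__main__":
    found = correlate_denials(parse_audit(SAMPLE_AUDIT_LOG))
    for d in found:
        print(f"serial={d['serial']} {d['comm']} ({d['scontext']}) denied {d['perm']} "
              f"on {d['tclass']} {d['path']} ({d['tcontext']}) exit={d['exit']}")
    for key, n in tally(found).items():
        print(n, *key)
```

Run it on a real /var/log/audit/audit.log by replacing SAMPLE_AUDIT_LOG with the file contents; on the report's records it yields two rows for gssd_t acting in its own domain (capability dac_override, dac_read_search) and one for gssd_t writing a tmp_t file, with the PATH record naming the /tmp/krb5cc_10000_* credential cache in both cases and exit=-13 (EACCES) from the open() syscall. The second shape is the one a policy fix has to cover, since the credential cache the Kerberos login creates lives in /tmp and carries tmp_t, which the gssd_t domain was not permitted to write.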