Bug 174828

Summary: rsh and netgroups
Product: [Fedora] Fedora
Reporter: Dimitri Papadopoulos <dimitri.papadopoulos>
Component: selinux-policy-targeted
Assignee: Russell Coker <rcoker>
Status: CLOSED NEXTRELEASE
Severity: medium
Priority: medium
Version: 4
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2007-01-11 22:16:20 UTC
Attachments:
	/var/log/messages in permissive mode (flags: none)
	/var/log/messages in enforcing mode (flags: none)
	relevant part of /var/log/audit/audit.log (flags: none)

Description Dimitri Papadopoulos 2005-12-02 15:57:11 UTC
Description of problem:
The default SELinux policy for FC4 breaks use of rsh with netgroups.
We run NIS. All our workstations are part of netgroup 'shfj':
	$ ypcat -k netgroup
	[...]
	shfj [...] (foobar,,) [...]
	[...]
	$ cat /etc/hosts.equiv
	#localhost
	+@shfj
We also have a special account (let's call this account 'special') and a
netgroup of users called 'special_users':
	$ ypcat -k netgroup
	[...]
	special_users (,dimitri,) [...]
	[...]
Members of this 'special_users' group may log into account 'special' without a
password:
	special@localhost $ cat ~/.rhosts
	+@special_users  +@special_users
We have enabled rsh on our FC4 workstations and added 'promiscuous' so that
netgroups can be taken into account:
	$ cat /etc/xinetd.d/rsh
	[...]
	#       disable                 = yes
	[...]
	$ cat /etc/pam.d/rsh
	[...]
	auth       required     pam_rhosts_auth.so promiscuous
	[...]
When not in enforcing mode, rsh works as expected; it doesn't ask for a password
when trying to rsh as user 'special':
	# setenforce 0
	dimitri@foobar $ rsh localhost -l special
	special@foobar $ 
It does prompt for the 'special' account password in enforcing mode:
	# setenforce 1
	dimitri@foobar $ rsh localhost -l special
	Password: 
Users shouldn't be prompted for a password.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.27.1-2.14

How reproducible:
Always
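
Added example (not part of the original report, and not code from rsh, PAM or the SELinux policy): a small Python audit helper that resolves which remote host/user pairs the `+@netgroup` entries shown above would trust without a password. The netgroup data is constructed from the triples quoted in the report with the elided `[...]` members left out; the function names are hypothetical, and nested netgroups, bare `+` and negative `-` entries are not modelled.

```python
import re

# Constructed sample mirroring the report's NIS map ("[...]" members omitted).
SAMPLE_NETGROUP_MAP = """shfj (foobar,,)
special_users (,dimitri,)"""

def parse_triples(text):
    """Parse '(host,user,domain)' triples from one netgroup map value."""
    pattern = r"\(([^,()]*),([^,()]*),([^,()]*)\)"
    return [tuple(f.strip() for f in m.groups()) for m in re.finditer(pattern, text)]

def load_netgroups(text):
    """Build {netgroup: [triples]} from 'name members...' lines."""
    groups = {}
    for line in text.splitlines():
        name, _, members = line.partition(" ")
        groups[name] = parse_triples(members)
    return groups

def in_netgroup(groups, name, host=None, user=None):
    """innetgr(3)-style test: an empty triple field is a wildcard; None means 'not checked'."""
    for t_host, t_user, _domain in groups.get(name, []):
        if (host is None or t_host in ("", host)) and (user is None or t_user in ("", user)):
            return True
    return False

def field_matches(groups, field, value, kind):
    """Match one hosts.equiv/.rhosts field (kind is 'host' or 'user') against a value."""
    if field.startswith("+@"):
        return in_netgroup(groups, field[2:], **{kind: value})
    return field == value

def trusted(groups, lines, rhost, ruser, luser):
    """Return the first entry granting passwordless access, or None."""
    for line in lines:
        entry = line.split("#", 1)[0].split()
        if not entry:
            continue  # blank line or comment
        if not field_matches(groups, entry[0], rhost, "host"):
            continue
        if len(entry) == 1:
            # Host-only entry: trusted only when remote and local user names match.
            if ruser == luser:
                return line
        elif field_matches(groups, entry[1], ruser, "user"):
            return line
    return None

GROUPS = load_netgroups(SAMPLE_NETGROUP_MAP)
```

Because the `special_users` triple has an empty host field, the `.rhosts` entry trusts user 'dimitri' from any host, which is worth knowing when reviewing such a file.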

Comment 1 Dimitri Papadopoulos 2005-12-02 16:02:17 UTC
Created attachment 121759 [details]
/var/log/messages in permissive mode

Comment 2 Dimitri Papadopoulos 2005-12-02 16:04:08 UTC
Created attachment 121760 [details]
/var/log/messages in enforcing mode

Comment 3 Daniel Walsh 2005-12-06 16:02:33 UTC
Could you attach /var/log/audit/audit.log avc messages?

Comment 4 Dimitri Papadopoulos 2005-12-07 10:59:00 UTC
Created attachment 121965 [details]
relevant part of /var/log/audit/audit.log

For what it's worth, note that /usr/local (hence /usr/local/.rhosts) is not a
local filesystem. /usr/local is exported by an IRIX NFS server and NFS-mounted.