Bug 1838018

Summary: sshd cannot write into reply cache (/var/tmp/krb5_0.rcache2) due to security context

Product: Fedora
Version: 32
Component: selinux-policy
Reporter: Filip Dvorak <fdvorak>
Assignee: Zdenek Pytela <zpytela>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: abokovoy, dwalsh, grepl.miroslav, j, lvrabec, nalin, npmccallum, plautrba, rharwood, sbose, ssorce, vmojzis, zpytela
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Keywords: Triaged
Type: Bug
Hardware: Unspecified
OS: Unspecified
Fixed In Version: selinux-policy-3.14.5-41.fc32
Last Closed: 2020-07-02 01:11:54 UTC

Description Filip Dvorak 2020-05-20 11:30:06 UTC
Description of problem:
After the installation of krb5 I added a new user into the krb5 db via the following command: "kadmin -p root/admin -w password -q 'ank -pw password alice'". The command finished successfully and the reply cache file was created. The problem is that this file had the security context system_u:object_r:kadmind_tmp_t:s0. This is a problem when ssh via krb5-GSSAPI is used, because the sshd service cannot write into this file.

Version-Release number of selected component (if applicable):
krb5-1.18-1.fc32.x86_64

How reproducible:
always

Steps to Reproduce:
1. Install and configure krb5kdc and kadmin

hostnamectl set-hostname kerberos.example.com
sed -i "1i 127.0.0.1 kerberos.example.com" /etc/hosts
echo -ne '[realms]\nEXAMPLE.COM = {\n    kdc = kerberos.example.com\n    admin_server = kerberos.example.com\n}\n\n[domain_realm]\n.example.com = EXAMPLE.COM\nexample.com = EXAMPLE.COM\n' > /etc/krb5.conf.d/example_com
sed -i "s/^# default_realm/ default_realm/" /etc/krb5.conf
echo -ne "passwd\npasswd\n" | kdb5_util create -s
systemctl start krb5kdc kadmin
 
2. kadmin.local -r EXAMPLE.COM -q "addprinc -pw password root/admin"
3. kadmin -p root/admin -w password -q 'ank -pw password alice'

Actual results:
# kinit alice
Password for alice: 

# ssh alice.com pwd
alice.com's password: 


Expected results:
# kinit alice
Password for alice: 

# ssh alice.com pwd
/home/alice


Additional info:
# ll -Z /var/tmp/krb5_0.rcache2
-rw-------. 1 root root system_u:object_r:kadmind_tmp_t:s0 3328 May 20 07:22 /var/tmp/krb5_0.rcache2

AVC message:
time->Wed May 20 06:50:45 2020
type=AVC msg=audit(1589971845.880:557): avc:  denied  { write } for  pid=16961 comm="sshd" name="krb5_0.rcache2" dev="vda1" ino=831 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:kadmind_tmp_t:s0 tclass=file permissive=0
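
The AVC record above carries everything needed to diagnose the denial: the source domain (sshd_t), the target type of the reply cache file (kadmind_tmp_t), the object class and the denied permission. The following script is an added example, not part of the bug report or of selinux-policy; it parses AVC records in that format and groups them by (source type, target type, class) the way audit2allow does. The audit input is constructed: the first line is the record from this report, the second is a hypothetical permissive-mode denial added so the grouping has more than one record to merge, and the SYSCALL line shows non-AVC records being skipped.

```python
import re
from dataclasses import dataclass

# Constructed sample audit log: line 1 is the AVC from the bug report above,
# line 2 is a hypothetical extra denial (permissive=1) on the same file,
# line 3 is a non-AVC record that the parser must ignore.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1589971845.880:557): avc:  denied  { write } for  pid=16961 comm="sshd" name="krb5_0.rcache2" dev="vda1" ino=831 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:kadmind_tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1589971900.000:558): avc:  denied  { read open } for  pid=16970 comm="sshd" name="krb5_0.rcache2" dev="vda1" ino=831 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:kadmind_tmp_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1589971845.880:557): arch=c000003e syscall=257 success=no exit=-13
"""

# "avc:  denied  { perm perm } for  key=value key="value" ..."
AVC_RE = re.compile(
    r'^type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass(frozen=True)
class AvcDenial:
    perms: frozenset       # denied permissions, e.g. {"write"}
    comm: str              # process name
    name: str              # object name (file name here)
    scontext: str          # full source security context
    tcontext: str          # full target security context
    tclass: str            # object class, e.g. "file"
    permissive: bool       # True if the domain was permissive (not enforced)

    @property
    def source_type(self):
        # user:role:type[:range] -> the type is the third field
        return self.scontext.split(':')[2]

    @property
    def target_type(self):
        return self.tcontext.split(':')[2]


def parse_avc(line):
    """Parse one audit line; return an AvcDenial or None for non-AVC records."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return AvcDenial(
        perms=frozenset(m.group('perms').split()),
        comm=fields.get('comm', ''),
        name=fields.get('name', ''),
        scontext=fields['scontext'],
        tcontext=fields['tcontext'],
        tclass=fields['tclass'],
        permissive=fields.get('permissive') == '1',
    )


def summarize(audit_text):
    """Group denials by (source type, target type, class) and union the permissions."""
    summary = {}
    for line in audit_text.splitlines():
        d = parse_avc(line)
        if d is None:
            continue
        key = (d.source_type, d.target_type, d.tclass)
        summary[key] = summary.get(key, frozenset()) | d.perms
    return summary


def as_allow_rules(summary):
    """Render the grouped denials as the allow rules audit2allow would propose."""
    return [
        f'allow {s} {t}:{c} {{ {" ".join(sorted(p))} }};'
        for (s, t, c), p in sorted(summary.items())
    ]


if __name__ == '__main__':
    for rule in as_allow_rules(summarize(SAMPLE_AUDIT)):
        print(rule)
```

The rendered rule is a diagnostic, not the fix: it shows which domain/type/class pair is blocked, which is exactly the access the maintainers later opened through a dedicated interface in the distribution policy rather than by loading a raw local allow rule.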

Comment 4 Zdenek Pytela 2020-06-11 08:30:56 UTC
I've submitted two Fedora PRs to address the issue:
https://github.com/fedora-selinux/selinux-policy-contrib/pull/263
https://github.com/fedora-selinux/selinux-policy/pull/373

Comment 5 Zdenek Pytela 2020-06-11 09:59:45 UTC
F32 commits:
commit 9f169ec424c26617b7b113754c4300d3ce5278e2 (HEAD -> f32, upstream/f32, origin/f32)
Author: Zdenek Pytela <zpytela>
Date:   Thu Jun 11 10:22:40 2020 +0200

    Create the kerberos_write_kadmind_tmp_files() interface
    
    Related: rhbz#1838018

commit 74c1a0656a1a7468befd1a10f24204106c316900 (HEAD -> f32, upstream/f32, origin/f32)
Author: Zdenek Pytela <zpytela>
Date:   Thu Jun 11 10:27:38 2020 +0200

    Allow sshd write to kadmind temporary files
    
    Resolves: rhbz#1838018

Comment 6 Fedora Update System 2020-06-24 11:33:09 UTC
FEDORA-2020-5c374f680a has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2020-5c374f680a

Comment 7 Fedora Update System 2020-06-25 01:03:39 UTC
FEDORA-2020-5c374f680a has been pushed to the Fedora 32 testing repository.
In a short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-5c374f680a`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-5c374f680a

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 8 Fedora Update System 2020-07-02 01:11:54 UTC
FEDORA-2020-5c374f680a has been pushed to the Fedora 32 stable repository.
If the problem still persists, please make note of it in this bug report.