Bug 1874527

Summary: /var/tmp/krb5_0.rcache2 is created with a wrong selinux context when krb5-API is used
Product: Red Hat Enterprise Linux 8
Reporter: Filip Dvorak <fdvorak>
Component: selinux-policy
Assignee: Patrik Koncity <pkoncity>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: medium
Priority: medium
Version: 8.3
CC: lvrabec, mmalik, pkoncity, plautrba, ssekidde, zpytela
Target Milestone: rc
Keywords: Triaged
Target Release: 8.4
Hardware: Unspecified
OS: Linux
Doc Type: No Doc Update
Last Closed: 2021-05-18 14:57:54 UTC
Type: Bug

Description Filip Dvorak 2020-09-01 14:40:15 UTC
Description of problem:
The script (rctest [1]) in the TCMS test [2] uses krb5-API (krb5_mk_req_extended) to create several authentication requests (AS_REQ and TGS_REQ messages) and then to check if the replay cache has been created. The problem is that the replay cache /var/tmp/krb5_0.rcache2 has a wrong security context.
 
[1]http://pkgs.devel.redhat.com/cgit/tests/krb5/tree/Regression/regression-test-suite/testcases/bz714188-host_0-wrong-selinux-context.sh
[2]http://pkgs.devel.redhat.com/cgit/tests/krb5/tree/Regression/regression-test-suite

Version-Release number of selected component (if applicable):
RHEL 8.3
krb5-1.18.2-5.el8
selinux-policy-3.14.3-53.el8

How reproducible:
always

Steps to Reproduce:
1. Configure krb5 with some user and service principal
krb5conf="/etc/krb5.conf"
krb5REALM="TEST.REDHAT.COM"
krb5kdcconf="/var/kerberos/krb5kdc/kdc.conf"
hostname=$(hostname)
Passwd="<kdc-master-password>"   # placeholder, the report does not give the value

sed -i "s/\[libdefaults\]/[libdefaults]\n default_realm = $krb5REALM/" $krb5conf
sed -i "s/\[realms\]/[realms]\n $krb5REALM = {\n  kdc = $hostname \n  admin_server = $hostname\n }/" $krb5conf
sed -i "s/\[domain_realm\]/[domain_realm]\n .$(hostname -d) = $krb5REALM\n $(hostname -d) = $krb5REALM/" $krb5conf
sed -i "s/EXAMPLE.COM/$krb5REALM/" $krb5kdcconf
sed -i "s/*\/admin@EXAMPLE\.COM/krb5user@$krb5REALM/" /var/kerberos/krb5kdc/kadm5.acl

kdb5_util create -s -P "$Passwd"
systemctl start kadmin krb5kdc
kadmin.local -q "addprinc -pw Passwd krb5user"
kadmin.local -q "addprinc -randkey host/$(hostname)"
kadmin.local -q "ktadd host/$(hostname)"

2. Compile the script [1]
   gcc -o rctest rctest.c `krb5-config --cflags --libs`

3.
kinit krb5user
./rctest host/$(hostname)@$krb5REALM

Actual results:
# ll -Z  /var/tmp/krb5_0.rcache2 
-rw-------. 1 root root unconfined_u:object_r:user_tmp_t:s0 16368 Sep  1 10:12 /var/tmp/krb5_0.rcache2

Expected results:
# ll -Z  /var/tmp/krb5_0.rcache2
-rw-------. 1 root root unconfined_u:object_r:krb5_host_rcache_t:s0 16368 Sep  1 10:12 /var/tmp/krb5_0.rcache2
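
An added example, not the rctest script this report links: a small POSIX sh audit that reads `ls -lZ` lines and flags replay cache files whose SELinux type is not `krb5_host_rcache_t`. The two sample lines are the Actual and Expected results above; the `restorecon` hint in the live variant assumes the path is covered by the policy's file_contexts.

```shell
#!/bin/sh
# Added example, not the reporter's rctest script (that source is only linked above).
# Audits `ls -lZ` output for Kerberos replay cache files that did not receive the
# SELinux type this bug report expects.

# Expected type for the replay cache under /var/tmp (from the Expected results).
RCACHE_EXPECTED_TYPE="krb5_host_rcache_t"

# Type field of an SELinux context:
# "unconfined_u:object_r:user_tmp_t:s0" -> "user_tmp_t".
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Read `ls -lZ` style lines on stdin, print a verdict per file and return the
# number of mislabelled files (0 means every file carries the expected type).
audit_rcache_listing() {
    bad=0
    while read -r _mode _links _owner _group ctx _size _mon _day _time path; do
        [ -n "$path" ] || continue
        ftype=$(selinux_type "$ctx")
        if [ "$ftype" = "$RCACHE_EXPECTED_TYPE" ]; then
            echo "OK        $ftype $path"
        else
            echo "MISLABEL  $ftype $path"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Live check on an SELinux host. restorecon resets the label from file_contexts;
# a cache that is created mislabelled again afterwards points at creation-time
# labelling in the policy, which is what this bug is about.
audit_live_rcaches() {
    ls -lZ /var/tmp/krb5_*.rcache2 2>/dev/null | audit_rcache_listing ||
        echo "hint: try 'restorecon -v /var/tmp/krb5_*.rcache2' and re-run" >&2
}

# Constructed sample input: the Actual and Expected lines from this report.
ACTUAL_LINE='-rw-------. 1 root root unconfined_u:object_r:user_tmp_t:s0 16368 Sep  1 10:12 /var/tmp/krb5_0.rcache2'
EXPECTED_LINE='-rw-------. 1 root root unconfined_u:object_r:krb5_host_rcache_t:s0 16368 Sep  1 10:12 /var/tmp/krb5_0.rcache2'

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n%s\n' "$ACTUAL_LINE" "$EXPECTED_LINE" | audit_rcache_listing
fi
```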

Comment 1 Zdenek Pytela 2020-09-01 15:22:36 UTC
Filip,

Could you please attach avc.log?

Comment 3 Zdenek Pytela 2020-09-03 10:56:23 UTC
Filip,

I haven't managed to find any AVCs in the logs, nor have I succeeded with the reproducer steps.

I'd like to get some additional information:
- who is the user running the step 3 commands:
  $ id
- what is the context of the executable:
  $ ls -lZ rctest
- if the test is close to some real scenario or what are the conditions to trigger this issue.

Comment 7 Patrik Koncity 2021-02-05 08:14:28 UTC
PR: https://github.com/fedora-selinux/selinux-policy/pull/562

Comment 19 errata-xmlrpc 2021-05-18 14:57:54 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:1639