Bug 1877044

Summary: kprop create var/tmp/krb5_0.rcache2 with a wrong selinux context
Product: Red Hat Enterprise Linux 8
Reporter: Filip Dvorak <fdvorak>
Component: selinux-policy
Assignee: Patrik Koncity <pkoncity>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: medium
Priority: medium
Version: 8.3
CC: lvrabec, mmalik, pkoncity, plautrba, ssekidde, zpytela
Target Milestone: rc
Keywords: Triaged
Target Release: 8.4
Flags: pm-rhel: mirror+
Hardware: Unspecified
OS: Linux
Doc Type: No Doc Update
Last Closed: 2021-05-18 14:57:54 UTC
Type: Bug

Description Filip Dvorak 2020-09-08 18:25:37 UTC
Description of problem:
The kprop command (kprop is used to securely propagate a Kerberos V5 database dump file) creates /var/tmp/krb5_0.rcache2 with a wrong context.

Version-Release number of selected component (if applicable):
RHEL-8.3
selinux-policy-targeted-3.14.3-53.el8.noarch
krb5-libs-1.18.2-5.el8

How reproducible:
always

Steps to Reproduce:
1. Configure krb5 server on PC1
sed -i "s/\[libdefaults\]/[libdefaults]\n default_realm = REDHAT.COM/" /etc/krb5.conf
sed -i "s/\[realms\]/[realms]\n REDHAT.COM = {\n  kdc = $(hostname) \n  admin_server = $(hostname)\n }/" /etc/krb5.conf
sed -i "s/\[domain_realm\]/[domain_realm]\n .$(hostname -d) = REDHAT.COM\n $(hostname -d) = REDHAT.COM/" /etc/krb5.conf
sed -i 's/EXAMPLE.COM/REDHAT.COM/' /var/kerberos/krb5kdc/kdc.conf
sed -i 's/EXAMPLE\.COM/REDHAT.COM/' /var/kerberos/krb5kdc/kadm5.acl

add IP and hostname of PC2 into /etc/hosts

kdb5_util create -s -P passwd
systemctl start kadmin krb5kdc
kadmin.local -q "addprinc -pw bob bob/admin"
kadmin.local -q "addprinc -randkey host/$(hostname)"
kadmin.local -q "ktadd host/$(hostname)"
kdb5_util dump /var/kerberos/krb5kdc/replica_datatrans

2. Configure krb5 client on PC2
sed -i "s/\[libdefaults\]/[libdefaults]\n default_realm = REDHAT.COM/" /etc/krb5.conf
sed -i "s/\[realms\]/[realms]\n REDHAT.COM = {\n  kdc = $hostname_PC1 \n  admin_server = $hostname_PC1\n }/" /etc/krb5.conf
sed -i "s/\[domain_realm\]/[domain_realm]\n .$(hostname -d) = REDHAT.COM\n $(hostname -d) = REDHAT.COM/" /etc/krb5.conf
sed -i 's/EXAMPLE.COM/REDHAT.COM/' /var/kerberos/krb5kdc/kdc.conf
sed -i 's/EXAMPLE\.COM/REDHAT.COM/' /var/kerberos/krb5kdc/kadm5.acl

add IP and hostname of PC1 into /etc/hosts

kadmin -p bob/admin -w bob -q "addprinc -randkey host/$(hostname)"
kadmin -p bob/admin -w bob -q "ktadd host/$(hostname)@REDHAT.COM"
echo "host/$hostname_PC1" > /var/kerberos/krb5kdc/kpropd.acl
service kprop start

3. Run kprop on PC1
kprop $hostname_PC2

Actual results:
PC2:
# ll -Z /var/tmp/
-rw-------. 1 root root system_u:object_r:krb5kdc_tmp_t:s0 3920 Sep  8 12:48 krb5_0.rcache2

Expected results:
-rw-------. 1 root root system_u:object_r:krb5_host_rcache_t:s0 2176 Sep  8 12:43 krb5_0.rcache2

Comment 1 Zdenek Pytela 2020-09-09 07:14:18 UTC
Filipe,

Solution for this bz will somehow clash with the generic solution of bz#1874527 as there already is an unnamed transition:

files_tmp_filetrans(kpropd_t, krb5kdc_tmp_t, { file dir })

I suppose kpropd uses tmp files/dirs for other reasons than rcache, too; is the filename predictable in these cases?
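Added illustration (not the content of PR #562 or of the shipped policy) of how the clash described above can be resolved: an SELinux named file transition takes precedence over an unnamed one for a file of exactly that name, so the generic krb5kdc_tmp_t transition can stay. It assumes the replay cache is named krb5_<uid>.rcache2 and that kpropd runs as root, so only "krb5_0.rcache2" is covered.

```selinux
# Local policy module, added example: named transition for kpropd's rcache.
# Assumption: rcache file is krb5_<uid>.rcache2 and kpropd runs as uid 0.
policy_module(local_kprop_rcache, 1.0)

gen_require(`
    type kpropd_t;
    type krb5_host_rcache_t;
')

# kpropd must be able to create and rewrite the rcache file once it
# carries the krb5_host_rcache_t label.
manage_files_pattern(kpropd_t, krb5_host_rcache_t, krb5_host_rcache_t)

# Named transition. It overrides the existing unnamed
#   files_tmp_filetrans(kpropd_t, krb5kdc_tmp_t, { file dir })
# only for a file created in /var/tmp with exactly this name; every
# other tmp file or dir kpropd creates still gets krb5kdc_tmp_t.
files_tmp_filetrans(kpropd_t, krb5_host_rcache_t, file, "krb5_0.rcache2")

# Build, load and verify (needs selinux-policy-devel; run on PC2):
#   make -f /usr/share/selinux/devel/Makefile local_kprop_rcache.pp
#   semodule -i local_kprop_rcache.pp
#   sesearch -T -s kpropd_t -t tmp_t -c file   # lists both transitions
#   rm -f /var/tmp/krb5_0.rcache2              # then rerun kprop on PC1
#   ls -Z /var/tmp/krb5_0.rcache2              # expect krb5_host_rcache_t
```

For a kpropd running under a different uid the file name changes and the named transition no longer matches, which is exactly the predictability question raised in the comment.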

Comment 4 Patrik Koncity 2021-02-05 08:14:42 UTC
PR: https://github.com/fedora-selinux/selinux-policy/pull/562

Comment 15 errata-xmlrpc 2021-05-18 14:57:54 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:1639