Bug 378941

Summary: selinux blocks incoming ssh with Kerberos password supplied
Product: [Fedora] Fedora Reporter: Danny Padwa <daniel.padwa>
Component: selinux-policyAssignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high Docs Contact:
Priority: low    
Version: 8CC: k.georgiou
Target Milestone: ---Keywords: SELinux
Target Release: ---   
Hardware: i386   
OS: Linux   
Whiteboard:
Fixed In Version: Current Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2007-11-16 14:07:50 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Danny Padwa 2007-11-12 22:17:33 UTC 
Description of problem:
Incoming ssh connections fail if they supply a Kerberos password.   Works fine
if it uses ssh keys or local passwords.   /var/log/messages shows that ssh
segfaulted and blames selinux

Version-Release number of selected component (if applicable):
selinux-policy-3.0.8-47.fc8
selinux-policy-targeted-3.0.8-47.fc8
openssh-server-4.7p1-2.fc8


How reproducible:
Very

Steps to Reproduce:
1.  Set up local user with both Kerberos and local passwords (distinct)
2.  ssh in without a client credential - provide local pw, everything works
3.  ssh in without a client credential - provide kerberos pw, things break
  
Actual results:
Nov 12 17:06:14 padwad-fc8v0 kernel: sshd[6909]: segfault at ffffffff eip
004fd3be esp bf905bf8 error 6
Nov 12 17:06:16 padwad-fc8v0 setroubleshoot: #012    SELinux is preventing
/usr/sbin/sshd (sshd_t) "read write" to /SYSV00000000 (deleted) (tmpfs_t).#012 
   For complete SELinux messages. run sealert -l
589f169e-fd37-4262-a980-af208051c28d
Nov 12 17:06:56 padwad-fc8v0 kernel: sshd[7214]: segfault at ffffffff eip
004fd3be esp bfa55548 error 6
Nov 12 17:06:58 padwad-fc8v0 setroubleshoot: #012    SELinux is preventing
/usr/sbin/sshd (sshd_t) "read write" to /SYSV00000000 (deleted) (tmpfs_t).#012 
   For complete SELinux messages. run sealert -l
589f169e-fd37-4262-a980-af208051c28d


Expected results:
Things should work

Additional info:
There are two problems here:
- selinux should have a proper policy for sshd
- sshd should not segv in the face of selinux rejections
Comment 1 Danny Padwa 2007-11-12 22:18:57 UTC 
I can give you fuller debug logs if needed.
Comment 2 Danny Padwa 2007-11-12 22:29:18 UTC 
Looks like this is the local kerberos credential cache that is getting created 
inside of the Kerberos library.  sshd needs to be able to write a file in /tmp 
for kerberos purposes - if selinux is blocking that, it would be a Bad Thing.
Comment 3 Daniel Walsh 2007-11-12 22:49:26 UTC 
Fixed in selinux-policy-3.0.8-53.fc8
Comment 4 Kostas Georgiou 2007-11-16 01:18:37 UTC 
I just tested with selinux-policy-3.0.8-56.fc8 and sshd works now.