Bug 479773

Summary: NIS authentication fails with SELinux set to enforcing
Product: [Fedora] Fedora
Reporter: Andrew John Hughes <ahughes>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: low
Version: 10
CC: dwalsh, jkubin, mgrepl, rdieter
Hardware: x86_64
OS: Linux
Doc Type: Bug Fix
Last Closed: 2009-08-19 15:27:10 UTC
Bug Blocks: 517000

Description Andrew John Hughes 2009-01-13 00:10:11 UTC
Description of problem:

SELinux is preventing authentication via NIS. Using su to become the user works fine, but login, whether via the console, gdm or ssh, fails.

$ ssh sam@gondor
Connection closed by 192.168.0.10

from audit.log:

type=USER_ACCT msg=audit(1231805174.212:45): user pid=3196 uid=0 auid=0 ses=2 subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct="sam" exe="/usr/sbin/sshd" (hostname=rivendell.middle-earth.co.uk, addr=192.168.0.1, terminal=ssh res=failed)'
type=USER_LOGIN msg=audit(1231805174.212:46): user pid=3196 uid=0 auid=0 ses=2 subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 msg='acct="sam": exe="/usr/sbin/sshd" (hostname=?, addr=192.168.0.1, terminal=sshd res=failed)'

# getsebool use_nfs_home_dirs
use_nfs_home_dirs --> on

# getsebool allow_ypbind
allow_ypbind --> on

# authconfig --test
caching is disabled
nss_files is always enabled
nss_compat is disabled
nss_db is disabled
nss_hesiod is disabled
 hesiod LHS = ""
 hesiod RHS = ""
nss_ldap is disabled
 LDAP+TLS is disabled
 LDAP server = "ldap://127.0.0.1/"
 LDAP base DN = "dc=example,dc=com"
nss_nis is enabled
 NIS server = "192.168.0.1"
 NIS domain = "middle-earth.co.uk"
nss_nisplus is disabled
nss_winbind is disabled
 SMB workgroup = "MYGROUP"
 SMB servers = ""
 SMB security = "user"
 SMB realm = ""
 Winbind template shell = "/bin/false"
 SMB idmap uid = "16777216-33554431"
 SMB idmap gid = "16777216-33554431"
nss_wins is disabled
DNS preference over NSS or WINS is disabled
pam_unix is always enabled
 shadow passwords are enabled
 password hashing algorithm is sha512
pam_krb5 is disabled
 krb5 realm = "EXAMPLE.COM"
 krb5 realm via dns is disabled
 krb5 kdc = "kerberos.example.com:88"
 krb5 kdc via dns is disabled
 krb5 admin server = "kerberos.example.com:749"
pam_ldap is disabled
 LDAP+TLS is disabled
 LDAP server = "ldap://127.0.0.1/"
 LDAP base DN = "dc=example,dc=com"
pam_pkcs11 is disabled
 use only smartcard for login is disabled
 smartcard module = "coolkey"
 smartcard removal action = "Ignore"
pam_smb_auth is disabled
 SMB workgroup = "MYGROUP"
 SMB servers = ""
pam_winbind is disabled
 SMB workgroup = "MYGROUP"
 SMB servers = ""
 SMB security = "user"
 SMB realm = ""
pam_cracklib is enabled (try_first_pass retry=3)
pam_passwdqc is disabled ()
pam_access is disabled ()
pam_mkhomedir is disabled ()
Always authorize local users is disabled ()
Authenticate system accounts against network services is disabled

Version-Release number of selected component (if applicable):

F10 (both with original install and now with latest updates)

How reproducible:

Attempt to login using account information stored on a remote NIS server.

Steps to Reproduce:
1. Enter NIS username + password
Actual results:
Login fails with correct username+password.

Expected results:
Login allowed.

Additional info:
This is clearly due to SELinux, as 'setenforce 0' or changing to permissive mode in /etc/selinux/config allows the login.

Comment 1 Daniel Walsh 2009-01-13 15:07:21 UTC
No AVCs reported. Strange, could you execute:

# semanage permissive -a sshd_t
# semodule -DB

and then try to ssh into the machine, then look for sshd AVC messages.

Execute 
# semanage permissive -d sshd_t

When you are done.

Comment 2 Andrew John Hughes 2009-01-14 18:36:29 UTC
type=AVC msg=audit(1231958066.818:158): avc:  denied  { getattr } for  pid=4606 comm="unix_chkpwd" name="/" dev=selinuxfs ino=1 scontext=system_u:system_r:system_chkpwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=filesystem
type=AVC msg=audit(1231958066.818:159): avc:  denied  { search } for  pid=4606 comm="unix_chkpwd" name="/" dev=selinuxfs ino=1 scontext=system_u:system_r:system_chkpwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=dir
type=AVC msg=audit(1231958066.818:160): avc:  denied  { search } for  pid=4606 comm="unix_chkpwd" name="/" dev=selinuxfs ino=1 scontext=system_u:system_r:system_chkpwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=dir
type=AVC msg=audit(1231958066.819:161): avc:  denied  { name_bind } for  pid=4606 comm="unix_chkpwd" src=966 scontext=system_u:system_r:system_chkpwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=udp_socket
type=AVC msg=audit(1231958066.819:162): avc:  denied  { name_bind } for  pid=4606 comm="unix_chkpwd" src=967 scontext=system_u:system_r:system_chkpwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=udp_socket
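
Added here as an example, not code from the bug or from the Fedora policy: a small Python triage helper that parses AVC records like the ones above, groups the denied permissions by source type, target type and object class, and renders the raw allow rules that audit2allow would emit for them. The sample log is constructed from comment 2's lines plus one non-AVC record; a policy interface such as nis_authenticate() is the preferred fix where one covers the need.

```python
import re
from collections import defaultdict

# Constructed sample input: three AVC records quoted from comment 2 plus one
# USER_LOGIN record, so the parser has something it must skip.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1231958066.818:158): avc:  denied  { getattr } for  pid=4606 comm="unix_chkpwd" name="/" dev=selinuxfs ino=1 scontext=system_u:system_r:system_chkpwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=filesystem
type=AVC msg=audit(1231958066.818:159): avc:  denied  { search } for  pid=4606 comm="unix_chkpwd" name="/" dev=selinuxfs ino=1 scontext=system_u:system_r:system_chkpwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=dir
type=AVC msg=audit(1231958066.819:161): avc:  denied  { name_bind } for  pid=4606 comm="unix_chkpwd" src=966 scontext=system_u:system_r:system_chkpwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=udp_socket
type=USER_LOGIN msg=audit(1231805174.212:46): user pid=3196 uid=0 auid=0 ses=2 subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 msg='acct="sam": exe="/usr/sbin/sshd" (hostname=?, addr=192.168.0.1, terminal=sshd res=failed)'
"""

# Fields of one kernel AVC denial record: permissions, source/target context, class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for .*?"
    r"scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Return the type field of an SELinux context (user:role:type[:range])."""
    return ctx.split(":")[2]


def summarize_denials(log_text):
    """Group denied permissions by (source type, target type, object class)."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        if not line.startswith("type=AVC"):
            continue  # USER_LOGIN, USER_ACCT etc. carry no denial
        m = AVC_RE.search(line)
        if m is None:
            continue
        key = (context_type(m["scontext"]), context_type(m["tcontext"]), m["tclass"])
        denials[key].update(m["perms"].split())
    return {k: sorted(v) for k, v in denials.items()}


def raw_allow_rules(summary):
    """Render each denial group as the literal allow rule audit2allow would produce."""
    rules = []
    for (src, tgt, cls), perms in sorted(summary.items()):
        body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules


if __name__ == "__main__":
    for rule in raw_allow_rules(summarize_denials(SAMPLE_AUDIT_LOG)):
        print(rule)
```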

Comment 3 Daniel Walsh 2009-01-14 19:59:10 UTC
If you create mynis.te to look like the following:

cat mynis.te
policy_module(mynis, 1.0)
gen_require(`
        type system_chkpwd_t;
')
nis_authenticate(system_chkpwd_t)

Then execute
# make -f /usr/share/selinux/devel/Makefile
# semodule -i mynis.pp

Does nis work in enforcing mode?

Comment 4 Andrew John Hughes 2009-01-20 09:32:03 UTC
Yes.

Comment 5 Daniel Walsh 2009-01-20 15:53:40 UTC
Miroslav, can you add this to F9 and F10 policy?

Comment 6 Miroslav Grepl 2009-01-21 12:35:04 UTC
Fixed in selinux-policy-3.5.13-40.fc10.noarch

Comment 7 Miroslav Grepl 2009-08-19 15:27:10 UTC
Closing all bugs that have been in modified for over a month.  Please reopen if
the bug is not actually fixed.