Bug 485988

Summary: SELinux prevents sshd/pam_krb5 from attaching to shared memory segments
Product: [Fedora] Fedora Reporter: Ben Webb <ben>
Component: selinux-policy-targetedAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED CURRENTRELEASE QA Contact: Ben Levenson <benl>
Severity: medium Docs Contact:
Priority: low    
Version: 10   
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-11-18 11:26:52 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Ben Webb 2009-02-17 19:36:29 UTC 
Description of problem:
We have sshd set up on our systems to authenticate against our Kerberos infrastructure (using pam_krb5). So users logging in to our systems will either already have a Kerberos token (in which case they will get in without being prompted for their passphrase again) or they will be prompted for their passphrase which will then be used to get a Kerberos token on the server.

Since F10, we get errors in the logs every time a user logs in with a passphrase. SELinux appears to be preventing sshd from attaching to a shared memory segment. Logins do, however, appear to complete successfully.

Version-Release number of selected component (if applicable):
openssh-server-5.1p1-3.fc10.x86_64
selinux-policy-targeted-3.5.13-44.fc10.noarch
pam_krb5-2.3.2-1.fc10.x86_64


How reproducible:
Always.


Steps to Reproduce:
1. kinit; ssh myserver
2. kdestroy; ssh myserver
  
Actual results:
Successful login to myserver both times - (1) without a passphrase, (2) with a prompt for a passphrase. But with (2) we see the following in /var/log/messages on myserver:
Feb 17 11:15:56 myserver kernel: type=1400 audit(1234898156.978:51): avc:  denied  { read write } for  pid=24208 comm="sshd" path=2F535953563030303030303030202864656C6574656429 dev=tmpfs ino=14385156 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file
Feb 17 11:15:56 myserver kernel: type=1400 audit(1234898156.979:52): avc:  denied  { read write } for  pid=24208 comm="sshd" path=2F535953563030303030303030202864656C6574656429 dev=tmpfs ino=14417924 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file

and in /var/log/secure we see:
Feb 17 11:15:56 myserver sshd[24208]: pam_krb5[24208]: failed to attach to shmem segment 14385156
Feb 17 11:15:56 myserver sshd[24208]: pam_krb5[24208]: error saving v5 credential state to shared memory segment
Feb 17 11:15:56 myserver sshd[24208]: pam_krb5[24208]: failed to attach to shmem segment 14417924
Feb 17 11:15:56 myserver sshd[24208]: pam_krb5[24208]: error saving v4 credential state to shared memory segment

For (1) we don't see either set of errors.


Expected results:
Logging in with a passphrase (2) should work in exactly the same as with a Kerberos token (1), with no errors reported in the system logs.

Additional info:
On other F10 system that has SELinux disabled, we don't see either the AVCs (obviously) or the pam_krb5 shmem errors with either login method.
Comment 1 Miroslav Grepl 2009-02-18 08:39:49 UTC 
Fixed in selinux-policy-3.5.13-45.fc10
Comment 2 Bug Zapper 2009-11-18 11:07:57 UTC 
This message is a reminder that Fedora 10 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 10.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '10'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 10's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 10 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping