Bug 501107

Summary: AVC when sshd tries to read /root/.k5login
Product: Fedora
Reporter: Enrico Scholz <rh-bugzilla>
Component: selinux-policy
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: 11
CC: dwalsh, jkubin, mgrepl, mmalik, nalin
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2009-11-18 13:09:38 UTC

Description Enrico Scholz 2009-05-16 12:12:24 UTC
Description of problem:

When SSH is configured for GSSAPIAuthentication, login fails due to

| type=1400 audit(1242475854.460:1685): avc:  denied  { read } for  pid=2881 comm="sshd" name=".k5login" dev=sda1 ino=93471 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=file
| type=1400 audit(1242475854.462:1686): avc:  denied  { open } for  pid=2881 comm="sshd" name=".k5login" dev=sda1 ino=93471 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=file
| type=1400 audit(1242475854.463:1687): avc:  denied  { getattr } for  pid=2881 comm="sshd" path="/root/.k5login" dev=sda1 ino=93471 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=file

AVCs.  Reading ~/.k5login is required for this kind of operation.


Version-Release number of selected component (if applicable):

selinux-policy-targeted-3.6.12-34.fc11.noarch
openssh-server-5.2p1-2.fc11.x86_64
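
Added example (not part of the bug report): a small Python parser for kernel AVC records like the three quoted above. It pulls out the source and target types, object class and permissions, groups the denials, and renders the allow rule that audit2allow would print for them. The sample input is the report's own three lines, embedded as constructed data; the regexes and function names are this example's, not anything from the selinux-policy project.

```python
import re

# Constructed sample input: the three AVC records quoted in the bug report.
SAMPLE_AUDIT_LINES = """\
type=1400 audit(1242475854.460:1685): avc:  denied  { read } for  pid=2881 comm="sshd" name=".k5login" dev=sda1 ino=93471 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=file
type=1400 audit(1242475854.462:1686): avc:  denied  { open } for  pid=2881 comm="sshd" name=".k5login" dev=sda1 ino=93471 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=file
type=1400 audit(1242475854.463:1687): avc:  denied  { getattr } for  pid=2881 comm="sshd" path="/root/.k5login" dev=sda1 ino=93471 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=file
"""

# Header of a kernel AVC record (type=1400 in raw audit.log, type=AVC in ausearch output).
AVC_RE = re.compile(
    r'type=(?:1400|AVC) audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<decision>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)$'
)
# key=value pairs after "for"; values may be quoted (comm, name, path).
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC record into a dict, or return None for any other line."""
    m = AVC_RE.match(line.strip())
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    rec['timestamp'] = float(m.group('ts'))
    rec['serial'] = int(m.group('serial'))
    rec['decision'] = m.group('decision')
    rec['perms'] = m.group('perms').split()
    # A context is user:role:type[:range]; the type is what policy rules are written against.
    rec['stype'] = rec['scontext'].split(':')[2]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    return rec


def summarize_denials(text):
    """Group denials by (source type, target type, class); collect perms and objects."""
    summary = {}
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec['decision'] != 'denied':
            continue
        key = (rec['stype'], rec['ttype'], rec['tclass'])
        entry = summary.setdefault(key, {'perms': set(), 'objects': set(), 'comms': set()})
        entry['perms'].update(rec['perms'])
        # The getattr record carries the full path; read/open usually only the basename.
        entry['objects'].add(rec.get('path') or rec.get('name'))
        entry['comms'].add(rec.get('comm'))
    return summary


def to_allow_rules(summary):
    """Render the naive allow rule (what audit2allow would emit) for each group."""
    return [
        f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(info['perms']))} }};"
        for (stype, ttype, tclass), info in sorted(summary.items())
    ]


if __name__ == '__main__':
    summary = summarize_denials(SAMPLE_AUDIT_LINES)
    for (stype, ttype, tclass), info in summary.items():
        print(f"{stype} -> {ttype}:{tclass} perms={sorted(info['perms'])} "
              f"objects={sorted(info['objects'])} comm={sorted(info['comms'])}")
    for rule in to_allow_rules(summary):
        print(rule)
```

The rendered rule, `allow sshd_t admin_home_t:file { getattr open read };`, is exactly what the maintainers did not ship: it would let sshd read every file labelled admin_home_t, i.e. all of /root, when the only object that needs reading is .k5login. Seeing the target type next to the object in the summary is what points at the narrower fix discussed in the comments, giving that one file its own label and allowing sshd to read only that.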

Comment 1 Daniel Walsh 2009-05-16 12:26:16 UTC
Try this 

chcon -t krb5_conf_t /root/.k5login

I am thinking of adding

HOME_DIR/\.k5login		--	gen_context(system_u:object_r:krb5_conf_t,s0)
/root/\.k5login			--	gen_context(system_u:object_r:krb5_conf_t,s0)

Or adding a new type for kerberos.

Nalin what do you think?

krb5_home_t?
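
Added example (not from the bug report or the selinux-policy project): a minimal Python matcher for file_contexts entries, fed the two lines proposed in comment 1 verbatim, to show how they override the inherited /root label for that one regular file. The baseline entries for /root and HOME_DIR, the home-directory list, and the "last matching entry wins" rule are this example's simplifying assumptions about setfiles/matchpathcon behaviour; the comment-1 entries use krb5_conf_t, and the matching works the same for the dedicated krb5_home_t type that the final fix in comment 4 introduced.

```python
import re

# Constructed input: the two entries proposed in comment 1, copied verbatim (tabs and all).
PROPOSED_FILE_CONTEXTS = r"""
HOME_DIR/\.k5login		--	gen_context(system_u:object_r:krb5_conf_t,s0)
/root/\.k5login			--	gen_context(system_u:object_r:krb5_conf_t,s0)
"""

# Assumed baseline, simplified from the targeted policy, so the override is visible:
# without the new entries /root/.k5login inherits admin_home_t, as the AVCs in the report show.
BASELINE_FILE_CONTEXTS = r"""
/root(/.*)?		gen_context(system_u:object_r:admin_home_t,s0)
HOME_DIR(/.*)?		gen_context(system_u:object_r:user_home_t,s0)
"""

# Constructed list of home directories; the real policy build derives it from /etc/passwd.
HOME_DIRS = ['/home/enrico']

# <regex> [<file type>] <context>; file type "--" = regular file, "-d" = dir, "-l" = symlink, ...
ENTRY_RE = re.compile(r'^(?P<regex>\S+)\s+(?:(?P<ftype>-[-bcdlps])\s+)?(?P<ctx>\S+)$')
GEN_CONTEXT_RE = re.compile(r'^gen_context\((?P<ctx>[^,]+),(?P<mls>[^)]+)\)$')
FTYPE_TO_CLASS = {'--': 'file', '-d': 'dir', '-l': 'lnk_file', '-b': 'blk_file',
                  '-c': 'chr_file', '-p': 'fifo_file', '-s': 'sock_file'}


def expand_context(spec):
    """gen_context(user:role:type,mls) is the policy-source form; installed files carry user:role:type:mls."""
    m = GEN_CONTEXT_RE.match(spec)
    return f"{m.group('ctx')}:{m.group('mls')}" if m else spec


def parse_file_contexts(text, home_dirs):
    """Return [(compiled regex, object class or None, context)] in file order."""
    entries = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m is None:
            raise ValueError(f'malformed file_contexts entry: {raw!r}')
        obj_class = FTYPE_TO_CLASS[m.group('ftype')] if m.group('ftype') else None
        ctx = expand_context(m.group('ctx'))
        regex = m.group('regex')
        # HOME_DIR is a template: one concrete entry per home directory (never /root).
        if 'HOME_DIR' in regex:
            variants = [regex.replace('HOME_DIR', re.escape(h)) for h in home_dirs]
        else:
            variants = [regex]
        for r in variants:
            entries.append((re.compile(r + '$'), obj_class, ctx))
    return entries


def lookup(entries, path, obj_class='file'):
    """Context for path: entries are tried in order and the last match wins (assumed setfiles rule)."""
    result = None
    for rx, entry_class, ctx in entries:
        if entry_class is not None and entry_class != obj_class:
            continue
        if rx.match(path):
            result = ctx
    return result


if __name__ == '__main__':
    entries = parse_file_contexts(BASELINE_FILE_CONTEXTS + PROPOSED_FILE_CONTEXTS, HOME_DIRS)
    for p in ['/root/.k5login', '/home/enrico/.k5login', '/root/.bashrc']:
        print(f'{p}: {lookup(entries, p)}')
```

Note the `--` field: a directory called .k5login would still get admin_home_t, so the new label is scoped to the one regular file sshd needs. On a live system the equivalent of the chcon workaround that survives a relabel is a local file-context rule (`semanage fcontext -a -t krb5_conf_t '/root/\.k5login'`) followed by `restorecon -v /root/.k5login`; `ls -Z /root/.k5login` confirms the result.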

Comment 2 Enrico Scholz 2009-05-16 13:07:28 UTC
I can login after doing the 'chcon'.

Btw, ~/.rhosts should be handled in a similar way.

Comment 3 Nalin Dahyabhai 2009-05-18 16:38:21 UTC
(In reply to comment #1)
> Try this 
> 
> chcon -t krb5_conf_t /root/.k5login
> 
> I am thinking of adding
> 
> HOME_DIR/\.k5login  -- gen_context(system_u:object_r:krb5_conf_t,s0)
> /root/\.k5login   -- gen_context(system_u:object_r:krb5_conf_t,s0)
> 
> Or adding a new type for kerberos.
> 
> Nalin what do you think?

Marking ~/.k5login as readable (not writable, there's no need for that) by sshd sounds right to me.  I like krb5_conf_t because it's already established that everybody can read that, but another label with that effect is fine, too.

If we want to lock it down tighter later, we'll have to enumerate the confined daemons like ftpd and telnetd that also need to read the file, and we'll have to figure out what to do with ksu.

Comment 4 Daniel Walsh 2009-05-18 17:02:26 UTC
I am adding krb5_home_t and rlogind_home_t to label these files.

Then I am allowing sshd, rlogind_t, rcpd_t, rshd_t to read them.

Fixed in selinux-policy-3.6.12-38.fc11

Comment 5 Bug Zapper 2009-06-09 15:55:31 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 11 development cycle.
Changing version to '11'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping