Bug 501107
Summary: | AVC when sshd tries to read /root/.k5login | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Enrico Scholz <rh-bugzilla> |
Component: | selinux-policy | Assignee: | Daniel Walsh <dwalsh> |
Status: | CLOSED CURRENTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | medium | Docs Contact: | |
Priority: | low | ||
Version: | 11 | CC: | dwalsh, jkubin, mgrepl, mmalik, nalin |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2009-11-18 13:09:38 UTC | Type: | --- |
Description
Enrico Scholz
2009-05-16 12:12:24 UTC
Try this

chcon -t krb5_conf_t /root/.k5login

I am thinking of adding

HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_conf_t,s0)
/root/\.k5login -- gen_context(system_u:object_r:krb5_conf_t,s0)

Or adding a new type for kerberos.

Nalin what do you think? krb5_home_t?

I can login after doing the 'chcon'. Btw, ~/.rhosts should be handled in a similar way.

(In reply to comment #1)
> Try this
>
> chcon -t krb5_conf_t /root/.k5login
>
> I am thinking of adding
>
> HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_conf_t,s0)
> /root/\.k5login -- gen_context(system_u:object_r:krb5_conf_t,s0)
>
> Or adding a new type for kerberos.
>
> Nalin what do you think?

Marking ~/.k5login as readable (not writable, there's no need for that) by sshd sounds right to me. I like krb5_conf_t because it's already established that everybody can read that, but another label with that effect is fine, too.

If we want to lock it down tighter later, we'll have to enumerate the confined daemons like ftpd and telnetd that also need to read the file, and we'll have to figure out what to do with ksu.

I am adding krb5_home_t and rlogind_home_t to label these files. Then I am allowing sshd, rlogind_t, rcpd_t rshd_t to read them

Fixed in selinux-policy-3.6.12-38.fc11

This bug appears to have been reported against 'rawhide' during the Fedora 11 development cycle. Changing version to '11'.

More information and reason for this action is here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
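To spot this class of denial in an audit log, the following added example (not part of the bug report or of selinux-policy) scans AVC records for sshd_t being refused access to a `.k5login` file and reports whether the file carries one of the two labels discussed in the thread. The log records are constructed, including the `admin_home_t` target type, and the function names are hypothetical.

```python
import re

# Labels discussed in the thread for ~/.k5login: krb5_conf_t (the chcon
# workaround) and krb5_home_t (the type added by the fix).
EXPECTED_TYPES = {"krb5_conf_t", "krb5_home_t"}

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
    r'comm="(?P<comm>[^"]+)".*?name="(?P<name>[^"]+)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+'
    r'tclass=(?P<tclass>\S+)'
)

def selinux_type(context):
    """Return the type field of a user:role:type[:level] context string."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None

def k5login_denials(lines):
    """Return one finding per AVC denial where sshd_t was refused .k5login."""
    findings = []
    for line in lines:
        m = AVC_RE.search(line)
        if not m or m["name"] != ".k5login" or m["tclass"] != "file":
            continue
        if selinux_type(m["scontext"]) != "sshd_t":
            continue
        target = selinux_type(m["tcontext"])
        findings.append({
            "perms": m["perms"].split(),
            "target_type": target,
            # True: relabel the file; False: label is fine, policy lacks the rule
            "mislabeled": target not in EXPECTED_TYPES,
        })
    return findings

# Constructed sample records (not taken from the bug report).
SAMPLE_LOG = [
    'type=AVC msg=audit(1242475944.101:412): avc:  denied  { read } for  pid=2310 comm="sshd" name=".k5login" dev=dm-0 ino=98311 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=file',
    'type=AVC msg=audit(1242475950.220:413): avc:  denied  { getattr } for  pid=2310 comm="sshd" name="notes.txt" dev=dm-0 ino=98320 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=file',
    'type=AVC msg=audit(1242475961.007:414): avc:  denied  { read } for  pid=2401 comm="vsftpd" name=".k5login" dev=dm-0 ino=98311 scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file',
    'type=USER_AUTH msg=audit(1242475970.000:415): unrelated record',
]

if __name__ == "__main__":
    for finding in k5login_denials(SAMPLE_LOG):
        print(finding)
```

A finding with `mislabeled` set to false means the file already has an expected label and the remaining denial points at the loaded policy version instead.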