Bug 503061
| Summary: | SELinux is preventing login (local_login_t) "getattr" krb5_host_rcache_t | |||
|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Tim Scofield <twscofi> | |
| Component: | selinux-policy | Assignee: | Daniel Walsh <dwalsh> | |
| Status: | CLOSED RAWHIDE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | |
| Severity: | medium | Docs Contact: | ||
| Priority: | low | |||
| Version: | rawhide | CC: | dwalsh, mgrepl, nalin | |
| Target Milestone: | --- | |||
| Target Release: | --- | |||
| Hardware: | x86_64 | |||
| OS: | Linux | |||
| Whiteboard: | ||||
| Fixed In Version: | Doc Type: | Bug Fix | ||
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 505408 (view as bug list) | Environment: | ||
| Last Closed: | 2009-06-01 20:25:18 UTC | Type: | --- | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
|
Description
Tim Scofield
2009-05-28 15:44:38 UTC
Similar problems with gdm and presumably kdm based logins, and any other window manager that handles logins. Summary: SELinux is preventing gdm-session-wor (xdm_t) "getattr" krb5_host_rcache_t. Detailed Description: SELinux denied access requested by gdm-session-wor. It is not expected that this access is required by gdm-session-wor and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access: You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package. Additional Information: Source Context system_u:system_r:xdm_t:s0-s0:c0.c1023 Target Context system_u:object_r:krb5_host_rcache_t:s0 Target Objects /var/tmp/host_0 [ file ] Source gdm-session-wor Source Path /usr/libexec/gdm-session-worker Port <Unknown> Host hostname.deleted Source RPM Packages gdm-2.26.1-10.fc11 Target RPM Packages Policy RPM selinux-policy-3.6.12-39.fc11 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name catchall Host Name hostname.deleted Platform Linux hostname.deleted 2.6.29.3-155.fc11.x86_64 #1 SMP Wed May 20 17:43:16 EDT 2009 x86_64 x86_64 Alert Count 6 First Seen Thu May 28 08:17:20 2009 Last Seen Thu May 28 10:48:15 2009 Local ID 7a152a38-018e-44ab-ba28-a99542784c07 Line Numbers Raw Audit Messages node=hostname.deleted type=AVC msg=audit(1243529295.299:479): avc: denied { ge tattr } for pid=8947 comm="gdm-session-wor" path="/var/tmp/host_0" dev=dm-0 ino =278520 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object _r:krb5_host_rcache_t:s0 tclass=file node=hostname.deleted type=SYSCALL msg=audit(1243529295.299:479): arch=c000003e syscall=4 success=no exit=-13 a0=17cafe0 a1=7fff77472cb0 a2=7fff77472cb0 a3=10 i tems=0 ppid=8819 pid=8947 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid =0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="gdm-session-wor" exe="/usr/lib exec/gdm-session-worker" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null) Nalin do the login files need more access then just gettattr? Fixed in selinux-policy-3.6.12-44.fc11 (In reply to comment #2) > Nalin do the login files need more access then just gettattr? Most likely, yes. Credential verification uses the same code paths that a networked server uses when acting as the server half of a Kerberos-authenticated session, and part of that function is to use the replay cache. Do they need read or the ability to create the replay cache? Yes, they need to be able to create and read/write the files. Tested selinux-policy-3.6.12-44.fc11 Login/gdm/kdm now work for kerberos authentication. Marked bug as closed/rawhide |