Bug 598646
| Summary: | Targeted policy - Kerberos ticket cache access by winbind, gss is broken. | ||||||
|---|---|---|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 5 | Reporter: | Aleksey Nogin <aleksey> | ||||
| Component: | selinux-policy-targeted | Assignee: | Miroslav Grepl <mgrepl> | ||||
| Status: | CLOSED ERRATA | QA Contact: | BaseOS QE Security Team <qe-baseos-security> | ||||
| Severity: | medium | Docs Contact: | |||||
| Priority: | low | ||||||
| Version: | 5.5 | CC: | dwalsh, gdeschner, jrieden, ksrot, steved | ||||
| Target Milestone: | rc | ||||||
| Target Release: | --- | ||||||
| Hardware: | All | ||||||
| OS: | Linux | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||
| Doc Text: |
When a system was configured to use winbind for authentication using the "winbind refresh tickets = true" configuration option, several issues may have occurred, preventing this configuration from working properly. This update fixes the SELinux rules for winbind, so that the above configuration works as expected.
|
Story Points: | --- | ||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2011-01-13 21:49:47 UTC | Type: | --- | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Attachments: |
|
||||||
I am thinking winbind should be creating user_tmp_t files for kerberos credential cache. I have made this change to Rawhide and if it looks stable we should change RHEL5 and RHEL6 Fixed in selinux-policy-2.4.6-285.el5.noarch
Technical note added. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.
New Contents:
When a system was configured to use winbind for authentication using the "winbind refresh tickets = true" configuration option, several issues may have occurred, preventing this configuration from working properly. This update fixes the SELinux rules for winbind, so that the above configuration works as expected.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on therefore solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2011-0026.html |
Created attachment 418777 [details] sealert outputs for the 4 denials, with comments (prefixed with "#") I am running a system that is setup to use winbind for authentication with "winbind refresh tickets = true". I am seeing the following set of problems (see the attachment for the sealert output): 1) If a ticket is created by kinit, it is labeled tmp_t and winbindd can not access it - the audit2allow output is "allow winbind_t tmp_t:file { read write };". IMHO the access should be allowed, at least when allow_kerberos boolean is on. 2) If a ticket is created by winbind, it is labeled winbind_tmp_t, and then rpc.gssd can not read it - the audit2allow output is "allow gssd_t winbind_tmp_t:file read;". Note - the allow_gssd_read_tmp boolean is on, but as far as I can tell, it only allows access to tmp_t and *not* to winbind_tmp_t. IMHO when allow_gssd_read_tmp boolean is on, the access should be allowed. P.S. Both problems go away if winbind_disable_trans turned on, then new issues appear due to /var/run/winbindd/pipe now being labeled initrc_t: 3) nscd being prohibited from connecting to /var/run/winbindd/pipe. 4) genhomedircon being prohibited from connecting to /var/run/winbindd/pipe. IMHO this is a wrong approach - although may be it could be made work with some changes. As stated above, I believe that the right solution is to allow (at least under appropriate boolean var settings) the first two accesses. An alternative perhaps is to have the kerberos cache files have their own label - this may be a good idea for long-term (and would probably best when combined with moving the Kerberos cache out of /tmp - perhaps they should be in /var/run/krb or something like that), but this is probably too disruptive to introduce into RHEL 5.