Bug 624784

Summary: SSSD: Krb authentications fail when credential cache directory created on per user basis
Product: Red Hat Enterprise Linux 6
Reporter: Jenny Severance <jgalipea>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED CURRENTRELEASE
QA Contact: Milos Malik <mmalik>
Severity: high
Docs Contact:
Priority: urgent
Version: 6.0
CC: antillon.maurizio, dwalsh, grajaiya, jgalipea, mmalik, sgallagh, syeghiay
Target Milestone: rc
Keywords: RHELNAK
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: selinux-policy-3.7.19-40.el6
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-11-10 21:36:28 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 579775

Description Jenny Severance 2010-08-17 19:02:08 UTC
Description of problem:
Configuration for Kerberos authentication includes the ability to set the Kerberos cache directory on a per-user basis.
example:
krb5_ccachedir = /tmp/krb5_cache_%u  (%u = userid)

Each user that logs in gets their own directory created, which is working fine; however, upon authentication the cache file fails to be created and authentication fails with this configuration.

Version-Release number of selected component (if applicable):
sssd-1.3.0-0.2010080418gitd317aee.fc13.i686

How reproducible:
always

Steps to Reproduce:
1. Example /etc/sssd/sssd.conf

[sssd]
config_file_version = 2
domains = ldap
sbus_timeout = 30
services = nss, pam
debug_level = 9

[nss]
filter_groups = root
filter_users = root

[pam]
reconnection_retries = 3

[domain/ldap]
ldap_search_base = dc=example,dc=com
id_provider = ldap
debug_level = 9
min_id = 1000
ldap_uri = ldaps://sssd-rhds.idm.lab.bos.redhat.com:636
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_tls_cacert = /etc/openldap/cacerts/cacert.asc
enumerate = True

auth_provider = krb5
krb5_kdcip = wiki.idm.lab.bos.redhat.com
krb5_realm = EXAMPLE.COM
chpass_provider = krb5
cache_credentials = True
krb5_ccachedir = /tmp/krb5_cache_%u
krb5_ccname_template = FILE:%d/krb5cc_%u

Actual results:
Authentication fails and no cache file is created.

Expected results:
Successful authentication

Cache file created ...
/tmp/krb5_cache_<userid>/krb5cc_<userid>

Additional info:

Comment 1 Jenny Severance 2010-08-17 19:02:49 UTC
Set SELinux to permissive, and authentication is successful and the cache file is created.

Comment 3 RHEL Program Management 2010-08-17 19:18:10 UTC
This issue has been proposed when we are only considering blocker
issues in the current Red Hat Enterprise Linux release.

** If you would still like this issue considered for the current
release, ask your support representative to file as a blocker on
your behalf. Otherwise ask that it be considered for the next
Red Hat Enterprise Linux release. **

Comment 4 Stephen Gallagher 2010-08-17 19:20:12 UTC
Summary:

SELinux is preventing /usr/libexec/sssd/sssd_be "chown" access.

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux denied access requested by sssd_be. It is not expected that this access
is required by sssd_be and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                unconfined_u:system_r:sssd_t:s0
Target Context                unconfined_u:system_r:sssd_t:s0
Target Objects                None [ capability ]
Source                        sssd_be
Source Path                   /usr/libexec/sssd/sssd_be
Port                          <Unknown>
Host                          sgallagh.bos.redhat.com
Source RPM Packages           sssd-1.3.90-0.fc13
Target RPM Packages           
Policy RPM                    selinux-policy-3.7.19-47.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     sgallagh.bos.redhat.com
Platform                      Linux sgallagh.bos.redhat.com
                              2.6.33.6-147.2.4.fc13.x86_64 #1 SMP Fri Jul 23
                              17:14:44 UTC 2010 x86_64 x86_64
Alert Count                   1
First Seen                    Tue 17 Aug 2010 02:08:04 PM EDT
Last Seen                     Tue 17 Aug 2010 02:08:04 PM EDT
Local ID                      e9a5e9ea-8c77-4be3-9306-3af6f1c1a95b
Line Numbers                  

Raw Audit Messages            

node=sgallagh.bos.redhat.com type=AVC msg=audit(1282068484.991:29227): avc:  denied  { chown } for  pid=2285 comm="sssd_be" capability=0  scontext=unconfined_u:system_r:sssd_t:s0 tcontext=unconfined_u:system_r:sssd_t:s0 tclass=capability

node=sgallagh.bos.redhat.com type=SYSCALL msg=audit(1282068484.991:29227): arch=c000003e syscall=92 success=yes exit=0 a0=19af1b0 a1=32f1 a2=32f1 a3=69 items=0 ppid=2283 pid=2285 auid=13041 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="sssd_be" exe="/usr/libexec/sssd/sssd_be" subj=unconfined_u:system_r:sssd_t:s0 key=(null)

Comment 5 Daniel Walsh 2010-08-18 11:06:32 UTC
Miroslav, add

allow sssd_t self:capability { chown dac_read_search dac_override kill sys_nice setgid setuid };

Stephen, do you think you need any other capabilities?
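
Added example (an editorial addition, not a comment from this thread and not SSSD or selinux-policy code): the raw audit records pasted in comment 4 are the input from which the allow rule in comment 5 is derived, so the script below does that derivation the way `audit2allow -M` does it. It parses AVC records, joins each one to its SYSCALL record by audit serial, decodes `arch=c000003e syscall=92` to chown(2), merges denials into `allow` rules (turning a target type equal to the source type into `self`), emits a complete .te module, and flags denials whose syscall still reported `success=yes`, which is how you can tell from the log alone that the box was in permissive mode. The two records in `SAMPLE_AUDIT` are copied from comment 4; the third record (a `dac_override` denial, serial 29228), the module name `sssd_ccache_local` and the small syscall table are assumptions made for the example.

```python
"""Turn raw AVC records into SELinux allow rules and a loadable
type-enforcement (.te) module, roughly what `audit2allow -M` does.
Added example, not SSSD or selinux-policy code.  First two records are
copied from comment 4; the third (serial 29228) is constructed."""
import re
from collections import defaultdict

SAMPLE_AUDIT = """\
node=sgallagh.bos.redhat.com type=AVC msg=audit(1282068484.991:29227): avc:  denied  { chown } for  pid=2285 comm="sssd_be" capability=0  scontext=unconfined_u:system_r:sssd_t:s0 tcontext=unconfined_u:system_r:sssd_t:s0 tclass=capability
node=sgallagh.bos.redhat.com type=SYSCALL msg=audit(1282068484.991:29227): arch=c000003e syscall=92 success=yes exit=0 a0=19af1b0 a1=32f1 a2=32f1 a3=69 items=0 ppid=2283 pid=2285 auid=13041 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="sssd_be" exe="/usr/libexec/sssd/sssd_be" subj=unconfined_u:system_r:sssd_t:s0 key=(null)
type=AVC msg=audit(1282068485.001:29228): avc:  denied  { dac_override } for  pid=2285 comm="sssd_be" capability=1  scontext=unconfined_u:system_r:sssd_t:s0 tcontext=unconfined_u:system_r:sssd_t:s0 tclass=capability
"""

AVC_RE = re.compile(r'type=AVC msg=audit\([\d.]+:(?P<serial>\d+)\): avc:\s+'
                    r'(?P<verdict>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)$')
SYSCALL_RE = re.compile(r'type=SYSCALL msg=audit\([\d.]+:(?P<serial>\d+)\): (?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumed subset of x86_64 (arch=c000003e) syscall numbers seen around
# credential-cache creation; 92 is the chown in the record from comment 4.
X86_64_SYSCALLS = {2: 'open', 83: 'mkdir', 85: 'creat', 90: 'chmod',
                   91: 'fchmod', 92: 'chown', 93: 'fchown', 94: 'lchown'}

def _kv(rest):
    return {k: v.strip('"') for k, v in KV_RE.findall(rest)}

def _type_of(ctx):
    return ctx.split(':')[2]          # user:role:type:level -> type

def parse_avc(lines):
    """One dict per AVC record: serial, verdict, perms, source/target type, class."""
    events = []
    for line in lines:
        m = AVC_RE.search(line)
        if not m:
            continue
        f = _kv(m.group('rest'))
        events.append({'serial': m.group('serial'),
                       'denied': m.group('verdict') == 'denied',
                       'perms': set(m.group('perms').split()),
                       'stype': _type_of(f['scontext']),
                       'ttype': _type_of(f['tcontext']),
                       'tclass': f['tclass']})
    return events

def parse_syscalls(lines):
    """SYSCALL records keyed by audit serial, so they can be joined to the AVC."""
    return {m.group('serial'): _kv(m.group('rest'))
            for m in map(SYSCALL_RE.search, lines) if m}

def syscall_name(rec):
    if rec.get('arch') != 'c000003e':
        return 'unknown'
    return X86_64_SYSCALLS.get(int(rec['syscall']), 'unknown')

def rules_from_avc(events):
    """Merge denials into {(source_type, target_type or 'self', class): perms}."""
    rules = defaultdict(set)
    for e in events:
        if e['denied']:
            target = 'self' if e['ttype'] == e['stype'] else e['ttype']
            rules[(e['stype'], target, e['tclass'])] |= e['perms']
    return dict(rules)

def _perm_set(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'

def format_rules(rules):
    return [f'allow {s} {t}:{c} {_perm_set(p)};' for (s, t, c), p in sorted(rules.items())]

def te_module(name, rules):
    """A complete .te source: module header, require block, allow rules."""
    types, classes = set(), defaultdict(set)
    for (s, t, c), p in rules.items():
        types.update({s} if t == 'self' else {s, t})
        classes[c] |= p
    out = [f'module {name} 1.0;', '', 'require {']
    out += [f'\ttype {t};' for t in sorted(types)]
    out += [f'\tclass {c} {_perm_set(p)};' for c, p in sorted(classes.items())]
    out += ['}', ''] + format_rules(rules)
    return '\n'.join(out) + '\n'

def permissive_only(events, syscalls):
    """Serials of denials whose syscall still reported success=yes: the kernel
    logged the AVC but let the call through, i.e. permissive mode, which is
    how the record in comment 4 was captured."""
    return [e['serial'] for e in events
            if e['denied'] and syscalls.get(e['serial'], {}).get('success') == 'yes']

if __name__ == '__main__':
    lines = SAMPLE_AUDIT.splitlines()
    events, syscalls = parse_avc(lines), parse_syscalls(lines)
    print(te_module('sssd_ccache_local', rules_from_avc(events)))
    for serial in permissive_only(events, syscalls):
        print(f'# serial {serial}: {syscall_name(syscalls[serial])}() went through anyway (permissive mode)')
```

Running it on the two records actually in comment 4 yields `allow sssd_t self:capability chown;`, which matches comment 7's finding that chown is the only missing capability; the rule in comment 5 grants considerably more than that, so a generated module is something to review, not load blindly. To build and load the emitted .te as a stopgap on a RHEL 6 host: `checkmodule -M -m -o sssd_ccache_local.mod sssd_ccache_local.te`, `semodule_package -o sssd_ccache_local.pp -m sssd_ccache_local.mod`, `semodule -i sssd_ccache_local.pp`, then confirm with `sesearch --allow -s sssd_t -t sssd_t -c capability -p chown`. The stopgap is only needed until selinux-policy-3.7.19-40.el6 or later is installed, and remember that an AVC with `success=yes` proves nothing about enforcing mode: retest with `setenforce 1` before calling it fixed.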

Comment 6 Miroslav Grepl 2010-08-18 11:09:18 UTC
I am adding it.

Comment 7 Stephen Gallagher 2010-08-18 11:58:24 UTC
Confirmed, chown is the only missing capability for this functionality.

Comment 9 Miroslav Grepl 2010-08-18 15:33:05 UTC
Fixed in selinux-policy-3.7.19-40.el6.noarch

Comment 12 releng-rhel@redhat.com 2010-11-10 21:36:28 UTC
Red Hat Enterprise Linux 6.0 is now available and should resolve
the problem described in this bug report. This report is therefore being closed
with a resolution of CURRENTRELEASE. You may reopen this bug report if the
solution does not work for you.