Bug 684451

Summary: SELinux is preventing /usr/kerberos/sbin/login.krb5 from read, write access on the file krb5cc_p32165.
Product: [Fedora] Fedora Reporter: Russell King <rmk>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 14CC: dwalsh, mgrepl, nalin, ssorce
Target Milestone: ---   
Target Release: ---   
Hardware: i386   
OS: Linux   
Whiteboard: setroubleshoot_trace_hash:f7152ffcf5a5f193f151dd4a323f9d6c0c6714a21b5eaa2977f03629b888e5a4
Fixed In Version: selinux-policy-3.9.7-37.fc14 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-03-22 18:52:53 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Russell King 2011-03-12 17:40:57 UTC 
SELinux is preventing /usr/kerberos/sbin/login.krb5 from read, write access on the file krb5cc_p32165.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that login.krb5 should be allowed read write access on the krb5cc_p32165 file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep login.krb5 /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:remote_login_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:user_tmp_t:s0
Target Objects                krb5cc_p32165 [ file ]
Source                        login.krb5
Source Path                   /usr/kerberos/sbin/login.krb5
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           krb5-appl-servers-1.0.1-3.fc14.1
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.7-31.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 2.6.37.3+ #1 SMP Tue
                              Mar 8 20:44:41 GMT 2011 i686 i686
Alert Count                   1
First Seen                    Fri 11 Mar 2011 08:33:57 AM GMT
Last Seen                     Fri 11 Mar 2011 08:33:57 AM GMT
Local ID                      b6dedb78-101d-468e-b6c6-7b3a78bbb35e

Raw Audit Messages
type=AVC msg=audit(1299832437.565:24977): avc:  denied  { read write } for  pid=32165 comm="login.krb5" name="krb5cc_p32165" dev=sda5 ino=9723 scontext=system_u:system_r:remote_login_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file


type=SYSCALL msg=audit(1299832437.565:24977): arch=i386 syscall=open success=no exit=EACCES a0=b9373498 a1=2 a2=bf9f9e28 a3=2 items=0 ppid=32163 pid=32165 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=19 comm=login.krb5 exe=/usr/kerberos/sbin/login.krb5 subj=system_u:system_r:remote_login_t:s0-s0:c0.c1023 key=(null)

Hash: login.krb5,remote_login_t,user_tmp_t,file,read,write

audit2allow

#============= remote_login_t ==============
allow remote_login_t user_tmp_t:file { read write };

audit2allow -R

#============= remote_login_t ==============
allow remote_login_t user_tmp_t:file { read write };
Comment 1 Daniel Walsh 2011-03-14 19:35:02 UTC 
Did the credential cache file get created?

Strange that we do not see an open or create avc here?
Comment 2 Russell King 2011-03-15 21:08:04 UTC 
Upon logging in as 'rmk':

rmk@flint:[~]:<1045> kinit -f
Password for rmk.ORG.UK: 
rmk@flint:[~]:<1046> krsh -f rmk-PC
This rlogin session is encrypting all data transmissions.
Last login: Tue Mar 15 08:45:06 from brick
rmk@rmk-PC:[~]:<755> echo $KRB5CCNAME
FILE:/tmp/krb5cc_p11867
rmk@rmk-PC:[~]:<756> vdir /tmp/krb5cc_p11867 
-rw-------. 1 root root 485 Mar 15 21:05 /tmp/krb5cc_p11867

So yes, it is created, but with root permissions.  This means that the cache can't be used:

rmk@rmk-PC:[~]:<758> kinit -R
kinit: Credentials cache permissions incorrect while renewing credentials
rmk@rmk-PC:[~]:<759> krsh -f flint
rmk@rmk-PC:[~]:<760> krlogin flint

and kerberos utilities silently fail.
Comment 3 Daniel Walsh 2011-03-15 21:36:18 UTC 
Miroslav can you add

userdom_rw_user_tmp_files(remote_login_t)
Comment 4 Miroslav Grepl 2011-03-18 12:35:43 UTC 
Fixed in selinux-policy-3.9.7-34.fc14
Comment 5 Fedora Update System 2011-03-18 15:07:54 UTC 
selinux-policy-3.9.7-34.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-34.fc14
Comment 6 Fedora Update System 2011-03-21 08:45:50 UTC 
selinux-policy-3.9.7-37.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-37.fc14
Comment 7 Fedora Update System 2011-03-22 18:51:27 UTC 
selinux-policy-3.9.7-37.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.