| Summary: | SELinux is preventing /usr/kerberos/sbin/klogind "read" access on .k5login | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Gowrishankar Rajaiyan <grajaiya> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | BaseOS QE Security Team <qe-baseos-security> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 6.1 | CC: | dwalsh, jgalipea, kbanerje, mmalik, sgallagh |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | selinux-policy-3.7.19-80.el6 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2011-05-19 12:26:55 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Description of problem:

SELinux denied access requested by klogind. It is not expected that this access is required by klogind and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-79.el6.noarch

How reproducible:
Always

Steps to Reproduce:
1. Configure SSSD for LDAP id and Krb5 auth.
2. Make sure to set "access_provider = krb5" in sssd.conf. See additional info for relevant domain section.
3. Login as a user.
4. Create empty .k5login.
5. Try authenticating again.

Actual results:
Authentication is successful.

Expected results:
An empty .k5login file should deny all access to this user.

Additional info:

Relevant sssd.conf:

```
[domain/LDAP-KRB5]
id_provider = ldap
ldap_uri = ldaps://sssdldap.redhat.com:636
ldap_search_base = dc=example,dc=com
ldap_tls_reqcert = demand
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_tls_cacert = /etc/openldap/cacerts/cacert.asc
cache_credentials = true
enumerate = false
debug_level = 9
krb5_realm = EXAMPLE.COM
auth_provider = krb5
access_provider = krb5
krb5_kdcip = sssdldap.redhat.com:88
krb5_ccachedir = /tmp/krb5_cache
krb5_ccname_template = FILE:%d/krb5cc_%u
```

```
Source Context                unconfined_u:system_r:rlogind_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:home_root_t:s0
Target Objects                .k5login [ file ]
Source                        klogind
Source Path                   /usr/kerberos/sbin/klogind
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.7.19-79.el6
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     rhel6-1.gsr.pnq.redhat.com
Platform                      Linux rhel6-1.gsr.pnq.redhat.com 2.6.32-122.el6.x86_64 #1 SMP Wed Mar 9 23:54:34 EST 2011 x86_64 x86_64
Alert Count                   2
First Seen                    Thu Mar 24 15:55:32 2011
Last Seen                     Thu Mar 24 15:56:02 2011
Local ID                      76d04883-6f2e-4505-b0d5-c5423a2a0b46
Line Numbers                  162, 163, 220, 221

Raw Audit Messages

type=AVC msg=audit(1300962362.34:27040): avc: denied { read } for pid=23183 comm="klogind" name=".k5login" dev=dm-0 ino=1052335 scontext=unconfined_u:system_r:rlogind_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=file

type=SYSCALL msg=audit(1300962362.34:27040): arch=c000003e syscall=2 success=no exit=-13 a0=7fc5e8ae9350 a1=0 a2=1b6 a3=0 items=0 ppid=22508 pid=23183 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=292 comm="klogind" exe="/usr/kerberos/sbin/klogind" subj=unconfined_u:system_r:rlogind_t:s0-s0:c0.c1023 key=(null)
```

---

restorecon -R -v /home

Looks like you have a labeling problem. .k5login should not be labeled home_root_t.

---

```
[root@rhel6-1 ~]# restorecon -R -v /home
...
restorecon reset /home/puser1 context unconfined_u:object_r:home_root_t:s0->unconfined_u:object_r:user_home_dir_t:s0
restorecon reset /home/puser1/.k5login context unconfined_u:object_r:home_root_t:s0->unconfined_u:object_r:krb5_home_t:s0
restorecon reset /home/puser1/.bash_history context unconfined_u:object_r:home_root_t:s0->unconfined_u:object_r:user_home_t:s0
...
[root@rhel6-1 ~]# ls -alZ /home/puser1/
drwxr-xr-x. puser1 Group1 unconfined_u:object_r:user_home_dir_t:s0 .
drwxr-xr-x. root   root   system_u:object_r:home_root_t:s0 ..
-rw-------. puser1 Group1 unconfined_u:object_r:user_home_t:s0 .bash_history
-rw-r--r--. puser1 Group1 unconfined_u:object_r:krb5_home_t:s0 .k5login
[root@rhel6-1 ~]# !ss
ssh -l puser1 $HOSTNAME
puser1.pnq.redhat.com's password:
Last login: Fri Mar 25 00:36:53 2011 from rhel6-1.gsr.pnq.redhat.com
-bash-4.1$
```

Summary: SELinux is preventing /usr/libexec/sssd/krb5_child "search" access on /home.

Detailed Description: SELinux denied access requested by krb5_child. It is not expected that this access is required by krb5_child and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access: You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385). Please file a bug report.

Additional Information:

```
Source Context                unconfined_u:system_r:sssd_t:s0
Target Context                system_u:object_r:home_root_t:s0
Target Objects                /home [ dir ]
Source                        krb5_child
Source Path                   /usr/libexec/sssd/krb5_child
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           sssd-1.5.1-17.el6
Target RPM Packages           filesystem-2.4.30-2.1.el6
Policy RPM                    selinux-policy-3.7.19-79.el6
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     rhel6-1.gsr.pnq.redhat.com
Platform                      Linux rhel6-1.gsr.pnq.redhat.com 2.6.32-122.el6.x86_64 #1 SMP Wed Mar 9 23:54:34 EST 2011 x86_64 x86_64
Alert Count                   1
First Seen                    Fri Mar 25 00:40:09 2011
Last Seen                     Fri Mar 25 00:40:09 2011
Local ID                      3e0a7e61-b265-448a-ac94-4c4b27626be5
Line Numbers                  7, 8

Raw Audit Messages

type=AVC msg=audit(1300993809.266:27612): avc: denied { search } for pid=24223 comm="krb5_child" name="home" dev=dm-0 ino=1046530 scontext=unconfined_u:system_r:sssd_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir

type=SYSCALL msg=audit(1300993809.266:27612): arch=c000003e syscall=21 success=no exit=-13 a0=232b650 a1=0 a2=0 a3=7fffd46a9490 items=0 ppid=23357 pid=24223 auid=0 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=(none) ses=292 comm="krb5_child" exe="/usr/libexec/sssd/krb5_child" subj=unconfined_u:system_r:sssd_t:s0 key=(null)
```

---

Looks like something new. I take it sssd needs to read the k5login file? What is triggering this?

---

Dan, in SSSD 1.5.x we added support for a Kerberos access provider that honors the .k5login file. So yes, we need to read it if that provider is in use.

---

Any other content sssd needs to read in homedir? What about nfs and cifs homedirs?

---

Are you doing a setfsuid()?

---

Fixed in F15. Miroslav needs to back port F15 sssd.te and kerberos.if.

---

Fixed in selinux-policy-3.7.19-80.el6

---

```
[root@rhel6-1 ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted
[root@rhel6-1 ~]#
[root@rhel6-1 ~]# ls -lZa /home/puser1/
drwxr-xr-x. puser1 Group1 unconfined_u:object_r:user_home_dir_t:s0 .
drwxr-xr-x. root   root   system_u:object_r:home_root_t:s0 ..
-rw-------. puser1 Group1 unconfined_u:object_r:user_home_t:s0 .bash_history
-rw-r--r--. puser1 Group1 unconfined_u:object_r:krb5_home_t:s0 .k5login
[root@rhel6-1 ~]# ssh -l puser1 $HOSTNAME
puser1.pnq.redhat.com's password:
Connection closed by XX.XX.XXX.XX
[root@rhel6-1 ~]# sealert -a /var/log/audit/audit.log
100% done
found 0 alerts in /var/log/audit/audit.log
[root@rhel6-1 ~]# rpm -qi selinux-policy
Name        : selinux-policy               Relocations: (not relocatable)
Version     : 3.7.19                            Vendor: Red Hat, Inc.
Release     : 80.el6                        Build Date: Fri 25 Mar 2011 04:17:33 PM IST
Install Date: Fri 25 Mar 2011 11:27:03 PM IST      Build Host: s390-006.build.bos.redhat.com
Group       : System Environment/Base       Source RPM: selinux-policy-3.7.19-80.el6.src.rpm
Size        : 7868123                          License: GPLv2+
Signature   : (none)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://oss.tresys.com/repos/refpolicy/
Summary     : SELinux policy configuration
Description :
SELinux Reference Policy - modular.
Based off of reference policy: Checked out revision 2.20091117
```

---

An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0526.html
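The triage this thread does by hand, as an added Python example that is not part of the bug report: a file under a home directory carrying home_root_t is a labelling error (the restorecon fix), while a denial on a correctly labelled /home or krb5_home_t object is a policy gap (the selinux-policy fix). It parses the two raw AVC records quoted above plus one constructed record for the relabelled .k5login; the verdict names are my own.

```python
import re

# Two AVC records copied from this bug report, plus one constructed record showing the same
# klogind read after .k5login has been relabelled krb5_home_t (i.e. after restorecon ran).
AUDIT_LINES = [
    'type=AVC msg=audit(1300962362.34:27040): avc: denied { read } for pid=23183 comm="klogind" '
    'name=".k5login" dev=dm-0 ino=1052335 scontext=unconfined_u:system_r:rlogind_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:object_r:home_root_t:s0 tclass=file',
    'type=AVC msg=audit(1300993809.266:27612): avc: denied { search } for pid=24223 comm="krb5_child" '
    'name="home" dev=dm-0 ino=1046530 scontext=unconfined_u:system_r:sssd_t:s0 '
    'tcontext=system_u:object_r:home_root_t:s0 tclass=dir',
    # constructed record: label is now correct, so any denial here is a missing policy rule
    'type=AVC msg=audit(1300999999.000:27700): avc: denied { read } for pid=25000 comm="klogind" '
    'name=".k5login" dev=dm-0 ino=1052335 scontext=unconfined_u:system_r:rlogind_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:object_r:krb5_home_t:s0 tclass=file',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Parse one AVC denial record into a dict; return None for any other audit record type."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {'perms': m.group('perms').split()}
    for key, val in FIELD_RE.findall(m.group('fields')):
        rec[key] = val.strip('"')
    # A context is user:role:type[:range]; policy rules are written against the type field.
    rec['stype'] = rec.get('scontext', '::').split(':')[2]
    rec['ttype'] = rec.get('tcontext', '::').split(':')[2]
    return rec

def classify(rec):
    """Tell a labelling error (fix with restorecon) apart from a genuine policy gap (needs a rule)."""
    if rec['ttype'] == 'home_root_t' and rec.get('tclass') == 'file':
        return 'mislabel'            # home_root_t belongs to /home itself, never to a file in a home dir
    if rec['ttype'] == 'home_root_t' and rec.get('name') == 'home':
        return 'policy-home-search'  # /home is labelled correctly; the domain lacks search on home_root_t
    if rec['ttype'] == 'krb5_home_t':
        return 'policy-krb5-home'    # target label is correct; the domain lacks read on krb5_home_t
    return 'unclassified'

def triage(lines):
    """One dict per AVC denial, carrying comm, source/target types and the verdict."""
    recs = [r for r in map(parse_avc, lines) if r is not None]
    for r in recs:
        r['verdict'] = classify(r)
    return recs
```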