| Summary: | squid: denials for squid_kerb_auth when using kerberos authentication | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Miroslav Vadkerti <mvadkert> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | Karel Srot <ksrot> |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | 6.1 | CC: | dwalsh, ksrot, mgrepl, mmalik, nalin, plyons, prc, zmraz |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | selinux-policy-3.7.19-86.el6 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2011-05-19 12:27:42 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Mirek,
could you test it with the following local policy
policy_module(mysquid, 1.0)
require{
type squid_t;
}
userdom_manage_user_tmp_dirs(squid_t)
userdom_manage_user_tmp_files(squid_t)
userdom_tmp_filetrans_user_tmp(squid_t, { file dir })
Thanks Mirek, with this module there are no more denials :)
# getenforce
Enforcing
# semodule -l | grep squid
mysquid 1.0
squid 1.9.0
# ausearch -ts recent -m avc
<no matches>

Why is squid touching user_tmp_t? Squid should get its own tmp files, and probably not be writing in /tmp in the first place? Is squid reading the krbcc name of users on the same system, or is it requiring users to provide credentials before using squid?

From what I gather on the web, squid_kerb_auth accepts Negotiate authentication from clients attempting to use the proxy, so it would use a replay cache.

Miroslav V, can you change your mysquid policy to:
policy_module(mysquid, 1.0)
require{
type squid_t;
}
kerberos_manage_host_rcache(squid_t)
And try that. Not sure if kerberos_manage_host_rcache will be enough.

I think you might end up needing
allow squid_t tmp_t:dir rw_dir_perms;
which should probably be in the kerberos_manage_host_rcache interface.

I added fixes for this to F15 policy.

Dan, using this module
policy_module(mysquid, 1.2)
require{
type squid_t;
type tmp_t;
}
kerberos_manage_host_rcache(squid_t)
allow squid_t tmp_t:dir rw_dir_perms;
I still see an AVC like this:
----
time->Wed Apr 13 17:12:46 2011
type=SYSCALL msg=audit(1302707566.512:1696): arch=40000003 syscall=10 success=no exit=-13 a0=1d9df98 a1=0 a2=1e416c a3=1da4084 items=0 ppid=11348 pid=11350 auid=0 uid=23 gid=23 euid=23 suid=23 fsuid=23 egid=23 sgid=23 fsgid=23 tty=(none) ses=219 comm="squid_kerb_auth" exe="/usr/lib/squid/squid_kerb_auth" subj=unconfined_u:system_r:squid_t:s0 key=(null)
type=AVC msg=audit(1302707566.512:1696): avc: denied { unlink } for pid=11350 comm="squid_kerb_auth" name="HTTP_23" dev=dm-0 ino=393454 scontext=unconfined_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
Please remove HTTP_23 and then try. The problem is you probably ran squid by hand, creating the bogusly labelled HTTP_23 file.

Dan, I removed the HTTP_23 and have the module from comment 8 loaded, but it still cannot create the file. I had to enable dontaudit rules to see them:
----
time->Thu Apr 14 10:20:08 2011
type=SYSCALL msg=audit(1302769208.789:130): arch=40000003 syscall=5 success=no exit=-13 a0=11559b0 a1=2c1 a2=180 a3=2c1 items=0 ppid=11053 pid=11055 auid=0 uid=23 gid=23 euid=23 suid=23 fsuid=23 egid=23 sgid=23 fsgid=23 tty=(none) ses=1 comm="squid_kerb_auth" exe="/usr/lib/squid/squid_kerb_auth" subj=unconfined_u:system_r:squid_t:s0 key=(null)
type=AVC msg=audit(1302769208.789:130): avc: denied { create } for pid=11055 comm="squid_kerb_auth" name="HTTP_23" scontext=unconfined_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file
----
After putting SELinux into permissive mode I see these AVCs:
time->Thu Apr 14 10:32:23 2011
type=SYSCALL msg=audit(1302769943.042:142): arch=40000003 syscall=5 success=yes exit=3 a0=85e255 a1=8000 a2=1b6 a3=85d4d8 items=0 ppid=11603 pid=11604 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="kadmind" exe="/usr/sbin/kadmind" subj=unconfined_u:system_r:kadmind_t:s0 key=(null)
type=AVC msg=audit(1302769943.042:142): avc: denied { open } for pid=11604 comm="kadmind" name="config" dev=dm-0 ino=914485 scontext=unconfined_u:system_r:kadmind_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
type=AVC msg=audit(1302769943.042:142): avc: denied { read } for pid=11604 comm="kadmind" name="config" dev=dm-0 ino=914485 scontext=unconfined_u:system_r:kadmind_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
----
time->Thu Apr 14 10:32:23 2011
type=SYSCALL msg=audit(1302769943.042:143): arch=40000003 syscall=197 success=yes exit=0 a0=3 a1=bfaebc0c a2=ee6ff4 a3=2870438 items=0 ppid=11603 pid=11604 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="kadmind" exe="/usr/sbin/kadmind" subj=unconfined_u:system_r:kadmind_t:s0 key=(null)
type=AVC msg=audit(1302769943.042:143): avc: denied { getattr } for pid=11604 comm="kadmind" path="/etc/selinux/config" dev=dm-0 ino=914485 scontext=unconfined_u:system_r:kadmind_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
----
time->Thu Apr 14 10:32:23 2011
type=SYSCALL msg=audit(1302769943.612:144): arch=40000003 syscall=102 success=no exit=-22 a0=2 a1=bfaec150 a2=4152cc a3=0 items=0 ppid=11603 pid=11604 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="kadmind" exe="/usr/sbin/kadmind" subj=unconfined_u:system_r:kadmind_t:s0 key=(null)
type=AVC msg=audit(1302769943.612:144): avc: denied { name_bind } for pid=11604 comm="kadmind" src=756 scontext=unconfined_u:system_r:kadmind_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket
----
I'm sorry for the previous post of (looks like) unrelated AVCs. The related AVCs seem to be:
time->Thu Apr 14 10:32:59 2011
type=SYSCALL msg=audit(1302769979.125:149): arch=40000003 syscall=197 success=yes exit=0 a0=3 a1=bf841c1c a2=3ffff4 a3=2ae35f0 items=0 ppid=11730 pid=11732 auid=0 uid=23 gid=23 euid=23 suid=23 fsuid=23 egid=23 sgid=23 fsgid=23 tty=(none) ses=1 comm="squid_kerb_auth" exe="/usr/lib/squid/squid_kerb_auth" subj=unconfined_u:system_r:squid_t:s0 key=(null)
type=AVC msg=audit(1302769979.125:149): avc: denied { getattr } for pid=11732 comm="squid_kerb_auth" path="/etc/selinux/config" dev=dm-0 ino=914485 scontext=unconfined_u:system_r:squid_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
----
time->Thu Apr 14 10:32:59 2011
type=SYSCALL msg=audit(1302769979.518:150): arch=40000003 syscall=5 success=yes exit=3 a0=2ae34f0 a1=2c1 a2=180 a3=2c1 items=0 ppid=11730 pid=11732 auid=0 uid=23 gid=23 euid=23 suid=23 fsuid=23 egid=23 sgid=23 fsgid=23 tty=(none) ses=1 comm="squid_kerb_auth" exe="/usr/lib/squid/squid_kerb_auth" subj=unconfined_u:system_r:squid_t:s0 key=(null)
type=AVC msg=audit(1302769979.518:150): avc: denied { create } for pid=11732 comm="squid_kerb_auth" name="HTTP_23" scontext=unconfined_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file
----
time->Thu Apr 14 10:32:59 2011
type=SYSCALL msg=audit(1302769979.124:148): arch=40000003 syscall=5 success=yes exit=3 a0=183255 a1=8000 a2=1b6 a3=1824d8 items=0 ppid=11730 pid=11732 auid=0 uid=23 gid=23 euid=23 suid=23 fsuid=23 egid=23 sgid=23 fsgid=23 tty=(none) ses=1 comm="squid_kerb_auth" exe="/usr/lib/squid/squid_kerb_auth" subj=unconfined_u:system_r:squid_t:s0 key=(null)
type=AVC msg=audit(1302769979.124:148): avc: denied { open } for pid=11732 comm="squid_kerb_auth" name="config" dev=dm-0 ino=914485 scontext=unconfined_u:system_r:squid_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
type=AVC msg=audit(1302769979.124:148): avc: denied { read } for pid=11732 comm="squid_kerb_auth" name="config" dev=dm-0 ino=914485 scontext=unconfined_u:system_r:squid_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
The allow_kerberos boolean is enabled on my testing machine:
# getsebool allow_kerberos
allow_kerberos --> on
Strange but I cannot reproduce the problems I had in comments 10 and 12 anymore. My test is now passing without denials.
# getenforce
Enforcing
# semodule -l | grep mysquid
mysquid 1.2
# cat ~/selinux/mysquid.te
policy_module(mysquid, 1.2)
require{
type squid_t;
type tmp_t;
}
kerberos_manage_host_rcache(squid_t)
allow squid_t tmp_t:dir rw_dir_perms;
I think this bug is now resolved, thanks everyone!
Miroslav, I think we also need:
/var/tmp/HTTP_23 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)

Fixed in selinux-policy-3.7.19-86.el6

An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.
http://rhn.redhat.com/errata/RHBA-2011-0526.html
Description of problem:
When using squid with kerberos authentication I get these denials:
----
time->Wed Apr 13 04:57:18 2011
type=SYSCALL msg=audit(1302685038.742:66667): arch=c000003e syscall=2 success=yes exit=4 a0=7ff9db38af90 a1=c2 a2=180 a3=7fffda43ae60 items=0 ppid=26728 pid=26730 auid=0 uid=23 gid=23 euid=23 suid=23 fsuid=23 egid=23 sgid=23 fsgid=23 tty=(none) ses=2052 comm="squid_kerb_auth" exe="/usr/lib64/squid/squid_kerb_auth" subj=unconfined_u:system_r:squid_t:s0 key=(null)
type=AVC msg=audit(1302685038.742:66667): avc: denied { create } for pid=26730 comm="squid_kerb_auth" name="krb5_RCRB0OEi" scontext=unconfined_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1302685038.742:66667): avc: denied { add_name } for pid=26730 comm="squid_kerb_auth" name="krb5_RCRB0OEi" scontext=unconfined_u:system_r:squid_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1302685038.742:66667): avc: denied { write } for pid=26730 comm="squid_kerb_auth" name="tmp" dev=dm-0 ino=2752602 scontext=unconfined_u:system_r:squid_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
----
time->Wed Apr 13 04:57:18 2011
type=SYSCALL msg=audit(1302685038.790:66668): arch=c000003e syscall=82 success=yes exit=0 a0=7ff9db38af90 a1=7ff9db386160 a2=7ff9db38b088 a3=7fffda43af90 items=0 ppid=26728 pid=26730 auid=0 uid=23 gid=23 euid=23 suid=23 fsuid=23 egid=23 sgid=23 fsgid=23 tty=(none) ses=2052 comm="squid_kerb_auth" exe="/usr/lib64/squid/squid_kerb_auth" subj=unconfined_u:system_r:squid_t:s0 key=(null)
type=AVC msg=audit(1302685038.790:66668): avc: denied { unlink } for pid=26730 comm="squid_kerb_auth" name="HTTP_23" dev=dm-0 ino=2753259 scontext=unconfined_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
type=AVC msg=audit(1302685038.790:66668): avc: denied { rename } for pid=26730 comm="squid_kerb_auth" name="krb5_RCRB0OEi" dev=dm-0 ino=2754353 scontext=unconfined_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1302685038.790:66668): avc: denied { remove_name } for pid=26730 comm="squid_kerb_auth" name="krb5_RCRB0OEi" dev=dm-0 ino=2754353 scontext=unconfined_u:system_r:squid_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
----

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-82.el6

How reproducible:
100%

Steps to Reproduce:
1. configure squid with kerberos
2. try to connect via curl

Actual results:
squid_kerb_auth denials blocking authentication

Expected results:
no denials

Additional info:
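The denials in the description above are the raw material for the fix the thread converges on: kerberos_manage_host_rcache plus a krb5_host_rcache_t file context for the replay cache, rather than the blanket allow rules that audit2allow would suggest. The following Python is an added example, not code from the bug report or from the selinux-policy package. It parses the AVC records quoted above (embedded as constructed sample input), aggregates them into the allow rules audit2allow would print, renders them as a local module in the mysquid.te style used in the thread, and flags denials where the object name looks like a Kerberos replay cache (the krb5_RC* temporaries and the HTTP_<uid> file) but sits in a generic tmp type, which is the labeling problem Dan points at. The name pattern, the module helper and the wording of the findings are assumptions of the example.

```python
"""Triage the squid_kerb_auth AVCs from this bug: audit2allow-style aggregation
plus a labeling check. Added example, not code from the bug report or selinux-policy."""
import re
import sys
from collections import defaultdict

# Constructed sample input: the AVC records quoted in the bug description above.
SAMPLE_AVCS = """
type=AVC msg=audit(1302685038.742:66667): avc: denied { create } for pid=26730 comm="squid_kerb_auth" name="krb5_RCRB0OEi" scontext=unconfined_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1302685038.742:66667): avc: denied { add_name } for pid=26730 comm="squid_kerb_auth" name="krb5_RCRB0OEi" scontext=unconfined_u:system_r:squid_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1302685038.742:66667): avc: denied { write } for pid=26730 comm="squid_kerb_auth" name="tmp" dev=dm-0 ino=2752602 scontext=unconfined_u:system_r:squid_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1302685038.790:66668): avc: denied { unlink } for pid=26730 comm="squid_kerb_auth" name="HTTP_23" dev=dm-0 ino=2753259 scontext=unconfined_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
type=AVC msg=audit(1302685038.790:66668): avc: denied { rename } for pid=26730 comm="squid_kerb_auth" name="krb5_RCRB0OEi" dev=dm-0 ino=2754353 scontext=unconfined_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1302685038.790:66668): avc: denied { remove_name } for pid=26730 comm="squid_kerb_auth" name="krb5_RCRB0OEi" dev=dm-0 ino=2754353 scontext=unconfined_u:system_r:squid_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
"""

# "avc: denied { perm perm } for key=value key="value" ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Replay-cache names seen in this bug: krb5_RC<random> temporaries and <SERVICE>_<uid>.
# This pattern is an assumption of the example, not something krb5 documents.
RCACHE_NAME_RE = re.compile(r'^(krb5_RC\w+|[A-Za-z][A-Za-z0-9]*_\d+)$')
GENERIC_TMP_TYPES = {'tmp_t', 'user_tmp_t'}


def type_of(context):
    """user:role:type:level -> type (third field of an SELinux context)."""
    return context.split(':')[2]


def parse_avcs(text):
    """Return one dict per AVC line: perms (set), scontext, tcontext, tclass, name, comm."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
        records.append({
            'perms': set(m.group('perms').split()),
            'scontext': fields.get('scontext'),
            'tcontext': fields.get('tcontext'),
            'tclass': fields.get('tclass'),
            'name': fields.get('name'),
            'comm': fields.get('comm'),
        })
    return records


def allow_rules(records):
    """Aggregate denials per (source type, target type, class), as audit2allow does."""
    agg = defaultdict(set)
    for r in records:
        agg[(type_of(r['scontext']), type_of(r['tcontext']), r['tclass'])] |= r['perms']
    return sorted(f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
                  for (s, t, c), p in agg.items())


def render_module(name, version, rules):
    """Wrap allow rules in the policy_module()/require{} skeleton used for mysquid.te."""
    types = set()
    for rule in rules:
        types.update(re.match(r'allow (\S+) (\S+):', rule).groups())
    lines = [f"policy_module({name}, {version})", "require {"]
    lines += [f"\ttype {t};" for t in sorted(types)]
    lines += ["}"] + list(rules)
    return "\n".join(lines) + "\n"


def labeling_findings(records, rcache_type='krb5_host_rcache_t'):
    """Flag file denials on generic tmp types whose name looks like a Kerberos replay cache.
    These call for a file context / type transition to rcache_type, not an allow rule."""
    findings = []
    for r in records:
        ttype = type_of(r['tcontext'])
        if (r['tclass'] == 'file' and ttype in GENERIC_TMP_TYPES
                and RCACHE_NAME_RE.match(r['name'] or '')):
            findings.append(f"{r['name']}: labeled {ttype}, expected {rcache_type} "
                            f"(check file context / filetrans for {type_of(r['scontext'])})")
    return findings


if __name__ == '__main__':
    # Usage: python3 avc_triage.py [ausearch-output-file]; defaults to the sample above.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_AVCS
    recs = parse_avcs(text)
    print(render_module('mysquid', '1.0', allow_rules(recs)))
    for finding in labeling_findings(recs):
        print('LABELING:', finding)
```

On a real host, feed it `ausearch -m avc -ts recent` output. The point of the labeling pass is the one the thread makes: an `allow squid_t user_tmp_t:file unlink;` rule would make the denial go away, but the HTTP_23 file should never have been user_tmp_t in the first place, and the rules the triage prints are only a starting point for deciding between a new permission and a relabel.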