Bug 714960

Summary: SELinux is preventing the krb5_child from using potentially mislabeled files (./.k5login).

| Field | Value | Field | Value |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 5 | Reporter: | Kaushik Banerjee <kbanerje> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | urgent | Docs Contact: | |
| Priority: | urgent | | |
| Version: | 5.7 | CC: | dwalsh, grajaiya, jgalipea, mmalik, sgallagh, syeghiay |
| Target Milestone: | rc | Keywords: | ZStream |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | selinux-policy-2.4.6-316.el5 | Doc Type: | Bug Fix |
| Doc Text: | Previously, SELinux prevented the krb5_child command from running because the .k5login file had the wrong security context. With this update, the bug in the appropriate SELinux policy has been fixed, and krb5_child now works as expected. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2011-07-21 09:18:55 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 720678 | | |
Description (Kaushik Banerjee, 2011-06-21 12:48:59 UTC)

2nd SELinux alert seen with the above test case in permissive mode:

Summary:
SELinux is preventing the krb5_child from using potentially mislabeled files (/home/puser1/.k5login).

Detailed Description:
[SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.]
SELinux has denied krb5_child access to potentially mislabeled file(s) (/home/puser1/.k5login). This means that SELinux will not allow krb5_child to use these files. It is common for users to edit files in their home directory or tmp directories and then move (mv) them to system directories. The problem is that the files end up with the wrong file context which confined applications are not allowed to access.

Allowing Access:
If you want krb5_child to access this files, you need to relabel them using restorecon -v '/home/puser1/.k5login'. You might want to relabel the entire directory using restorecon -R -v '/home/puser1'.

Additional Information:

| Key | Value |
|---|---|
| Source Context | root:system_r:sssd_t |
| Target Context | root:object_r:user_home_t |
| Target Objects | /home/puser1/.k5login [ file ] |
| Source | krb5_child |
| Source Path | /usr/libexec/sssd/krb5_child |
| Port | <Unknown> |
| Host | jetfire.lab.eng.pnq.redhat.com |
| Source RPM Packages | sssd-1.5.1-37.el5 |
| Target RPM Packages | |
| Policy RPM | selinux-policy-2.4.6-312.el5 |
| Selinux Enabled | True |
| Policy Type | targeted |
| MLS Enabled | True |
| Enforcing Mode | Permissive |
| Plugin Name | home_tmp_bad_labels |
| Host Name | jetfire.lab.eng.pnq.redhat.com |
| Platform | Linux jetfire.lab.eng.pnq.redhat.com 2.6.18-268.el5 #1 SMP Tue Jun 14 18:24:50 EDT 2011 x86_64 x86_64 |
| Alert Count | 4 |
| First Seen | Tue Jun 14 12:00:25 2011 |
| Last Seen | Tue Jun 21 17:50:30 2011 |
| Local ID | 49a2b94c-db0d-406b-958a-040aff7866df |
| Line Numbers | |

Raw Audit Messages:

```
host=jetfire.lab.eng.pnq.redhat.com type=AVC msg=audit(1308658830.575:375): avc: denied { getattr } for pid=4100 comm="krb5_child" path="/home/puser1/.k5login" dev=dm-0 ino=550784 scontext=root:system_r:sssd_t:s0 tcontext=root:object_r:user_home_t:s0 tclass=file
host=jetfire.lab.eng.pnq.redhat.com type=SYSCALL msg=audit(1308658830.575:375): arch=c000003e syscall=5 success=yes exit=0 a0=0 a1=7fff2ea7ec10 a2=7fff2ea7ec10 a3=6165726373662f72 items=0 ppid=2669 pid=4100 auid=0 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=(none) ses=1 comm="krb5_child" exe="/usr/libexec/sssd/krb5_child" subj=root:system_r:sssd_t:s0 key=(null)
```

---

restorecon and matchpathcon don't know that ~/.k5login should be labelled krb5_conf_t. Could we add that information to selinux-policy?

---

Kaushik,
what was wrong with

# chcon -t krb5_conf_t /home/puser1/.k5login

were you seeing other avc messages?

---

(In reply to comment #3)
> Kaushik,
> what was wrong with
>
> # chcon -t krb5_conf_t /home/puser1/.k5login
>
> were you seeing other avc messages?

Before this command, only the above 2 alerts were seen. With "chcon -t krb5_conf_t /home/puser1/.k5login" the above mentioned 2 selinux alerts don't appear. However, the test still fails in selinux:enforcing mode with that command, and I don't see any alerts. The test passes in selinux:permissive mode, but again I don't see any alerts.

---

I am going to build a new rhel5 package which will be available in 20 minutes.

---

selinux-policy-2.4.6-314.el5 is done. Could you test it with this build.

https://brewweb.devel.redhat.com/buildinfo?buildID=169394

---

Run your steps to reproduce

2. add user puser1 (home dir set to /home/puser1) to ldap and kerberos
3. > /home/puser1/.k5login (empty file should deny access for puser1)
4. chown puser1 /home/puser1/.k5login
5. restorecon /home/puser1/.k5login
6. # ll -Z /home/puser1/.k5login

.k5login should get the right context. If yes, and it won't work and you won't see any avc msgs in permissive mode then execute

# semodule -DB

and try again.

---

Using selinux-policy-2.4.6-314.el5, the test case passes in selinux:enforcing mode now.

However, I see the following message in /var/log/message:

```
<snip>
Jun 21 22:49:09 jetfire krb5_child: /etc/selinux/targeted/contexts/files/file_contexts: Multiple different specifications for /root/\.k5login (root:object_r:krb5_home_t:s0 and system_u:object_r:krb5_home_t:s0).
Jun 21 22:49:44 jetfire last message repeated 2 times
Jun 21 22:50:46 jetfire last message repeated 2 times
Jun 21 22:51:49 jetfire last message repeated 2 times
Jun 21 22:52:51 jetfire last message repeated 2 times
Jun 21 22:54:21 jetfire last message repeated 3 times
</snip>
```

---

I see it too:

```
Jun 22 02:51:53 auto-i386-002 restorecon: /etc/selinux/targeted/contexts/files/file_contexts: Multiple different specifications for /root/\.k5login (root:object_r:krb5_home_t:s0 and system_u:object_r:krb5_home_t:s0).
```

---

Milos, try it with the latest -315 release.

---

I already did. "multiple different specifications" messages do not appear any more. restorecon and matchpathcon work as expected.

---

This should be labeled krb5_home_t.

---

Using selinux-policy-2.4.6-315.el5, the test passes in selinux:enforcing mode and no more "multiple different specifications" messages are seen.

---

*** Bug 716238 has been marked as a duplicate of this bug. ***

---

Fixed in selinux-policy-2.4.6-316.el5

---

Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
Previously, SELinux prevented the krb5_child command from running because the .k5login file had the wrong security context. With this update, the bug in the appropriate SELinux policy has been fixed, and krb5_child now works as expected.

---

An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-1069.html
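The thread turns on one question: was the .k5login denial a mislabeled file that restorecon fixes, or a label that already matched policy so the policy itself needed a rule? Added example, not part of the bug report or of selinux-policy/sssd: a small shell triage for AVC lines like the one in the description. It parses the fields and compares the target type with a constructed expected-label table that stands in for matchpathcon (not called here); the second sample line is constructed, the first is the report's own.

```shell
#!/usr/bin/env bash
# Added example, not from the bug report. Triage AVC denials: is the file
# mislabeled (restorecon fixes it) or correctly labeled (policy lacks a rule)?

# Sample 1: the AVC line from the report (user_home_t is the wrong type).
SAMPLE_MISLABELED='host=jetfire.lab.eng.pnq.redhat.com type=AVC msg=audit(1308658830.575:375): avc: denied { getattr } for pid=4100 comm="krb5_child" path="/home/puser1/.k5login" dev=dm-0 ino=550784 scontext=root:system_r:sssd_t:s0 tcontext=root:object_r:user_home_t:s0 tclass=file'
# Sample 2: constructed; same denial after the file carries the type policy expects.
SAMPLE_POLICY_GAP='type=AVC msg=audit(1308700000.000:400): avc: denied { read } for pid=4200 comm="krb5_child" path="/home/puser1/.k5login" dev=dm-0 ino=550784 scontext=root:system_r:sssd_t:s0 tcontext=root:object_r:krb5_home_t:s0 tclass=file'

# Value of key=value in an AVC line ($1 = line, $2 = key), quotes stripped.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.* $2=\([^ ]*\).*/\1/p" | tr -d '"'
}

# Constructed stand-in for matchpathcon: the type this report's fixed policy
# assigns (.k5login -> krb5_home_t; ordinary home files -> user_home_t).
expected_type() {
    case "$1" in
        /root/.k5login|/home/*/.k5login) echo krb5_home_t ;;
        /home/*)                         echo user_home_t ;;
        *)                               echo unknown ;;
    esac
}

# MISLABELED: on-disk type differs from the expected one -> relabel.
# POLICY_GAP: label already correct -> the policy itself lacks the rule.
classify_avc() {
    path=$(avc_field "$1" path)
    ttype=$(avc_field "$1" tcontext | cut -d: -f3)
    want=$(expected_type "$path")
    if [ "$want" = unknown ]; then echo UNKNOWN
    elif [ "$want" != "$ttype" ]; then echo MISLABELED
    else echo POLICY_GAP
    fi
}

# One-line report with the remediation an admin would run next.
explain_avc() {
    path=$(avc_field "$1" path); stype=$(avc_field "$1" scontext | cut -d: -f3)
    ttype=$(avc_field "$1" tcontext | cut -d: -f3); kind=$(classify_avc "$1")
    case "$kind" in
        MISLABELED) fix="run: restorecon -v $path (expected $(expected_type "$path"))" ;;
        POLICY_GAP) fix="label is right; needs a policy rule (check dontaudit with semodule -DB)" ;;
        *)          fix="no expectation known for this path" ;;
    esac
    printf '%s %s on %s (%s): %s\n' "$kind" "$stype" "$path" "$ttype" "$fix"
}

explain_avc "$SAMPLE_MISLABELED"
explain_avc "$SAMPLE_POLICY_GAP"
```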