Bug 732757

Summary: Authentication issues while using Kerberos and SELinux in enforcing mode
Product: Red Hat Enterprise Linux 6 Reporter: Pavel Snajdr <psnajdr>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: medium Docs Contact:
Priority: medium    
Version: 6.1CC: dpal, dwalsh, gdeschner, mmalik, nalin, prc, ssorce
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.7.19-108.el6 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-12-06 10:13:23 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Pavel Snajdr 2011-08-23 13:59:06 UTC 
Kerberos Authentication for CUPS web interface is not working when selinux is in enforcing mode.

CUPS package version:
cups-1.4.2-39.el6.x86_64

-------------------------------------
/var/log/cups/error_log:

E [23/Aug/2011:09:14:33 -0400] cupsdAuthorize: pam_authenticate() returned 7 (Authentication failure)!

-------------------------------------
AVC, confirmed to be solving the issue:

type=AVC msg=audit(1314106699.568:97774): avc:  denied  { unlink } for  pid=2553 comm="cupsd" name="host_0" dev=sda3 ino=3663569 scontext=unconfined_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1314106699.568:97774): arch=c000003e syscall=87 success=no exit=-13 a0=7f1ce094a8b0 a1=ffffffff a2=0 a3=10 items=0 ppid=1 pid=2553 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2076 comm="cupsd" exe="/usr/sbin/cupsd" subj=unconfined_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)
type=USER_AUTH msg=audit(1314106701.647:97775): user pid=2553 uid=0 auid=0 ses=2076 subj=unconfined_u:system_r:cupsd_t:s0-s0:c0.c1023 msg='op=PAM:authentication acct="jmontleo" exe="/usr/sbin/cupsd" hostname=10.11.131.75 addr=10.11.131.75 terminal=cups res=failed'

module cupsauth 1.0;

require {
	type user_tmp_t;
	type cupsd_t;
	class file unlink;
}

#============= cupsd_t ==============
allow cupsd_t user_tmp_t:file unlink;
Comment 1 Tim Waugh 2011-08-23 14:04:10 UTC 
Nalin: this seems to be in pam_krb5 -- any idea what's going on here?  Does this allow line look right to you?
Comment 3 Nalin Dahyabhai 2011-08-23 16:11:07 UTC 
Tim, this is cups needing to be able to manipulate Kerberos replay caches, specifically being able to purge expired entries from them.  Dan, is cupsd_t one of the domains that can do that in the upcoming RHEL 6 builds (either directly, or as a user of PAM)?
Comment 4 Daniel Walsh 2011-08-23 19:14:03 UTC 
Miroslav add


optional_policy(`
	kerberos_manage_host_rcache(cupsd_t)
')
Comment 5 Miroslav Grepl 2011-08-24 15:29:01 UTC 
Fixed in selinux-policy-3.7.19-108.el6
Comment 6 Pavel Snajdr 2011-08-25 06:26:12 UTC 
Thanks everyone for such a fast resolution! Greatly appreciated!
Comment 9 errata-xmlrpc 2011-12-06 10:13:23 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1511.html