Bug 748449

Summary: unable to access kerberos tmp file
Product: [Fedora] Fedora Reporter: Marcus Moeller <marcus.moeller>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 17CC: dominick.grift, dwalsh, mgrepl, sandro
Target Milestone: ---Keywords: Reopened
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-05-28 01:19:33 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Marcus Moeller 2011-10-24 14:01:24 UTC 
Got an denial on login via GDM or ssh. The system uses LDAP / Kerberos for authentication/authorization.

type=AVC msg=audit(1319461916.455:122): avc:  denied  { getattr } for  pid=2729 comm="gdm-session-wor" path="/var/tmp/ldapmap1_0" dev=sda6 ino=3147959 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:local_login_tmp_t:s0 tclass=file
type=AVC msg=audit(1319461916.455:123): avc:  denied  { unlink } for  pid=2729 comm="gdm-session-wor" name="ldapmap1_0" dev=sda6 ino=3147959 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:local_login_tmp_t:s0 tclass=file

type=AVC msg=audit(1319463721.173:234): avc:  denied  { getattr } for  pid=4405 comm="sshd" path="/var/tmp/ldapmap1_0" dev=sda6 ino=3147959 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:local_login_tmp_t:s0 tclass=file
type=AVC msg=audit(1319463721.173:235): avc:  denied  { unlink } for  pid=4405 comm="sshd" name="ldapmap1_0" dev=sda6 ino=3147959 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:local_login_tmp_t:s0 tclass=file
Comment 1 Daniel Walsh 2011-10-24 15:55:26 UTC 
Fixed in selinux-policy-3.10.0-48.fc16

chcon -t krb5_host_rcache_t /var/tmp/ldapmap1_0 

Should fix the problem for now.
Comment 2 Marcus Moeller 2012-05-15 14:24:30 UTC 
A user with the user context staff_t cannot do sudo as staff_sudo_t is not allowed to access krb5_host_rcache_t.
Comment 3 Daniel Walsh 2012-05-16 03:40:16 UTC 
mgrepl lets add


optional_policy(`
	kerberos_manage_host_rcache(sudodomain)
	kerberos_read_config(sudodomain)
')
Comment 4 Miroslav Grepl 2012-05-16 12:21:06 UTC 
Fixed in selinux-policy-3.10.0-125.fc17
Comment 5 Fedora Update System 2012-05-17 09:03:45 UTC 
selinux-policy-3.10.0-125.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/FEDORA-2012-7953/selinux-policy-3.10.0-125.fc17
Comment 6 Fedora Update System 2012-05-17 22:57:15 UTC 
Package selinux-policy-3.10.0-125.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-125.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-7953/selinux-policy-3.10.0-125.fc17
then log in and leave karma (feedback).
Comment 7 Sandro Mathys 2012-05-21 08:34:09 UTC 
Could you please also backport this fix to F16?
Comment 8 Miroslav Grepl 2012-05-21 08:41:09 UTC 
(In reply to comment #7)
> Could you please also backport this fix to F16?

Added.
Comment 9 Fedora Update System 2012-05-28 01:19:33 UTC 
selinux-policy-3.10.0-125.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.