Bug 813870

Ok, we see it again.

Did it happen by default? Or did you setup pam_namespace?

By default.

Daniel did you setup anything special in pam?  Did everything seem to work correctly?

I am using FreeIPA for authentication with OpenAFS.

This error occurs when I ssh into my computer as root.

My /etc/pam.d/password-auth file has additional lines to get AFS tokens automatically:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth       [default=done]      pam_afs_session.so always_aklog debug
auth        required      pam_deny.so

account     required      pam_access.so
account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     optional      pam_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so
session     required      pam_afs_session.so always_aklog debug

Perhaps this is because root is not a FreeIPA or OpenAFS user?

You only get it when you log in as root, but if you log in as a normal user, does everything work. IE do you get your proper tokens?

Sorry, I take that back - I get it as 'normal' users too. But I get a ticket and token and can access AFS OK.

:type=SYSCALL msg=audit(1334764229.337:1297): arch=x86_64 syscall=ioctl
success=yes exit=0 a0=6 a1=40084301 a2=7fff8a339dc0 a3=8 items=0 ppid=1528
pid=30579 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) ses=153 comm=sshd exe=/usr/sbin/sshd
subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)

Actually the syscall is succeeding "success=yes" even though the AVC is generated, so you could safely generate a dontaudit alert for this.  

# grep sys_admin /var/log/audit/audit.log | audit2allow -D -M mysshd
# semodule -i mysshd.pp

I am not sure if this is caused by a problem with our kernel or with the afs kernel module.

*** Bug 835975 has been marked as a duplicate of this bug. ***

Just a "me too". I'm seeing this as well, but on RHEL6, and without using pam_afs_session.

Trond is this happening on an AVS System?

(In reply to comment #10)
> Trond is this happening on an AVS System?

Hm.. I don't know what an AVS system is, so I'm pretty sure that the answer is no :) This is a Dell R720 running web server statistics (Google Urchin) for our site, but I'm not sure if it is in production yet. I've seen this AVC before on other RHEL6 hosts. Tested a few and found one more that has this problem. Also a Dell server, running mysql and some web apps.

Comparing Daniel's /etc/pam.d/password-auth in comment #4 to ours, except for the obvious I can only find one common denominator: pam_sss. I can't tell if that is significant though, I'm not sure what to look for. In my limited testing, this happens consistently on affected servers, for both root (local) and regular users (from SSSD/LDAP).

I'll be happy to perform some (non-desctructive) debugging, but I'll need some guidance on how to proceed.

AFS, sorry.

(In reply to comment #12)
> AFS, sorry.

Nope, Kerberos isn't in the picture at all. These systems use LDAP (rfc2307, not IPA) and SSSD for authentication.

Trond what AVC are you seeing?

Here is the AVC that is generated:

type=AVC msg=audit(1343055966.291:482641): avc:  denied  { sys_admin } for  pid=7134 comm="sshd" capability=21  scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=capability

I'm seeing this on my AFS client (Fedora 19). It happens whenever I log in over SSH. I use sssd (Kerberos) and pam_afs_session. My homedir is in AFS.

Ken are you successfully allowed to login?

(In reply to comment #17)
> Ken are you successfully allowed to login?

Yep, I can still log in via SSH. (I'm using "Enforcing".)

I tested with selinux-policy-targeted-3.11.1-67.fc19 today, and SELinux still logs the AVC denial.

Ok I just checked in a fix for this to allow sshd_t sys_admin privs, Looks like it requests it in a couple of different ways so might as well allow it.  sshd_t is already a really powerful domain.

selinux-policy-3.11.1-69.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-69.fc18

I can confirm that I no longer get the AVC denial in 3.11.1-69.fc19

Could you update karma? Thank you for testing.

Package selinux-policy-3.11.1-69.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-69.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-0147/selinux-policy-3.11.1-69.fc18
then log in and leave karma (feedback).

selinux-policy-3.11.1-71.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-71.fc18

selinux-policy-3.11.1-71.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.