Bug 828934

Summary: applications using PAM need to be able to create user_tmp_t files
Product: [Fedora] Fedora
Reporter: Nalin Dahyabhai <nalin>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: rawhide
CC: dominick.grift, dwalsh, mgrepl
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2012-06-22 10:16:06 UTC
Type: Bug

Description Nalin Dahyabhai 2012-06-05 15:13:39 UTC
Description of problem:
https://fedoraproject.org/wiki/Features/KRB5DirCache is going to require pam_krb5 to start creating its credential caches in user_tmp_t locations (usually /run/user/$USER) rather than the current default of tmp_t (/tmp).

Version-Release number of selected component (if applicable):
selinux-policy-3.10.0-128
pam_krb5-2.3.14-1.fc18

How reproducible:
Always

Steps to Reproduce:
1. Update to Raw Hide pam_krb5, or set "ccname_template = FILE:/run/user/%u/krb5cc_XXXXXX" in the "pam" subsection of the [appdefaults] section in /etc/krb5.conf.
2. Try to log in via console login or gdm.

Actual results:
If login succeeds, $KRB5CCNAME will be set wrong, and you'll see these denials in your log:

time->Tue Jun  5 10:32:02 2012
type=PATH msg=audit(1338906722.165:1886): item=1 name="/run/user/nalin/krb5cc_4DEcq3" inode=421181 dev=00:10 mode=0100600 ouid=2510 ogid=2516 rdev=00:00 obj=system_u:object_r:user_tmp_t:s0-s0:c0.c1023
type=PATH msg=audit(1338906722.165:1886): item=0 name="/run/user/nalin/" inode=24368 dev=00:10 mode=040700 ouid=2510 ogid=2516 rdev=00:00 obj=system_u:object_r:user_tmp_t:s0
type=CWD msg=audit(1338906722.165:1886):  cwd="/"
type=SYSCALL msg=audit(1338906722.165:1886): arch=c000003e syscall=2 success=yes exit=4 a0=1795270 a1=2c2 a2=180 a3=6165726373662f72 items=2 ppid=9700 pid=9701 auid=4294967295 uid=2510 gid=2516 euid=2510 suid=2510 fsuid=2510 egid=2516 sgid=2516 fsgid=2516 tty=tty4 ses=4294967295 comm="login" exe="/usr/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1338906722.165:1886): avc:  denied  { create } for  pid=9701 comm="login" name="krb5cc_4DEcq3" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_tmp_t:s0-s0:c0.c1023 tclass=file

time->Tue Jun  5 10:49:17 2012
type=PATH msg=audit(1338907757.230:586): item=0 name="/run/user/nalin/krb5cc_4C9aVb" inode=27491 dev=00:10 mode=040700 ouid=2510 ogid=2516 rdev=00:00 obj=system_u:object_r:user_tmp_t:s0
type=CWD msg=audit(1338907757.230:586):  cwd="/var/gdm"
type=SYSCALL msg=audit(1338907757.230:586): arch=c000003e syscall=2 success=no exit=-13 a0=15923a0 a1=2c2 a2=180 a3=6165726373662f72 items=1 ppid=1507 pid=1867 auid=2510 uid=0 gid=2516 euid=0 suid=0 fsuid=0 egid=2516 sgid=2516 fsgid=2516 tty=(none) ses=2 comm="gdm-session-wor" exe="/usr/libexec/gdm-session-worker" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1338907757.230:586): avc:  denied  { create } for  pid=1867 comm="gdm-session-wor" name="krb5cc_4C9aVb" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_tmp_t:s0-s0:c0.c1023 tclass=file



Expected results:
Login succeeds, $KRB5CCNAME points to a "FILE" or "DIR"-type ccache under $XDG_RUNTIME_DIR, and running "klist" shows that your credentials are correctly stored there.

Additional info:
The "allow_kerberos" boolean is enabled.

Comment 1 Miroslav Grepl 2012-06-22 10:16:06 UTC
Should be fixed in the latest policy.
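
Added example, not part of the original report or of the selinux-policy project: a small triage script that joins each AVC denial quoted in the description to its SYSCALL record by audit event ID and groups the result by source type, target type and class. The sample input is constructed by shortening the records quoted above; the rule lines it renders are candidates for policy review in the shape audit2allow prints, not the change that shipped.

```python
import re
from collections import defaultdict

# Constructed sample: SYSCALL/AVC pairs shortened from the records quoted in the report.
SAMPLE = """\
type=SYSCALL msg=audit(1338906722.165:1886): arch=c000003e syscall=2 success=yes exit=4 comm="login" exe="/usr/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023
type=AVC msg=audit(1338906722.165:1886): avc:  denied  { create } for  pid=9701 comm="login" name="krb5cc_4DEcq3" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_tmp_t:s0-s0:c0.c1023 tclass=file
type=SYSCALL msg=audit(1338907757.230:586): arch=c000003e syscall=2 success=no exit=-13 comm="gdm-session-wor" exe="/usr/libexec/gdm-session-worker" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023
type=AVC msg=audit(1338907757.230:586): avc:  denied  { create } for  pid=1867 comm="gdm-session-wor" name="krb5cc_4C9aVb" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_tmp_t:s0-s0:c0.c1023 tclass=file
"""

EVENT = re.compile(r"msg=audit\(([\d.]+:\d+)\)")
AVC = re.compile(r"avc:\s+denied\s+\{([^}]*)\}.*?scontext=(\S+) tcontext=(\S+) tclass=(\S+)")
SYSCALL = re.compile(r'\bsuccess=(\w+).*?\bexe="([^"]*)"')

def se_type(context):
    """Return the type field of a user:role:type:level security context."""
    return context.split(":")[2]

def summarize(log_text):
    """Group AVC denials by (source type, target type, class), joined to their SYSCALL record."""
    syscalls, denials = {}, []
    for line in log_text.splitlines():
        event = EVENT.search(line)
        if not event:
            continue
        if line.startswith("type=SYSCALL") and (m := SYSCALL.search(line)):
            syscalls[event.group(1)] = m.groups()  # (success, exe)
        elif line.startswith("type=AVC") and (m := AVC.search(line)):
            denials.append((event.group(1), m.groups()))
    summary = defaultdict(lambda: {"perms": set(), "exes": set(), "syscall_success": set()})
    for event_id, (perms, scontext, tcontext, tclass) in denials:
        entry = summary[(se_type(scontext), se_type(tcontext), tclass)]
        entry["perms"].update(perms.split())
        success, exe = syscalls.get(event_id, ("unknown", "unknown"))
        entry["exes"].add(exe)
        entry["syscall_success"].add(success)
    return dict(summary)

def candidate_rules(summary):
    """Render each group as an allow-rule-shaped line for policy review."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(e['perms']))} }};"
            for (s, t, c), e in sorted(summary.items())]

if __name__ == "__main__":
    for rule in candidate_rules(summarize(SAMPLE)):
        print(rule)
```

The grouping makes it visible that two distinct login domains hit the same missing permission on user_tmp_t, and the joined SYSCALL fields show which binary triggered each denial and whether the open call itself succeeded.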