Bug 856880

Summary: policy needs to allow pam_krb5 to create /run/user/$UID from inside of a login process
Product: [Fedora] Fedora
Reporter: Nalin Dahyabhai <nalin>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 18
CC: dominick.grift, dwalsh, john.florian, mgrepl, plautrba
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2012-12-20 10:41:36 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Bug Blocks: 833026

Description Nalin Dahyabhai 2012-09-12 23:11:38 EDT
In order to satisfy http://fedoraproject.org/wiki/Features/KRB5CacheMove, as noted in bug #833026, I had to teach pam_krb5 to create /run/user/$UID, when needed, before pam_systemd is called and can tell systemd to do it.  Currently, the additional permissions needed appear to be:

time->Wed Sep 12 21:45:38 2012
type=SYSCALL msg=audit(1347500738.908:120): arch=c000003e syscall=83 success=no exit=-13 a0=7fff5f6f16e0 a1=1c0 a2=9d4 a3=65726373662f7274 items=0 ppid=1 pid=15374 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty2 ses=4294967295 comm="login" exe="/usr/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1347500738.908:120): avc:  denied  { create } for  pid=15374 comm="login" name="2510" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_tmp_t:s0 tclass=dir
----
time->Wed Sep 12 21:59:25 2012
type=SYSCALL msg=audit(1347501565.625:134): arch=c000003e syscall=92 success=no exit=-13 a0=7fff009f5640 a1=9ce a2=9d4 a3=65726373662f7274 items=0 ppid=1 pid=15389 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty2 ses=4294967295 comm="login" exe="/usr/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1347501565.625:134): avc:  denied  { setattr } for  pid=15389 comm="login" name="2510" dev="tmpfs" ino=35715 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_tmp_t:s0 tclass=dir

Apparently these are enabled by the polyinstantiation_enabled boolean, but it looks like we're going to need them even when it isn't enabled.
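As an added illustration (not code from the bug report or from the selinux-policy project), here is a small Python triage helper that does by hand what audit2allow does in practice: it groups the AVC records quoted above by source type, target type and object class and renders the minimal allow rule each group would need, which is the least-privilege baseline to compare a proposed policy interface against. The sample log is constructed from the two AVC records above plus a trimmed SYSCALL record to show that non-AVC lines are skipped.

```python
import re
from collections import defaultdict

# Constructed sample: the two AVC records quoted in the bug report, plus a
# trimmed SYSCALL record to show that non-AVC record types are ignored.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1347500738.908:120): arch=c000003e syscall=83 success=no exit=-13 comm="login" exe="/usr/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1347500738.908:120): avc:  denied  { create } for  pid=15374 comm="login" name="2510" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_tmp_t:s0 tclass=dir
type=AVC msg=audit(1347501565.625:134): avc:  denied  { setattr } for  pid=15389 comm="login" name="2510" dev="tmpfs" ino=35715 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_tmp_t:s0 tclass=dir
"""

# Matches the denied permission set and the security contexts of an AVC record.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)

def context_type(ctx):
    """Return the type field (third colon-separated component) of an SELinux context."""
    return ctx.split(':')[2]

def summarize_denials(log_text):
    """Group denied permissions by (source type, target type, object class).

    Returns a dict {(stype, ttype, tclass): set(perms)}.
    """
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL and other record types carry no denial
        key = (context_type(m['scontext']), context_type(m['tcontext']), m['tclass'])
        denials[key].update(m['perms'].split())
    return dict(denials)

def allow_rules(denials):
    """Render each grouped denial as the minimal allow rule that would cover it."""
    return [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(perms))} }};"
        for (s, t, c), perms in sorted(denials.items())
    ]

if __name__ == "__main__":
    for rule in allow_rules(summarize_denials(SAMPLE_AUDIT_LOG)):
        print(rule)
```

For the two records above this yields a single rule granting only create and setattr on user_tmp_t directories to local_login_t, which is narrower than a full "manage" interface.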
Comment 1 Nalin Dahyabhai 2012-09-12 23:12:42 EDT
Please note that this is login, but I expect that similar access will need to be granted to the various graphical desktop managers, sshd, and such.
Comment 2 Miroslav Grepl 2012-09-14 03:12:45 EDT
Yes, basically we allow managing user tmp files without the boolean. So I added the following fix:

--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -206,6 +206,7 @@ interface(`auth_login_pgm_domain',`
        userdom_delete_user_tmp_files($1)
        userdom_search_admin_dir($1)
        userdom_stream_connect($1)
+       userdom_manage_user_tmp_dirs($1)
        userdom_manage_user_tmp_files($1)
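Review bot: the added `userdom_manage_user_tmp_dirs($1)` grants the full manage permission set on user_tmp_t directories to every domain that uses auth_login_pgm_domain (per the seinfo output below: xdm_t, local_login_t, rshd_t, sshd_t, remote_login_t, rlogind_t), whereas the AVCs in the report only show { create } and { setattr } being denied for local_login_t; if userdom offers a narrower interface covering just create/setattr, that would keep the grant closer to what pam_krb5 actually needs, otherwise the commit message should state why full management of user tmp dirs is acceptable for all login programs. Also, the hunk header announces 7 new lines but only 5 are shown, so the trailing context lines appear to have been cut off in the paste.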


The change will affect the following domains:

# seinfo -xapolydomain
   polydomain
      xdm_t
      local_login_t
      rshd_t
      sshd_t
      remote_login_t
      rlogind_t
Comment 3 Fedora Update System 2012-09-17 09:01:18 EDT
selinux-policy-3.11.1-21.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-21.fc18
Comment 4 Fedora Update System 2012-09-17 16:38:27 EDT
Package selinux-policy-3.11.1-21.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-21.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-14225/selinux-policy-3.11.1-21.fc18
then log in and leave karma (feedback).
Comment 5 Fedora Update System 2012-09-26 00:51:52 EDT
selinux-policy-3.11.1-25.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-25.fc18
Comment 6 Fedora Update System 2012-12-20 10:41:44 EST
selinux-policy-3.11.1-21.fc18 has been pushed to the Fedora 18 obsolete repository.  If problems still persist, please make note of it in this bug report.