Bug 1021613 - Incorrect SELinux context on .k5login files
Incorrect SELinux context on .k5login files
Product: OpenShift Online
Classification: Red Hat
Component: Containers (Show other bugs)
Unspecified Unspecified
medium Severity medium
: ---
: ---
Assigned To: Miroslav Grepl
libra bugs
: UpcomingRelease
Depends On:
  Show dependency treegraph
Reported: 2013-10-21 11:58 EDT by Jordan Liggitt
Modified: 2015-05-14 19:31 EDT (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2014-01-29 19:49:19 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
setup.sh (1.26 KB, application/x-sh)
2013-10-21 11:58 EDT, Jordan Liggitt
no flags Details

  None (edit)
Description Jordan Liggitt 2013-10-21 11:58:24 EDT
Description of problem:
.k5login files under /var/lib/openshift/<GEAR>/ directories have the wrong context, which prevents kerberized ssh from working.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:

1. On a devenv, run the attached setup.sh as root to enable kerberos
2. Via the web or rhc, create an application and add a user key of type "krb5-principal" with content "u1@$REALM" (where $REALM is the output of `hostname -f | tr [a-z] [A-Z]` on the devenv)

3. On a devenv, as root:
   kinit u1 (password redhat)
   ssh APP_SSH_URL

Actual results:
Login is denied, and there are errors in the audit log:

# grep avc /var/log/audit/audit.log  | grep k5
type=AVC msg=audit(1382368433.019:39962): avc:  denied  { read } for  pid=29068 comm="sshd" name=".k5login" dev=xvde2 ino=265219 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:openshift_var_lib_t:s0 tclass=file

Expected results:
Login succeeds

Additional info:

User created via useradd:
# restorecon -v /home/foo/.k5login
# ls -Z /home/foo/.k5login
-rw-r--r--. root root unconfined_u:object_r:krb5_home_t:s0 /home/foo/.k5login

User created as a result of an openshift app-create:
# restorecon -v /var/lib/openshift/52653ceeef033bc646000005/.k5login
# ls -Z /var/lib/openshift/52653ceeef033bc646000005/.k5login
-rw-r--r--. root 52653ceeef033bc646000005 unconfined_u:object_r:openshift_var_lib_t:s0 /var/lib/openshift/52653ceeef033bc646000005/.k5login

When I turn off selinux, I can ssh in without issues. Can we update the openshift policy to match the default for .k5login files under the home directory, so sshd works as expected for kerberos?

    File locations

    If /etc/krb5.conf has a k5login_directory set:

    If /etc/krb5.conf does not have a k5login_directory set:
Comment 1 Jordan Liggitt 2013-10-21 11:58:43 EDT
Created attachment 814686 [details]
Comment 2 Jordan Liggitt 2013-10-22 09:37:29 EDT
This test from Dan Walsh allowed the k5login files to be read within gear home directories by sshd

# cat > mysshd.te << _EOF
policy_module(mysshd, 1.0)

	type sshd_t;

# make -f /usr/share/selinux/devel/Makefile

# semodule -i mysshd.pp

Note You need to log in before you can comment on or make changes to this bug.