Bug 1021613 - Incorrect SELinux context on .k5login files
Summary: Incorrect SELinux context on .k5login files
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: OpenShift Online
Classification: Red Hat
Component: Containers
Version: 2.x
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: ---
: ---
Assignee: Miroslav Grepl
QA Contact: libra bugs
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2013-10-21 15:58 UTC by Jordan Liggitt
Modified: 2015-05-14 23:31 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-01-30 00:49:19 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)
setup.sh (1.26 KB, application/x-sh)
2013-10-21 15:58 UTC, Jordan Liggitt 		no flags Details
View All


Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1019756 1 None None None 2021-01-20 06:05:38 UTC

Internal Links: 1019756

Description Jordan Liggitt 2013-10-21 15:58:24 UTC 
Description of problem:
.k5login files under /var/lib/openshift/<GEAR>/ directories have the wrong context, which prevents kerberized ssh from working.

Version-Release number of selected component (if applicable):


How reproducible:
Always


Steps to Reproduce:

1. On a devenv, run the attached setup.sh as root to enable kerberos
 
2. Via the web or rhc, create an application and add a user key of type "krb5-principal" with content "u1@$REALM" (where $REALM is the output of `hostname -f | tr [a-z] [A-Z]` on the devenv)

3. On a devenv, as root:
   kinit u1 (password redhat)
   ssh APP_SSH_URL


Actual results:
Login is denied, and there are errors in the audit log:

# grep avc /var/log/audit/audit.log  | grep k5
type=AVC msg=audit(1382368433.019:39962): avc:  denied  { read } for  pid=29068 comm="sshd" name=".k5login" dev=xvde2 ino=265219 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:openshift_var_lib_t:s0 tclass=file



Expected results:
Login succeeds


Additional info:

User created via useradd:
# restorecon -v /home/foo/.k5login
# ls -Z /home/foo/.k5login
-rw-r--r--. root root unconfined_u:object_r:krb5_home_t:s0 /home/foo/.k5login

User created as a result of an openshift app-create:
# restorecon -v /var/lib/openshift/52653ceeef033bc646000005/.k5login
# ls -Z /var/lib/openshift/52653ceeef033bc646000005/.k5login
-rw-r--r--. root 52653ceeef033bc646000005 unconfined_u:object_r:openshift_var_lib_t:s0 /var/lib/openshift/52653ceeef033bc646000005/.k5login



When I turn off selinux, I can ssh in without issues. Can we update the openshift policy to match the default for .k5login files under the home directory, so sshd works as expected for kerberos?

    File locations

    If /etc/krb5.conf has a k5login_directory set:
        $k5login_directory/$username

    If /etc/krb5.conf does not have a k5login_directory set:
        /var/lib/openshift/$username/.k5login
Comment 1 Jordan Liggitt 2013-10-21 15:58:43 UTC 
Created attachment 814686 [details]
setup.sh
Comment 2 Jordan Liggitt 2013-10-22 13:37:29 UTC 
This test from Dan Walsh allowed the k5login files to be read within gear home directories by sshd


# cat > mysshd.te << _EOF
policy_module(mysshd, 1.0)

gen_require(\`
	type sshd_t;
')
openshift_read_lib_files(sshd_t)
_EOF

# make -f /usr/share/selinux/devel/Makefile

# semodule -i mysshd.pp
Note You need to log in before you can comment on or make changes to this bug.