Description of problem:
.k5login files under /var/lib/openshift/<GEAR>/ directories have the wrong SELinux context, which prevents kerberized ssh from working.

Version-Release number of selected component (if applicable):

How reproducible:
Always

Steps to Reproduce:
1. On a devenv, run the attached setup.sh as root to enable kerberos
2. Via the web or rhc, create an application and add a user key of type "krb5-principal" with content "u1@$REALM" (where $REALM is the output of `hostname -f | tr [a-z] [A-Z]` on the devenv)
3. On a devenv, as root:
   kinit u1 (password redhat)
   ssh APP_SSH_URL

Actual results:
Login is denied, and there are errors in the audit log:

# grep avc /var/log/audit/audit.log | grep k5
type=AVC msg=audit(1382368433.019:39962): avc: denied { read } for pid=29068 comm="sshd" name=".k5login" dev=xvde2 ino=265219 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:openshift_var_lib_t:s0 tclass=file

Expected results:
Login succeeds

Additional info:
User created via useradd:
# restorecon -v /home/foo/.k5login
# ls -Z /home/foo/.k5login
-rw-r--r--. root root unconfined_u:object_r:krb5_home_t:s0 /home/foo/.k5login

User created as a result of an openshift app-create:
# restorecon -v /var/lib/openshift/52653ceeef033bc646000005/.k5login
# ls -Z /var/lib/openshift/52653ceeef033bc646000005/.k5login
-rw-r--r--. root 52653ceeef033bc646000005 unconfined_u:object_r:openshift_var_lib_t:s0 /var/lib/openshift/52653ceeef033bc646000005/.k5login

When I turn off selinux, I can ssh in without issues. Can we update the openshift policy to match the default for .k5login files under the home directory, so sshd works as expected for kerberos?

File locations:
If /etc/krb5.conf has a k5login_directory set: $k5login_directory/$username
If /etc/krb5.conf does not have a k5login_directory set: /var/lib/openshift/$username/.k5login
Created attachment 814686: setup.sh
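An added audit check, written for this page and not part of the bug report or the OpenShift project: it parses `ls -Z` lines to flag .k5login files that are not labelled krb5_home_t (the type sshd_t is allowed to read) and recognises the exact AVC denial shown in the description. The sample lines are copied from the report above; on a gear host you would feed it the real `ls -Z` and audit.log output instead.

```shell
#!/bin/sh
# Added example, not part of the bug report: audit .k5login labels from
# `ls -Z` output and recognise the AVC denial pattern from the description.

# Print the SELinux type (third field of the context) found on one `ls -Z` line.
k5login_type() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[a-z0-9_]+:[a-z0-9_]+:[a-z0-9_]+_t:/) { split($i, c, ":"); print c[3]; exit }
    }'
}

# 0 if the line is a .k5login file labelled krb5_home_t (readable by sshd_t),
# 1 if it carries another type (e.g. openshift_var_lib_t), 2 if not a .k5login.
k5login_label_ok() {
    case "$1" in *.k5login) ;; *) return 2 ;; esac
    [ "$(k5login_type "$1")" = "krb5_home_t" ]
}

# 0 if an audit line is sshd being denied read on a .k5login labelled
# openshift_var_lib_t, i.e. the denial reported in this bug; 1 otherwise.
avc_is_k5login_denial() {
    case "$1" in
        *"avc: denied"*"{ read }"*'comm="sshd"'*'name=".k5login"'*scontext=*:sshd_t:*tcontext=*:openshift_var_lib_t:*)
            return 0 ;;
    esac
    return 1
}

# Sample lines copied from the report (constructed input for this example).
SAMPLE_OK='-rw-r--r--. root root unconfined_u:object_r:krb5_home_t:s0 /home/foo/.k5login'
SAMPLE_BAD='-rw-r--r--. root 52653ceeef033bc646000005 unconfined_u:object_r:openshift_var_lib_t:s0 /var/lib/openshift/52653ceeef033bc646000005/.k5login'
SAMPLE_AVC='type=AVC msg=audit(1382368433.019:39962): avc: denied { read } for pid=29068 comm="sshd" name=".k5login" dev=xvde2 ino=265219 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:openshift_var_lib_t:s0 tclass=file'

# Stand-alone run. On a gear host, replace the samples with the output of
#   ls -Z /var/lib/openshift/*/.k5login   and   grep avc /var/log/audit/audit.log
for line in "$SAMPLE_OK" "$SAMPLE_BAD"; do
    if k5login_label_ok "$line"; then echo "ok : $line"; else echo "BAD: $line"; fi
done
avc_is_k5login_denial "$SAMPLE_AVC" && echo "AVC: sshd denied read on a gear .k5login"
```

A file flagged BAD confirms the mislabel from the report; relabelling it by hand only lasts until the next restorecon, which is why the report asks for the file context in the OpenShift policy itself to change.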
This test from Dan Walsh allowed the k5login files to be read within gear home directories by sshd:

# cat > mysshd.te << _EOF
policy_module(mysshd, 1.0)
gen_require(\`
    type sshd_t;
')
openshift_read_lib_files(sshd_t)
_EOF
# make -f /usr/share/selinux/devel/Makefile
# semodule -i mysshd.pp