1172291 – Unable to login using smartcard with kerberos user through virtual terminal when selinux in enforcing mode

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1172291 - Unable to login using smartcard with kerberos user through virtual terminal when selinux in enforcing mode

Summary: Unable to login using smartcard with kerberos user through virtual terminal w...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	7.1
Hardware:	Unspecified
OS:	Linux
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Miroslav Grepl
QA Contact:	Milos Malik
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2014-12-09 19:16 UTC by Roshni
Modified:	2015-03-05 10:47 UTC (History)
CC List:	7 users (show)
Fixed In Version:	selinux-policy-3.13.1-15.el7
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2015-03-05 10:47:45 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
/var/log/messages content (6.65 KB, text/plain) 2014-12-09 19:16 UTC, Roshni	no flags	Details
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2015:0458	0	normal	SHIPPED_LIVE	selinux-policy bug fix and enhancement update	2015-03-05 15:17:00 UTC

Description Roshni 2014-12-09 19:16:46 UTC

Created attachment 966436 [details]
/var/log/messages content

Description of problem:
Unable to login using smartcard with kerberos user through virtual terminal when selinux in enforcing mode

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-12.el7

How reproducible:
always

Steps to Reproduce:
1. selinux should be in enforcing mode
2. Go to the virtual terminal mode
3. Insert the smartcard with the kerberos user
4. Provide the smart card username and pin when prompted for.

Actual results:
"System Error" message is shown

Expected results:
login attempt should be successful

Additional info:

/var/log/messages shows messages in the attachement. Does not see this issue in Permissive mode

Comment 2 Roshni 2014-12-09 21:21:27 UTC

Seeing the issue described in comment 1 only on a machine that has been upgraded from RHEL 7.0 to RHEL 7.1. On a machine with a fresh installation of RHEL 7.1 I do not see the issue.

Comment 3 Miroslav Grepl 2014-12-10 07:25:32 UTC

Could you attach raw AVC msgs from /var/log/audit/audit.log?

It looks you also need to run

/sbin/restorecon -v /usr/lib64/security/pam_krb5/pam_krb5_cchelper

Comment 4 Milos Malik 2014-12-10 07:52:03 UTC

# ausearch -m avc -m user_avc -m selinux_err -i -ts today

Comment 5 Roshni 2014-12-10 21:27:34 UTC

Not seeing the issue on machine installed with relaeased RHEL 7.0 and upgraded to RHEL 7.1

Comment 6 Roshni 2014-12-11 19:44:17 UTC

Noticed this again:

SELinux is preventing /usr/lib64/security/pam_krb5/pam_krb5_cchelper from setattr access on the key Unknown.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that pam_krb5_cchelper should be allowed setattr access on the Unknown key by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep pam_krb5_cchelp /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:local_login_t:s0-s0:c0.c1023
Target Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Objects                Unknown [ key ]
Source                        pam_krb5_cchelp
Source Path                   /usr/lib64/security/pam_krb5/pam_krb5_cchelper
Port                          <Unknown>
Host                          dhcp129-48.rdu.redhat.com
Source RPM Packages           pam_krb5-2.4.8-4.el7.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-13.el7.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     dhcp129-48.rdu.redhat.com
Platform                      Linux dhcp129-48.rdu.redhat.com
                              3.10.0-215.el7.x86_64 #1 SMP Mon Dec 8 10:19:09
                              EST 2014 x86_64 x86_64
Alert Count                   8
First Seen                    2014-12-10 15:51:23 EST
Last Seen                     2014-12-11 14:36:58 EST
Local ID                      bdfc1dcb-4469-419f-bed3-b7f79ae13d22

Raw Audit Messages
type=AVC msg=audit(1418326618.26:454): avc:  denied  { setattr } for  pid=5117 comm="pam_krb5_cchelp" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=key


type=SYSCALL msg=audit(1418326618.26:454): arch=x86_64 syscall=keyctl success=no exit=EACCES a0=f a1=2545ed37 a2=1517a a3=0 items=0 ppid=5085 pid=5117 auid=4294967295 uid=1001 gid=1000 euid=1001 suid=1001 fsuid=1001 egid=1000 sgid=1000 fsgid=1000 tty=tty2 ses=4294967295 comm=pam_krb5_cchelp exe=/usr/lib64/security/pam_krb5/pam_krb5_cchelper subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)

Hash: pam_krb5_cchelp,local_login_t,xdm_t,key,setattr


[root@dhcp129-48 ~]# ausearch -m avc -m user_avc -m selinux_err -i -ts today
----
type=SYSCALL msg=audit(12/11/2014 10:22:08.160:398) : arch=x86_64 syscall=keyctl success=no exit=-13(Permission denied) a0=0xf a1=0x14430235 a2=0x1517b a3=0x0 items=0 ppid=3711 pid=3766 auid=unset uid=kdcuser2 gid=rpattath euid=kdcuser2 suid=kdcuser2 fsuid=kdcuser2 egid=rpattath sgid=rpattath fsgid=rpattath tty=tty2 ses=unset comm=pam_krb5_cchelp exe=/usr/lib64/security/pam_krb5/pam_krb5_cchelper subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(12/11/2014 10:22:08.160:398) : avc:  denied  { setattr } for  pid=3766 comm=pam_krb5_cchelp scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=key 
----
type=SYSCALL msg=audit(12/11/2014 10:22:08.161:399) : arch=x86_64 syscall=keyctl success=no exit=-13(Permission denied) a0=0xf a1=0x14430235 a2=0x1517b a3=0x0 items=0 ppid=3711 pid=3766 auid=unset uid=kdcuser2 gid=rpattath euid=kdcuser2 suid=kdcuser2 fsuid=kdcuser2 egid=rpattath sgid=rpattath fsgid=rpattath tty=tty2 ses=unset comm=pam_krb5_cchelp exe=/usr/lib64/security/pam_krb5/pam_krb5_cchelper subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(12/11/2014 10:22:08.161:399) : avc:  denied  { setattr } for  pid=3766 comm=pam_krb5_cchelp scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=key 
----
type=SYSCALL msg=audit(12/11/2014 10:22:08.161:400) : arch=x86_64 syscall=keyctl success=no exit=-13(Permission denied) a0=0xf a1=0x14430235 a2=0x1517b a3=0x0 items=0 ppid=3711 pid=3766 auid=unset uid=kdcuser2 gid=rpattath euid=kdcuser2 suid=kdcuser2 fsuid=kdcuser2 egid=rpattath sgid=rpattath fsgid=rpattath tty=tty2 ses=unset comm=pam_krb5_cchelp exe=/usr/lib64/security/pam_krb5/pam_krb5_cchelper subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(12/11/2014 10:22:08.161:400) : avc:  denied  { setattr } for  pid=3766 comm=pam_krb5_cchelp scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=key 
----
type=SYSCALL msg=audit(12/11/2014 10:22:08.161:401) : arch=x86_64 syscall=keyctl success=no exit=-13(Permission denied) a0=0xf a1=0x14430235 a2=0x1517b a3=0x0 items=0 ppid=3711 pid=3766 auid=unset uid=kdcuser2 gid=rpattath euid=kdcuser2 suid=kdcuser2 fsuid=kdcuser2 egid=rpattath sgid=rpattath fsgid=rpattath tty=tty2 ses=unset comm=pam_krb5_cchelp exe=/usr/lib64/security/pam_krb5/pam_krb5_cchelper subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(12/11/2014 10:22:08.161:401) : avc:  denied  { setattr } for  pid=3766 comm=pam_krb5_cchelp scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=key 
----
type=SYSCALL msg=audit(12/11/2014 10:23:03.849:421) : arch=x86_64 syscall=keyctl success=no exit=-13(Permission denied) a0=0xf a1=0x14430235 a2=0x1517c a3=0x0 items=0 ppid=3860 pid=3951 auid=unset uid=kdcuser2 gid=rpattath euid=kdcuser2 suid=kdcuser2 fsuid=kdcuser2 egid=rpattath sgid=rpattath fsgid=rpattath tty=tty2 ses=unset comm=pam_krb5_cchelp exe=/usr/lib64/security/pam_krb5/pam_krb5_cchelper subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(12/11/2014 10:23:03.849:421) : avc:  denied  { setattr } for  pid=3951 comm=pam_krb5_cchelp scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=key 
----
type=SYSCALL msg=audit(12/11/2014 10:23:03.849:422) : arch=x86_64 syscall=keyctl success=no exit=-13(Permission denied) a0=0xf a1=0x14430235 a2=0x1517c a3=0x0 items=0 ppid=3860 pid=3951 auid=unset uid=kdcuser2 gid=rpattath euid=kdcuser2 suid=kdcuser2 fsuid=kdcuser2 egid=rpattath sgid=rpattath fsgid=rpattath tty=tty2 ses=unset comm=pam_krb5_cchelp exe=/usr/lib64/security/pam_krb5/pam_krb5_cchelper subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(12/11/2014 10:23:03.849:422) : avc:  denied  { setattr } for  pid=3951 comm=pam_krb5_cchelp scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=key 
----
type=SYSCALL msg=audit(12/11/2014 10:23:03.849:423) : arch=x86_64 syscall=keyctl success=no exit=-13(Permission denied) a0=0xf a1=0x14430235 a2=0x1517c a3=0x0 items=0 ppid=3860 pid=3951 auid=unset uid=kdcuser2 gid=rpattath euid=kdcuser2 suid=kdcuser2 fsuid=kdcuser2 egid=rpattath sgid=rpattath fsgid=rpattath tty=tty2 ses=unset comm=pam_krb5_cchelp exe=/usr/lib64/security/pam_krb5/pam_krb5_cchelper subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(12/11/2014 10:23:03.849:423) : avc:  denied  { setattr } for  pid=3951 comm=pam_krb5_cchelp scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=key 
----
type=SYSCALL msg=audit(12/11/2014 10:23:03.850:424) : arch=x86_64 syscall=keyctl success=no exit=-13(Permission denied) a0=0xf a1=0x14430235 a2=0x1517c a3=0x0 items=0 ppid=3860 pid=3951 auid=unset uid=kdcuser2 gid=rpattath euid=kdcuser2 suid=kdcuser2 fsuid=kdcuser2 egid=rpattath sgid=rpattath fsgid=rpattath tty=tty2 ses=unset comm=pam_krb5_cchelp exe=/usr/lib64/security/pam_krb5/pam_krb5_cchelper subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(12/11/2014 10:23:03.850:424) : avc:  denied  { setattr } for  pid=3951 comm=pam_krb5_cchelp scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=key 
----
type=SYSCALL msg=audit(12/11/2014 14:36:58.025:451) : arch=x86_64 syscall=keyctl success=no exit=-13(Permission denied) a0=0xf a1=0x2545ed37 a2=0x1517a a3=0x0 items=0 ppid=5085 pid=5117 auid=unset uid=kdcuser2 gid=rpattath euid=kdcuser2 suid=kdcuser2 fsuid=kdcuser2 egid=rpattath sgid=rpattath fsgid=rpattath tty=tty2 ses=unset comm=pam_krb5_cchelp exe=/usr/lib64/security/pam_krb5/pam_krb5_cchelper subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(12/11/2014 14:36:58.025:451) : avc:  denied  { setattr } for  pid=5117 comm=pam_krb5_cchelp scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=key 
----
type=SYSCALL msg=audit(12/11/2014 14:36:58.025:452) : arch=x86_64 syscall=keyctl success=no exit=-13(Permission denied) a0=0xf a1=0x2545ed37 a2=0x1517a a3=0x0 items=0 ppid=5085 pid=5117 auid=unset uid=kdcuser2 gid=rpattath euid=kdcuser2 suid=kdcuser2 fsuid=kdcuser2 egid=rpattath sgid=rpattath fsgid=rpattath tty=tty2 ses=unset comm=pam_krb5_cchelp exe=/usr/lib64/security/pam_krb5/pam_krb5_cchelper subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(12/11/2014 14:36:58.025:452) : avc:  denied  { setattr } for  pid=5117 comm=pam_krb5_cchelp scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=key 
----
type=SYSCALL msg=audit(12/11/2014 14:36:58.025:453) : arch=x86_64 syscall=keyctl success=no exit=-13(Permission denied) a0=0xf a1=0x2545ed37 a2=0x1517a a3=0x0 items=0 ppid=5085 pid=5117 auid=unset uid=kdcuser2 gid=rpattath euid=kdcuser2 suid=kdcuser2 fsuid=kdcuser2 egid=rpattath sgid=rpattath fsgid=rpattath tty=tty2 ses=unset comm=pam_krb5_cchelp exe=/usr/lib64/security/pam_krb5/pam_krb5_cchelper subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(12/11/2014 14:36:58.025:453) : avc:  denied  { setattr } for  pid=5117 comm=pam_krb5_cchelp scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=key 
----
type=SYSCALL msg=audit(12/11/2014 14:36:58.026:454) : arch=x86_64 syscall=keyctl success=no exit=-13(Permission denied) a0=0xf a1=0x2545ed37 a2=0x1517a a3=0x0 items=0 ppid=5085 pid=5117 auid=unset uid=kdcuser2 gid=rpattath euid=kdcuser2 suid=kdcuser2 fsuid=kdcuser2 egid=rpattath sgid=rpattath fsgid=rpattath tty=tty2 ses=unset comm=pam_krb5_cchelp exe=/usr/lib64/security/pam_krb5/pam_krb5_cchelper subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(12/11/2014 14:36:58.026:454) : avc:  denied  { setattr } for  pid=5117 comm=pam_krb5_cchelp scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=key

Comment 7 Miroslav Grepl 2014-12-12 16:19:53 UTC

We allow 

xserver_rw_xdm_keys(local_login_t)

If you add a local policy, does it work then?

Comment 8 Roshni 2014-12-17 15:03:03 UTC

It does seem to be working after adding a local policy.

Comment 9 Milos Malik 2014-12-17 15:08:16 UTC

Does it work when SELinux is permissive?

# setenforce 0

Do you see any AVCs?

# ausearch -m avc -m user_avc -m selinux_err -i -ts today

Comment 10 Roshni 2014-12-17 16:11:24 UTC

On setenforce 0, I am able to login but 

# ausearch -m avc -m user_avc -m selinux_err -i -ts today

type=USER_AVC msg=audit(12/17/2014 11:07:59.934:535) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc:  received setenforce notice (enforcing=0)  exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?' 
----
type=SYSCALL msg=audit(12/17/2014 11:08:14.937:542) : arch=x86_64 syscall=keyctl success=yes exit=0 a0=0xf a1=0x177c38cc a2=0x1517f a3=0x0 items=0 ppid=8784 pid=10455 auid=unset uid=kdcuser2 gid=rpattath euid=kdcuser2 suid=kdcuser2 fsuid=kdcuser2 egid=rpattath sgid=rpattath fsgid=rpattath tty=tty2 ses=unset comm=pam_krb5_cchelp exe=/usr/lib64/security/pam_krb5/pam_krb5_cchelper subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(12/17/2014 11:08:14.937:542) : avc:  denied  { setattr } for  pid=10455 comm=pam_krb5_cchelp scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=key

Comment 11 Milos Malik 2014-12-18 09:59:02 UTC

I'm interested whether the scenario triggers other AVCs when we add following policy module. Be aware this is a temporary workaround:

# cat mypolicy.te 
policy_module(mypolicy,1.0)

require {
    type local_login_t;
    type xdm_t;
    class key { setattr };
}

allow local_login_t xdm_t : key { setattr };

# make -f /usr/share/selinux/devel/Makefile 
Compiling targeted mypolicy module
/usr/bin/checkmodule:  loading policy configuration from tmp/mypolicy.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 17) to tmp/mypolicy.mod
Creating targeted mypolicy.pp policy package
rm tmp/mypolicy.mod.fc tmp/mypolicy.mod
# semodule -i mypolicy.pp
#

Comment 12 Roshni 2014-12-18 15:37:52 UTC

This is what I tried:

created mypolicy.te as explained in comment 11

# ausearch -m AVC --comm pam_krb5_cchelp | audit2allow -M mypolicy

# semodule -i mypolicy.pp

# semodule -R

# getenforce
Enforcing

When trying to login:

[root@dhcp129-48 ~]# ausearch -m avc -m user_avc -m selinux_err -i -ts today
----
type=USER_AVC msg=audit(12/18/2014 10:27:17.817:1314) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=2)  exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?' 
----
type=USER_AVC msg=audit(12/18/2014 10:27:17.817:1315) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=3)  exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?' 

If the steps are not what you were asking me to perform, please provide detailed steps on what commands needs to be executed and what packages need to be installed?

Comment 13 Milos Malik 2014-12-18 15:46:48 UTC

Your steps were correct. There is no need to create another  policy module.

Comment 14 Miroslav Grepl 2015-01-09 13:32:24 UTC

commit d760fe4adc47c10fb51f11e9a394364ff9521295
Author: Miroslav Grepl <mgrepl>
Date:   Fri Jan 9 14:30:15 2015 +0100

    Update xserver_rw_xdm_keys() interface to have 'setattr'.

Comment 16 Roshni 2015-01-12 21:37:42 UTC

Using selinux-policy-3.13.1-15.el7 verified as below:

Enroll the smartcard with a kerberos user. Turn on ocsp on pam_pkcs11.conf. Login using the smartcard through tty. Successfully logged in and no AVC message in /var/log/audit/audit.log

Comment 18 errata-xmlrpc 2015-03-05 10:47:45 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-0458.html

Note You need to log in before you can comment on or make changes to this bug.