Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1172291

Summary: Unable to login using smartcard with kerberos user through virtual terminal when selinux in enforcing mode
Product: Red Hat Enterprise Linux 7 Reporter: Roshni <rpattath>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.1CC: lmiksik, lvrabec, mgrepl, mmalik, plautrba, pvrabec, rpattath
Target Milestone: rcKeywords: Reopened
Target Release: ---   
Hardware: Unspecified   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.13.1-15.el7 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-03-05 10:47:45 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
/var/log/messages content none

Description Roshni 2014-12-09 19:16:46 UTC 
Created attachment 966436 [details]
/var/log/messages content

Description of problem:
Unable to login using smartcard with kerberos user through virtual terminal when selinux in enforcing mode

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-12.el7

How reproducible:
always

Steps to Reproduce:
1. selinux should be in enforcing mode
2. Go to the virtual terminal mode
3. Insert the smartcard with the kerberos user
4. Provide the smart card username and pin when prompted for.

Actual results:
"System Error" message is shown

Expected results:
login attempt should be successful

Additional info:

/var/log/messages shows messages in the attachement. Does not see this issue in Permissive mode
Comment 2 Roshni 2014-12-09 21:21:27 UTC 
Seeing the issue described in comment 1 only on a machine that has been upgraded from RHEL 7.0 to RHEL 7.1. On a machine with a fresh installation of RHEL 7.1 I do not see the issue.
Comment 3 Miroslav Grepl 2014-12-10 07:25:32 UTC 
Could you attach raw AVC msgs from /var/log/audit/audit.log?

It looks you also need to run

/sbin/restorecon -v /usr/lib64/security/pam_krb5/pam_krb5_cchelper
Comment 4 Milos Malik 2014-12-10 07:52:03 UTC 
# ausearch -m avc -m user_avc -m selinux_err -i -ts today
Comment 5 Roshni 2014-12-10 21:27:34 UTC 
Not seeing the issue on machine installed with relaeased RHEL 7.0 and upgraded to RHEL 7.1
Comment 6 Roshni 2014-12-11 19:44:17 UTC 
Noticed this again:

SELinux is preventing /usr/lib64/security/pam_krb5/pam_krb5_cchelper from setattr access on the key Unknown.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that pam_krb5_cchelper should be allowed setattr access on the Unknown key by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep pam_krb5_cchelp /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:local_login_t:s0-s0:c0.c1023
Target Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Objects                Unknown [ key ]
Source                        pam_krb5_cchelp
Source Path                   /usr/lib64/security/pam_krb5/pam_krb5_cchelper
Port                          <Unknown>
Host                          dhcp129-48.rdu.redhat.com
Source RPM Packages           pam_krb5-2.4.8-4.el7.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-13.el7.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     dhcp129-48.rdu.redhat.com
Platform                      Linux dhcp129-48.rdu.redhat.com
                              3.10.0-215.el7.x86_64 #1 SMP Mon Dec 8 10:19:09
                              EST 2014 x86_64 x86_64
Alert Count                   8
First Seen                    2014-12-10 15:51:23 EST
Last Seen                     2014-12-11 14:36:58 EST
Local ID                      bdfc1dcb-4469-419f-bed3-b7f79ae13d22

Raw Audit Messages
type=AVC msg=audit(1418326618.26:454): avc:  denied  { setattr } for  pid=5117 comm="pam_krb5_cchelp" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=key


type=SYSCALL msg=audit(1418326618.26:454): arch=x86_64 syscall=keyctl success=no exit=EACCES a0=f a1=2545ed37 a2=1517a a3=0 items=0 ppid=5085 pid=5117 auid=4294967295 uid=1001 gid=1000 euid=1001 suid=1001 fsuid=1001 egid=1000 sgid=1000 fsgid=1000 tty=tty2 ses=4294967295 comm=pam_krb5_cchelp exe=/usr/lib64/security/pam_krb5/pam_krb5_cchelper subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)

Hash: pam_krb5_cchelp,local_login_t,xdm_t,key,setattr


[root@dhcp129-48 ~]# ausearch -m avc -m user_avc -m selinux_err -i -ts today
----
type=SYSCALL msg=audit(12/11/2014 10:22:08.160:398) : arch=x86_64 syscall=keyctl success=no exit=-13(Permission denied) a0=0xf a1=0x14430235 a2=0x1517b a3=0x0 items=0 ppid=3711 pid=3766 auid=unset uid=kdcuser2 gid=rpattath euid=kdcuser2 suid=kdcuser2 fsuid=kdcuser2 egid=rpattath sgid=rpattath fsgid=rpattath tty=tty2 ses=unset comm=pam_krb5_cchelp exe=/usr/lib64/security/pam_krb5/pam_krb5_cchelper subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(12/11/2014 10:22:08.160:398) : avc:  denied  { setattr } for  pid=3766 comm=pam_krb5_cchelp scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=key 
----
type=SYSCALL msg=audit(12/11/2014 10:22:08.161:399) : arch=x86_64 syscall=keyctl success=no exit=-13(Permission denied) a0=0xf a1=0x14430235 a2=0x1517b a3=0x0 items=0 ppid=3711 pid=3766 auid=unset uid=kdcuser2 gid=rpattath euid=kdcuser2 suid=kdcuser2 fsuid=kdcuser2 egid=rpattath sgid=rpattath fsgid=rpattath tty=tty2 ses=unset comm=pam_krb5_cchelp exe=/usr/lib64/security/pam_krb5/pam_krb5_cchelper subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(12/11/2014 10:22:08.161:399) : avc:  denied  { setattr } for  pid=3766 comm=pam_krb5_cchelp scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=key 
----
type=SYSCALL msg=audit(12/11/2014 10:22:08.161:400) : arch=x86_64 syscall=keyctl success=no exit=-13(Permission denied) a0=0xf a1=0x14430235 a2=0x1517b a3=0x0 items=0 ppid=3711 pid=3766 auid=unset uid=kdcuser2 gid=rpattath euid=kdcuser2 suid=kdcuser2 fsuid=kdcuser2 egid=rpattath sgid=rpattath fsgid=rpattath tty=tty2 ses=unset comm=pam_krb5_cchelp exe=/usr/lib64/security/pam_krb5/pam_krb5_cchelper subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(12/11/2014 10:22:08.161:400) : avc:  denied  { setattr } for  pid=3766 comm=pam_krb5_cchelp scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=key 
----
type=SYSCALL msg=audit(12/11/2014 10:22:08.161:401) : arch=x86_64 syscall=keyctl success=no exit=-13(Permission denied) a0=0xf a1=0x14430235 a2=0x1517b a3=0x0 items=0 ppid=3711 pid=3766 auid=unset uid=kdcuser2 gid=rpattath euid=kdcuser2 suid=kdcuser2 fsuid=kdcuser2 egid=rpattath sgid=rpattath fsgid=rpattath tty=tty2 ses=unset comm=pam_krb5_cchelp exe=/usr/lib64/security/pam_krb5/pam_krb5_cchelper subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(12/11/2014 10:22:08.161:401) : avc:  denied  { setattr } for  pid=3766 comm=pam_krb5_cchelp scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=key 
----
type=SYSCALL msg=audit(12/11/2014 10:23:03.849:421) : arch=x86_64 syscall=keyctl success=no exit=-13(Permission denied) a0=0xf a1=0x14430235 a2=0x1517c a3=0x0 items=0 ppid=3860 pid=3951 auid=unset uid=kdcuser2 gid=rpattath euid=kdcuser2 suid=kdcuser2 fsuid=kdcuser2 egid=rpattath sgid=rpattath fsgid=rpattath tty=tty2 ses=unset comm=pam_krb5_cchelp exe=/usr/lib64/security/pam_krb5/pam_krb5_cchelper subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(12/11/2014 10:23:03.849:421) : avc:  denied  { setattr } for  pid=3951 comm=pam_krb5_cchelp scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=key 
----
type=SYSCALL msg=audit(12/11/2014 10:23:03.849:422) : arch=x86_64 syscall=keyctl success=no exit=-13(Permission denied) a0=0xf a1=0x14430235 a2=0x1517c a3=0x0 items=0 ppid=3860 pid=3951 auid=unset uid=kdcuser2 gid=rpattath euid=kdcuser2 suid=kdcuser2 fsuid=kdcuser2 egid=rpattath sgid=rpattath fsgid=rpattath tty=tty2 ses=unset comm=pam_krb5_cchelp exe=/usr/lib64/security/pam_krb5/pam_krb5_cchelper subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(12/11/2014 10:23:03.849:422) : avc:  denied  { setattr } for  pid=3951 comm=pam_krb5_cchelp scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=key 
----
type=SYSCALL msg=audit(12/11/2014 10:23:03.849:423) : arch=x86_64 syscall=keyctl success=no exit=-13(Permission denied) a0=0xf a1=0x14430235 a2=0x1517c a3=0x0 items=0 ppid=3860 pid=3951 auid=unset uid=kdcuser2 gid=rpattath euid=kdcuser2 suid=kdcuser2 fsuid=kdcuser2 egid=rpattath sgid=rpattath fsgid=rpattath tty=tty2 ses=unset comm=pam_krb5_cchelp exe=/usr/lib64/security/pam_krb5/pam_krb5_cchelper subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(12/11/2014 10:23:03.849:423) : avc:  denied  { setattr } for  pid=3951 comm=pam_krb5_cchelp scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=key 
----
type=SYSCALL msg=audit(12/11/2014 10:23:03.850:424) : arch=x86_64 syscall=keyctl success=no exit=-13(Permission denied) a0=0xf a1=0x14430235 a2=0x1517c a3=0x0 items=0 ppid=3860 pid=3951 auid=unset uid=kdcuser2 gid=rpattath euid=kdcuser2 suid=kdcuser2 fsuid=kdcuser2 egid=rpattath sgid=rpattath fsgid=rpattath tty=tty2 ses=unset comm=pam_krb5_cchelp exe=/usr/lib64/security/pam_krb5/pam_krb5_cchelper subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(12/11/2014 10:23:03.850:424) : avc:  denied  { setattr } for  pid=3951 comm=pam_krb5_cchelp scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=key 
----
type=SYSCALL msg=audit(12/11/2014 14:36:58.025:451) : arch=x86_64 syscall=keyctl success=no exit=-13(Permission denied) a0=0xf a1=0x2545ed37 a2=0x1517a a3=0x0 items=0 ppid=5085 pid=5117 auid=unset uid=kdcuser2 gid=rpattath euid=kdcuser2 suid=kdcuser2 fsuid=kdcuser2 egid=rpattath sgid=rpattath fsgid=rpattath tty=tty2 ses=unset comm=pam_krb5_cchelp exe=/usr/lib64/security/pam_krb5/pam_krb5_cchelper subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(12/11/2014 14:36:58.025:451) : avc:  denied  { setattr } for  pid=5117 comm=pam_krb5_cchelp scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=key 
----
type=SYSCALL msg=audit(12/11/2014 14:36:58.025:452) : arch=x86_64 syscall=keyctl success=no exit=-13(Permission denied) a0=0xf a1=0x2545ed37 a2=0x1517a a3=0x0 items=0 ppid=5085 pid=5117 auid=unset uid=kdcuser2 gid=rpattath euid=kdcuser2 suid=kdcuser2 fsuid=kdcuser2 egid=rpattath sgid=rpattath fsgid=rpattath tty=tty2 ses=unset comm=pam_krb5_cchelp exe=/usr/lib64/security/pam_krb5/pam_krb5_cchelper subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(12/11/2014 14:36:58.025:452) : avc:  denied  { setattr } for  pid=5117 comm=pam_krb5_cchelp scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=key 
----
type=SYSCALL msg=audit(12/11/2014 14:36:58.025:453) : arch=x86_64 syscall=keyctl success=no exit=-13(Permission denied) a0=0xf a1=0x2545ed37 a2=0x1517a a3=0x0 items=0 ppid=5085 pid=5117 auid=unset uid=kdcuser2 gid=rpattath euid=kdcuser2 suid=kdcuser2 fsuid=kdcuser2 egid=rpattath sgid=rpattath fsgid=rpattath tty=tty2 ses=unset comm=pam_krb5_cchelp exe=/usr/lib64/security/pam_krb5/pam_krb5_cchelper subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(12/11/2014 14:36:58.025:453) : avc:  denied  { setattr } for  pid=5117 comm=pam_krb5_cchelp scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=key 
----
type=SYSCALL msg=audit(12/11/2014 14:36:58.026:454) : arch=x86_64 syscall=keyctl success=no exit=-13(Permission denied) a0=0xf a1=0x2545ed37 a2=0x1517a a3=0x0 items=0 ppid=5085 pid=5117 auid=unset uid=kdcuser2 gid=rpattath euid=kdcuser2 suid=kdcuser2 fsuid=kdcuser2 egid=rpattath sgid=rpattath fsgid=rpattath tty=tty2 ses=unset comm=pam_krb5_cchelp exe=/usr/lib64/security/pam_krb5/pam_krb5_cchelper subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(12/11/2014 14:36:58.026:454) : avc:  denied  { setattr } for  pid=5117 comm=pam_krb5_cchelp scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=key
Comment 7 Miroslav Grepl 2014-12-12 16:19:53 UTC 
We allow 

xserver_rw_xdm_keys(local_login_t)

If you add a local policy, does it work then?
Comment 8 Roshni 2014-12-17 15:03:03 UTC 
It does seem to be working after adding a local policy.
Comment 9 Milos Malik 2014-12-17 15:08:16 UTC 
Does it work when SELinux is permissive?

# setenforce 0

Do you see any AVCs?

# ausearch -m avc -m user_avc -m selinux_err -i -ts today
Comment 10 Roshni 2014-12-17 16:11:24 UTC 
On setenforce 0, I am able to login but 

# ausearch -m avc -m user_avc -m selinux_err -i -ts today

type=USER_AVC msg=audit(12/17/2014 11:07:59.934:535) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc:  received setenforce notice (enforcing=0)  exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?' 
----
type=SYSCALL msg=audit(12/17/2014 11:08:14.937:542) : arch=x86_64 syscall=keyctl success=yes exit=0 a0=0xf a1=0x177c38cc a2=0x1517f a3=0x0 items=0 ppid=8784 pid=10455 auid=unset uid=kdcuser2 gid=rpattath euid=kdcuser2 suid=kdcuser2 fsuid=kdcuser2 egid=rpattath sgid=rpattath fsgid=rpattath tty=tty2 ses=unset comm=pam_krb5_cchelp exe=/usr/lib64/security/pam_krb5/pam_krb5_cchelper subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(12/17/2014 11:08:14.937:542) : avc:  denied  { setattr } for  pid=10455 comm=pam_krb5_cchelp scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=key
Comment 11 Milos Malik 2014-12-18 09:59:02 UTC 
I'm interested whether the scenario triggers other AVCs when we add following policy module. Be aware this is a temporary workaround:

# cat mypolicy.te 
policy_module(mypolicy,1.0)

require {
    type local_login_t;
    type xdm_t;
    class key { setattr };
}

allow local_login_t xdm_t : key { setattr };

# make -f /usr/share/selinux/devel/Makefile 
Compiling targeted mypolicy module
/usr/bin/checkmodule:  loading policy configuration from tmp/mypolicy.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 17) to tmp/mypolicy.mod
Creating targeted mypolicy.pp policy package
rm tmp/mypolicy.mod.fc tmp/mypolicy.mod
# semodule -i mypolicy.pp
#
Comment 12 Roshni 2014-12-18 15:37:52 UTC 
This is what I tried:

created mypolicy.te as explained in comment 11

# ausearch -m AVC --comm pam_krb5_cchelp | audit2allow -M mypolicy

# semodule -i mypolicy.pp

# semodule -R

# getenforce
Enforcing

When trying to login:

[root@dhcp129-48 ~]# ausearch -m avc -m user_avc -m selinux_err -i -ts today
----
type=USER_AVC msg=audit(12/18/2014 10:27:17.817:1314) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=2)  exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?' 
----
type=USER_AVC msg=audit(12/18/2014 10:27:17.817:1315) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=3)  exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?' 

If the steps are not what you were asking me to perform, please provide detailed steps on what commands needs to be executed and what packages need to be installed?
Comment 13 Milos Malik 2014-12-18 15:46:48 UTC 
Your steps were correct. There is no need to create another  policy module.
Comment 14 Miroslav Grepl 2015-01-09 13:32:24 UTC 
commit d760fe4adc47c10fb51f11e9a394364ff9521295
Author: Miroslav Grepl <mgrepl>
Date:   Fri Jan 9 14:30:15 2015 +0100

    Update xserver_rw_xdm_keys() interface to have 'setattr'.
Comment 16 Roshni 2015-01-12 21:37:42 UTC 
Using selinux-policy-3.13.1-15.el7 verified as below:

Enroll the smartcard with a kerberos user. Turn on ocsp on pam_pkcs11.conf. Login using the smartcard through tty. Successfully logged in and no AVC message in /var/log/audit/audit.log
Comment 18 errata-xmlrpc 2015-03-05 10:47:45 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-0458.html