Bug 170301 - Login via Kerberos and NFS4/krb5i
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 4
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Daniel Walsh
Reported: 2005-10-10 12:36 EDT by Joachim Selke
Modified: 2007-11-30 17:11 EST (History)
Fixed In Version: 1.27.1-2.11
Doc Type: Bug Fix
Last Closed: 2005-10-31 14:14:27 EST
Description Joachim Selke 2005-10-10 12:36:55 EDT
Description of problem:
I use a combination of Kerberos5 and LDAP on a server to manage
authentication/authorization on clients. On the clients the /home directory is
mounted via NFS4/krb5i from the server.

In SELinux permissive mode everything works fine, but in enforcing mode users
are not able to access their home directories. The login is successful but
access to the home directory is denied (username=selke, uid=10000):

Could not chdir to home directory /home/selke: Permission denied
-bash: /home/selke/.bash_profile: Permission denied
-bash-3.00$ quit
-bash: quit: command not found
-bash-3.00$ exit
logout
-bash: /home/selke/.bash_logout: Permission denied

During login I get several denied errors in /var/log/audit/audit.log:

type=USER_AUTH msg=audit(1128961167.368:21): user pid=2815 uid=0 auid=4294967295
msg='PAM authentication: user=selke exe="/usr/sbin/sshd"
(hostname=vpn6.mip.uni-hannover.de, addr=130.75.236.6, terminal=ssh result=Success)'
type=USER_ACCT msg=audit(1128961167.384:22): user pid=2815 uid=0 auid=4294967295
msg='PAM accounting: user=selke exe="/usr/sbin/sshd"
(hostname=vpn6.mip.uni-hannover.de, addr=130.75.236.6, terminal=ssh result=Success)'
type=LOGIN msg=audit(1128961167.424:23): login pid=2819 uid=0 old
auid=4294967295 new auid=10000
type=USER_START msg=audit(1128961167.424:24): user pid=2819 uid=0 auid=10000
msg='PAM session open: user=selke exe="/usr/sbin/sshd"
(hostname=vpn6.mip.uni-hannover.de, addr=130.75.236.6, terminal=ssh result=Success)'
type=CRED_REFR msg=audit(1128961167.428:25): user pid=2819 uid=0 auid=10000
msg='PAM setcred: user=selke exe="/usr/sbin/sshd"
(hostname=vpn6.mip.uni-hannover.de, addr=130.75.236.6, terminal=ssh result=Success)'
type=AVC msg=audit(1128961167.504:26): avc:  denied  { dac_override } for 
pid=1883 comm="rpc.gssd" capability=1 scontext=system_u:system_r:gssd_t
tcontext=system_u:system_r:gssd_t tclass=capability
type=AVC msg=audit(1128961167.504:26): avc:  denied  { dac_read_search } for 
pid=1883 comm="rpc.gssd" capability=2 scontext=system_u:system_r:gssd_t
tcontext=system_u:system_r:gssd_t tclass=capability
type=SYSCALL msg=audit(1128961167.504:26): arch=40000003 syscall=5 success=no
exit=-13 a0=9c4afe0 a1=8000 a2=0 a3=8000 items=1 pid=1883 auid=4294967295 uid=0
gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="rpc.gssd"
exe="/usr/sbin/rpc.gssd"
type=CWD msg=audit(1128961167.504:26):  cwd="/var/lib/nfs/rpc_pipefs/nfs"
type=PATH msg=audit(1128961167.504:26): item=0 name="/tmp/krb5cc_10000_gyxwqn"
flags=101  inode=6606226 dev=03:02 mode=0100600 ouid=10000 ogid=10000 rdev=00:00

(the last three messages are repeated several times)

In permissive mode the Kerberos credentials cache file /tmp/krb5cc_10000_gyxwqn
is created, but not in enforcing mode.

In /var/log/messages I get:

Oct 10 18:19:27 pupkin sshd(pam_unix)[2819]: session opened for user selke by
(uid=0)
Oct 10 18:19:27 pupkin rpc.gssd[1883]: WARNING: error from gss_acquire_cred for
user with uid 10000 (Credentials cache permissions incorrect)
Oct 10 18:19:27 pupkin rpc.gssd[1883]: WARNING: Failed to create krb5 context
for user with uid 10000 for server obelix.thi.uni-hannover.de

(the last two messages are repeated several times)

If I switch to SELinux permissive mode then everything works fine. And (this is
strange) it keeps working when I switch to enforcing mode, log off and log in
again. But after a reboot the problem occurs again.


Version-Release number of selected component (if applicable):
selinux-policy-targeted.noarch-1.27.1-2.3
Comment 1 Daniel Walsh 2005-10-17 14:14:30 EDT
Fixed in selinux-policy-*-1.27.1-2.6
Comment 2 Joachim Selke 2005-10-17 18:07:25 EDT
The bug is not fixed yet. I updated a few minutes ago to
selinux-policy-targeted-1.27.1-2.6 and did a complete relabeling of the
filesystem. Here is the result:

The login is successful, but gives the following errors:

Could not chdir to home directory /home/selke: Permission denied
-bash: /home/selke/.bash_profile: Permission denied


/var/log/audit/audit.log says:

type=AVC msg=audit(1129586483.447:34): avc:  denied  { write } for  pid=1903
comm="rpc.gssd" name="krb5cc_10000_8OnCut" dev=hda2 ino=6606226
scontext=system_u:system_r:gssd_t tcontext=system_u:object_r:tmp_t tclass=file
type=SYSCALL msg=audit(1129586483.447:34): arch=40000003 syscall=5 success=no
exit=-13 a0=96b6318 a1=8002 a2=0 a3=8002 items=1 pid=1903 auid=4294967295 uid=0
gid=0 euid=10000 suid=0 fsuid=10000 egid=0 sgid=0 fsgid=0 comm="rpc.gssd"
exe="/usr/sbin/rpc.gssd"
type=CWD msg=audit(1129586483.447:34):  cwd="/var/lib/nfs/rpc_pipefs/nfs"
type=PATH msg=audit(1129586483.447:34): item=0 name="/tmp/krb5cc_10000_8OnCut"
flags=101  inode=6606226 dev=03:02 mode=0100600 ouid=10000 ogid=10000 rdev=00:00

These messages are repeated several times.


/var/log/messages:

Oct 18 00:01:23 pupkin rpc.gssd[1903]: WARNING: Failed to create krb5 context
for user with uid 10000 for server obelix.thi.uni-hannover.de

This message is repeated several times too.
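The AVC records in the description and in comment 2 are the whole diagnostic signal here, and they are easier to read once grouped the way a policy rule would be: source domain, target type, object class, and the union of denied permissions, with the path from the matching PATH record attached. The following is an added example, not code from the bug report or from selinux-policy or rpc.gssd; it parses the report's own audit lines (re-joined where the page wrapped them) and produces that grouping. The regular expressions and field names are this example's assumptions about the 2005-era audit.log format shown on the page.

```python
"""Added example (not part of the bug report): triage SELinux AVC denials
like the ones in this report by parsing audit.log records and summarising,
per (source type, target type, class), which permissions were denied and
which paths the same audit event touched."""
import re
from collections import defaultdict

# Sample records copied from the report, with wrapped lines re-joined.
# Records :26 are the capability denials from the description (policy
# 1.27.1-2.3); record :34 is the tmp_t write denial from comment 2
# (policy 1.27.1-2.6).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1128961167.504:26): avc:  denied  { dac_override } for  pid=1883 comm="rpc.gssd" capability=1 scontext=system_u:system_r:gssd_t tcontext=system_u:system_r:gssd_t tclass=capability
type=AVC msg=audit(1128961167.504:26): avc:  denied  { dac_read_search } for  pid=1883 comm="rpc.gssd" capability=2 scontext=system_u:system_r:gssd_t tcontext=system_u:system_r:gssd_t tclass=capability
type=SYSCALL msg=audit(1128961167.504:26): arch=40000003 syscall=5 success=no exit=-13 a0=9c4afe0 a1=8000 a2=0 a3=8000 items=1 pid=1883 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="rpc.gssd" exe="/usr/sbin/rpc.gssd"
type=PATH msg=audit(1128961167.504:26): item=0 name="/tmp/krb5cc_10000_gyxwqn" flags=101  inode=6606226 dev=03:02 mode=0100600 ouid=10000 ogid=10000 rdev=00:00
type=AVC msg=audit(1129586483.447:34): avc:  denied  { write } for  pid=1903 comm="rpc.gssd" name="krb5cc_10000_8OnCut" dev=hda2 ino=6606226 scontext=system_u:system_r:gssd_t tcontext=system_u:object_r:tmp_t tclass=file
type=PATH msg=audit(1129586483.447:34): item=0 name="/tmp/krb5cc_10000_8OnCut" flags=101  inode=6606226 dev=03:02 mode=0100600 ouid=10000 ogid=10000 rdev=00:00
"""

# Assumed layout of an AVC denial line: the braces hold the denied
# permissions, everything after "for" is key=value pairs.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{ (?P<perms>[^}]+)\} for\s+(?P<rest>.*)'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(text):
    """Turn 'pid=1883 comm="rpc.gssd" ...' into a dict, stripping quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}


def parse_avc_denials(log_text):
    """Return one dict per AVC denial record: its key=value fields plus the
    audit serial, the permission list and the bare source/target types."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.match(line)
        if not m:
            continue
        fields = parse_kv(m.group('rest'))
        fields['serial'] = int(m.group('serial'))
        fields['perms'] = m.group('perms').split()
        # user:role:type -> the type is the third component.
        fields['stype'] = fields['scontext'].split(':')[2]
        fields['ttype'] = fields['tcontext'].split(':')[2]
        denials.append(fields)
    return denials


def path_by_serial(log_text):
    """Map audit serial -> path named by the PATH record of the same event.
    Serials restart on reboot, so this only holds within one log excerpt."""
    paths = {}
    for line in log_text.splitlines():
        if line.startswith('type=PATH '):
            serial = int(re.search(r':(\d+)\):', line).group(1))
            paths[serial] = parse_kv(line).get('name')
    return paths


def summarise(log_text):
    """Group denials as (source type, target type, class) -> (sorted perms,
    sorted paths); this is the granularity at which a policy change or an
    allow rule would be written, and at which a detection rule would alert."""
    paths = path_by_serial(log_text)
    grouped = defaultdict(set)
    touched = defaultdict(set)
    for d in parse_avc_denials(log_text):
        key = (d['stype'], d['ttype'], d['tclass'])
        grouped[key].update(d['perms'])
        if d['serial'] in paths:
            touched[key].add(paths[d['serial']])
    return {k: (sorted(v), sorted(touched[k])) for k, v in grouped.items()}


if __name__ == '__main__':
    for (src, tgt, cls), (perms, files) in summarise(SAMPLE_AUDIT_LOG).items():
        print(f"{src} -> {tgt} ({cls}): {' '.join(perms)}  paths={files}")
```

Run against the report's lines it yields two groups: gssd_t denied dac_override and dac_read_search on the capability class while opening /tmp/krb5cc_10000_gyxwqn, and gssd_t denied write on a tmp_t file for /tmp/krb5cc_10000_8OnCut. The SYSCALL records explain the difference between the two reports: in the first, rpc.gssd opens the uid-10000-owned 0600 cache with euid=0, which needs a DAC-override capability the policy withheld; in the second, it runs with euid=10000/fsuid=10000, so the remaining denial is the plain file write from gssd_t to tmp_t that the 1.27.1-2.11 policy resolved.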
Comment 3 Daniel Walsh 2005-10-17 19:46:30 EDT
Can you remove krb5cc_10000_8OnCut and then try again?

Dan
Comment 4 Joachim Selke 2005-10-18 12:18:11 EDT
I did the following:
  1. delete all files in /tmp
  2. create /.autorelabel
  3. reboot machine
  4. login as "selke" (uid 10000)

The result is the same as mentioned in my last comment. The only difference is
the file name, now it is krb5cc_10000_emxaFS. But this is not remarkable because
the name part after the uid seems to be a random sequence.
Comment 5 Joachim Selke 2005-10-31 12:58:03 EST
selinux-policy-targeted-1.27.1-2.11 fixed the bug. Thank you! :-)
