Bug 1769532 - saslauthd unable to create tmp file
Summary: saslauthd unable to create tmp file
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 31
Hardware: Unspecified
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Patrik Koncity
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2019-11-06 19:45 UTC by Marek Greško
Modified: 2020-02-07 01:51 UTC
CC: 3 users

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2020-02-07 01:51:05 UTC
Type: Bug
Embargoed:



Description Marek Greško 2019-11-06 19:45:17 UTC
Description of problem:
The saslauthd process is unable to create tmp files in /var/tmp.

I got:

nov 06 20:39:13 hostname audit[19684]: AVC avc:  denied  { create } for  pid=19684 comm="saslauthd" name="host_324" scontext=system_u:system_r:saslauthd_t:s0 >
nov 06 20:39:13 hostname saslauthd[19684]: auth_krb5: krb5_rd_req(): Cannot create replay cache file /var/tmp/host_324: Permission denied (-1765328215)

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.14.4-39.fc31.noarch


Actual results:
File creation denied.

Expected results:
File creation allowed.

Comment 1 Lukas Vrabec 2019-11-06 20:03:34 UTC
Hi Marek, 

The SELinux denial is not complete. Could you please attach output of: 

# ausearch -m AVC | grep saslauthd_t

Thanks,
Lukas.

Comment 2 Marek Greško 2019-11-07 16:41:15 UTC
Hello,

I worked around it by running:

semanage fcontext -a -t 'krb5_host_rcache_t' /var/tmp/host_324

where 324 is the uid of the user saslauth.

Output of ausearch -m AVC | grep saslauthd_t:

type=AVC msg=audit(1572981408.479:1703): avc:  denied  { create } for  pid=1346 comm="saslauthd" name="host_324" scontext=system_u:system_r:saslauthd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1572981412.298:1706): avc:  denied  { create } for  pid=1347 comm="saslauthd" name="host_324" scontext=system_u:system_r:saslauthd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1572981417.713:1709): avc:  denied  { create } for  pid=1348 comm="saslauthd" name="host_324" scontext=system_u:system_r:saslauthd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1572981423.740:1732): avc:  denied  { create } for  pid=1344 comm="saslauthd" name="host_324" scontext=system_u:system_r:saslauthd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1572981589.765:1759): avc:  denied  { create } for  pid=1349 comm="saslauthd" name="host_324" scontext=system_u:system_r:saslauthd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1572981605.307:1760): avc:  denied  { create } for  pid=1346 comm="saslauthd" name="host_324" scontext=system_u:system_r:saslauthd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1572981906.124:1769): avc:  denied  { create } for  pid=1347 comm="saslauthd" name="host_324" scontext=system_u:system_r:saslauthd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1572981955.219:1792): avc:  denied  { create } for  pid=23763 comm="saslauthd" name="host_324" scontext=system_u:system_r:saslauthd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1572982063.766:1825): avc:  denied  { create } for  pid=23814 comm="saslauthd" name="host_324" scontext=system_u:system_r:saslauthd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1572982205.219:1838): avc:  denied  { create } for  pid=23815 comm="saslauthd" name="host_324" scontext=system_u:system_r:saslauthd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1572982229.790:1863): avc:  denied  { create } for  pid=23816 comm="saslauthd" name="host_324" scontext=system_u:system_r:saslauthd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1572982397.611:1891): avc:  denied  { create } for  pid=24072 comm="saslauthd" name="host_324" scontext=system_u:system_r:saslauthd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1572982506.262:1899): avc:  denied  { create } for  pid=24074 comm="saslauthd" name="host_324" scontext=system_u:system_r:saslauthd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1572982618.832:1920): avc:  denied  { create } for  pid=24071 comm="saslauthd" name="host_324" scontext=system_u:system_r:saslauthd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1573063104.482:2120): avc:  denied  { create } for  pid=11779 comm="saslauthd" name="host_324" scontext=system_u:system_r:saslauthd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1573063108.702:2121): avc:  denied  { create } for  pid=11780 comm="saslauthd" name="host_324" scontext=system_u:system_r:saslauthd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1573063113.043:2122): avc:  denied  { create } for  pid=11781 comm="saslauthd" name="host_324" scontext=system_u:system_r:saslauthd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1573063204.841:2123): avc:  denied  { create } for  pid=11778 comm="saslauthd" name="host_324" scontext=system_u:system_r:saslauthd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1573063711.556:2190): avc:  denied  { create } for  pid=12072 comm="saslauthd" name="host_324" scontext=system_u:system_r:saslauthd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1573063715.752:2192): avc:  denied  { create } for  pid=12074 comm="saslauthd" name="host_324" scontext=system_u:system_r:saslauthd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1573063720.208:2193): avc:  denied  { create } for  pid=12071 comm="saslauthd" name="host_324" scontext=system_u:system_r:saslauthd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1573068943.565:3743): avc:  denied  { create } for  pid=19686 comm="saslauthd" name="host_324" scontext=system_u:system_r:saslauthd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1573068947.305:3744): avc:  denied  { create } for  pid=19685 comm="saslauthd" name="host_324" scontext=system_u:system_r:saslauthd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1573068951.262:3745): avc:  denied  { create } for  pid=19687 comm="saslauthd" name="host_324" scontext=system_u:system_r:saslauthd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1573069153.892:3846): avc:  denied  { create } for  pid=19684 comm="saslauthd" name="host_324" scontext=system_u:system_r:saslauthd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1573069205.275:3847): avc:  denied  { create } for  pid=19688 comm="saslauthd" name="host_324" scontext=system_u:system_r:saslauthd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1573069286.729:3849): avc:  denied  { create } for  pid=19686 comm="saslauthd" name="host_324" scontext=system_u:system_r:saslauthd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1573069505.692:3856): avc:  denied  { create } for  pid=19685 comm="saslauthd" name="host_324" scontext=system_u:system_r:saslauthd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1573069559.763:3860): avc:  denied  { create } for  pid=19687 comm="saslauthd" name="host_324" scontext=system_u:system_r:saslauthd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=1
type=AVC msg=audit(1573069559.764:3861): avc:  denied  { write } for  pid=19687 comm="saslauthd" path="/var/tmp/host_324" dev="dm-2" ino=262193 scontext=system_u:system_r:saslauthd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=1
type=AVC msg=audit(1573070434.304:3884): avc:  denied  { write } for  pid=19684 comm="saslauthd" name="host_324" dev="dm-2" ino=262193 scontext=system_u:system_r:saslauthd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=1


Marek
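
Reading the denials above (an added note and example, not part of the bug report): in a `create` denial the target context is the label the new file would receive, so `tcontext=system_u:object_r:tmp_t:s0` shows that no file type transition matched for saslauthd_t creating a file in a tmp_t directory; the replay cache would have been created as plain tmp_t, which saslauthd_t is not allowed to do. The `permissive=1` records at the end were logged while SELinux (or the saslauthd_t domain) was permissive: the create went through, the file got tmp_t, and the following write was still flagged. The script below groups such records by source type, target type, class, permission and permissive flag, and also shows the naive `allow` rule a tool like audit2allow would derive from them, which silences the denial but leaves the cache mislabeled. The three sample records are copied from Marek's output above; everything else is example code written for this page.

```shell
#!/bin/sh
# Added example (not from the bug report): summarize AVC denial records such as
# those printed by `ausearch -m AVC`, grouping them by source type, target type,
# object class, permission and the permissive flag.

# Three records copied from the report above, used as offline sample input.
sample_avc() {
    cat <<'EOF'
type=AVC msg=audit(1573069153.892:3846): avc:  denied  { create } for  pid=19684 comm="saslauthd" name="host_324" scontext=system_u:system_r:saslauthd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1573069205.275:3847): avc:  denied  { create } for  pid=19688 comm="saslauthd" name="host_324" scontext=system_u:system_r:saslauthd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1573069559.764:3861): avc:  denied  { write } for  pid=19687 comm="saslauthd" path="/var/tmp/host_324" dev="dm-2" ino=262193 scontext=system_u:system_r:saslauthd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=1
EOF
}

# Read AVC records on stdin; print one line per distinct denial:
#   <count> <source type> <target type>:<class> <permissions> permissive=<0|1>
summarize_avc() {
    awk '
    /avc: +denied/ {
        perm = ""; s = ""; t = ""; c = ""; p = ""
        # the permission set sits between the braces after "denied"
        if (match($0, /denied +[{] *[^}]+[}]/)) {
            perm = substr($0, RSTART, RLENGTH)
            sub(/denied +[{] */, "", perm)
            sub(/ *[}]$/, "", perm)
        }
        for (i = 1; i <= NF; i++) {
            # contexts are user:role:type:level; keep only the type
            if ($i ~ /^scontext=/)        { split(substr($i, 10), a, ":"); s = a[3] }
            else if ($i ~ /^tcontext=/)   { split(substr($i, 10), b, ":"); t = b[3] }
            else if ($i ~ /^tclass=/)     { c = substr($i, 8) }
            else if ($i ~ /^permissive=/) { p = substr($i, 12) }
        }
        n[s " " t ":" c " " perm " permissive=" p]++
    }
    END { for (k in n) print n[k], k }' | sort -k2
}

# The rule audit2allow would derive from the same records: one allow per
# (source, target:class) pair with all denied permissions merged. It makes the
# denial disappear but keeps the replay cache labeled tmp_t; the real fix is a
# type transition to krb5_host_rcache_t (see the commit in Comment 3).
naive_allow_rule() {
    summarize_avc | awk '
    {
        k = $2 " " $3
        for (i = 4; i < NF; i++) if (!seen[k, $i]++) perms[k] = perms[k] " " $i
    }
    END { for (k in perms) print "allow " k " {" perms[k] " };" }'
}

sample_avc | summarize_avc
sample_avc | naive_allow_rule
```

Feed it real data with `ausearch -m AVC | summarize_avc`; the `permissive=` column separates denials that were enforced from ones merely logged.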

Comment 3 Lukas Vrabec 2020-01-30 16:27:38 UTC
commit 1d54a86ab1faf8b1db9a775757c6baa780a2a4f7 (HEAD -> rawhide, origin/rawhide, origin/HEAD)
Author: Patrik Koncity <pkoncity>
Date:   Wed Jan 29 17:34:50 2020 +0100

    Allow saslauthd_t filetrans variable files for /tmp directory
    
    The saslauthd service needs to create files with variable names in the /tmp
    dir and has permission to create a file only with a specific name.
    Change the filetrans pattern for domain saslauthd_t so that it can create
    files with variable names in the /tmp dir with label krb5_host_rcache_t.
    Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1769532
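
The fix described in the commit message is a file type transition: when saslauthd_t creates a regular file in a tmp_t directory, the kernel labels it krb5_host_rcache_t whatever the file is called, so the uid-dependent host_<uid> name no longer matters. A `semanage fcontext` entry, by contrast, only tells restorecon what label an existing path should carry; it does not change the label a newly created file receives. Until the updated selinux-policy package is installed, the same effect can be had from a small local module. The script below is an added example written for this page, not the upstream commit or the reporter's code: it writes such a module in checkmodule syntax and compiles and loads it only when the SELinux tools are present (loading needs root). The module name `local_saslauthd_rcache` and the permission sets are this example's choices. Caveat: the unnamed transition is deliberately broad, so every regular file saslauthd_t creates under a tmp_t directory, not only host_<uid>, becomes krb5_host_rcache_t; remove the module with `semodule -r local_saslauthd_rcache` once selinux-policy-3.14.4-46.fc31 or later is in place.

```shell
#!/bin/sh
# Added example (not the upstream fix): a local SELinux policy module that gives
# saslauthd_t a file type transition in tmp_t directories, so the replay cache
# /var/tmp/host_<uid> is labeled krb5_host_rcache_t at creation time.

# Write the module source to the path given as $1.
write_saslauthd_rcache_te() {
    cat > "$1" <<'EOF'
module local_saslauthd_rcache 1.0;

require {
    type saslauthd_t;
    type tmp_t;
    type krb5_host_rcache_t;
    class dir  { search write add_name remove_name };
    class file { create open read write getattr setattr lock unlink };
}

# Label new regular files that saslauthd_t creates in tmp_t directories as
# krb5_host_rcache_t. This applies at create time; an fcontext entry would
# only matter when restorecon relabels an already existing file.
type_transition saslauthd_t tmp_t:file krb5_host_rcache_t;

# Permissions needed to create, lock and later replace the replay cache.
allow saslauthd_t tmp_t:dir { search write add_name remove_name };
allow saslauthd_t krb5_host_rcache_t:file { create open read write getattr setattr lock unlink };
EOF
}

# Count the type_transition rules in a module source (sanity check).
count_type_transitions() {
    grep -c '^type_transition ' "$1"
}

# Compile and load the module if the SELinux policy tools are present.
# Returns 0 on success, 1 on a build/load error, 2 when the tools are missing,
# so the script can be sourced on a machine without SELinux.
build_and_load_module() {
    te="$1"
    base="${te%.te}"
    if ! command -v checkmodule >/dev/null 2>&1 || ! command -v semodule_package >/dev/null 2>&1; then
        echo "checkmodule/semodule_package not found; skipping build" >&2
        return 2
    fi
    checkmodule -M -m -o "$base.mod" "$te" || return 1
    semodule_package -o "$base.pp" -m "$base.mod" || return 1
    # Needs root. Undo later with: semodule -r local_saslauthd_rcache
    semodule -i "$base.pp" || return 1
}

workdir="$(mktemp -d)"
write_saslauthd_rcache_te "$workdir/local_saslauthd_rcache.te"
echo "wrote $workdir/local_saslauthd_rcache.te"
build_and_load_module "$workdir/local_saslauthd_rcache.te" || true
```

After loading, `ls -Z /var/tmp/host_*` should show krb5_host_rcache_t on a freshly created cache, and `ausearch -m AVC -c saslauthd -ts recent` should stay empty.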

Comment 4 Fedora Update System 2020-02-05 10:55:04 UTC
FEDORA-2020-4824687c8c has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2020-4824687c8c

Comment 5 Fedora Update System 2020-02-06 01:12:06 UTC
selinux-policy-3.14.4-46.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-4824687c8c

Comment 6 Fedora Update System 2020-02-07 01:51:05 UTC
selinux-policy-3.14.4-46.fc31 has been pushed to the Fedora 31 stable repository. If problems still persist, please make note of it in this bug report.

