Bug 1838018 - sshd cannot write into reply cache (/var/tmp/krb5_0.rcache2) due to security context
Summary: sshd cannot write into reply cache (/var/tmp/krb5_0.rcache2) due to security context
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 32
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2020-05-20 11:30 UTC by Filip Dvorak
Modified: 2020-07-02 01:11 UTC
CC List: 13 users

Fixed In Version: selinux-policy-3.14.5-41.fc32
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-07-02 01:11:54 UTC
Type: Bug
Embargoed:



Description Filip Dvorak 2020-05-20 11:30:06 UTC
Description of problem:
After the installation of krb5 I added a new user into the krb5 db via the following command: "kadmin -p root/admin -w password -q 'ank -pw password alice'". The command finished successfully and the reply cache file was created. The problem is that this file had the security context system_u:object_r:kadmind_tmp_t:s0. This is a problem when ssh via krb5-GSSAPI is used, because the sshd service cannot write into this file.

Version-Release number of selected component (if applicable):
krb5-1.18-1.fc32.x86_64

How reproducible:
always

Steps to Reproduce:
1. Install and configure krb5kdc and kadmin

hostnamectl set-hostname kerberos.example.com
sed -i "1i 127.0.0.1 kerberos.example.com" /etc/hosts
echo -ne '[realms]\nEXAMPLE.COM = {\n    kdc = kerberos.example.com\n    admin_server = kerberos.example.com\n}\n\n[domain_realm]\n.example.com = EXAMPLE.COM\nexample.com = EXAMPLE.COM\n' > /etc/krb5.conf.d/example_com
sed -i "s/^# default_realm/ default_realm/" /etc/krb5.conf
echo -ne "passwd\npasswd\n" | kdb5_util create -s
systemctl start krb5kdc kadmin
 
2. kadmin.local -r EXAMPLE.COM -q "addprinc -pw passwd root/admin"
3. kadmin -p root/admin -w password -q 'ank -pw password alice'

Actual results:
# kinit alice
Password for alice: 

# ssh alice.com pwd
alice.com's password: 


Expected results:
# kinit alice
Password for alice: 

# ssh alice.com pwd
/home/alice


Additional info:
# ll -Z /var/tmp/krb5_0.rcache2
-rw-------. 1 root root system_u:object_r:kadmind_tmp_t:s0 3328 May 20 07:22 /var/tmp/krb5_0.rcache2

AVC message:
time->Wed May 20 06:50:45 2020
type=AVC msg=audit(1589971845.880:557): avc:  denied  { write } for  pid=16961 comm="sshd" name="krb5_0.rcache2" dev="vda1" ino=831 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:kadmind_tmp_t:s0 tclass=file permissive=0
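The AVC record above carries everything needed to triage this bug: the source domain (sshd_t), the mislabeled target type (kadmind_tmp_t), the object class (file) and the denied permission (write). The script below is an added example, not part of this report or of the Fedora selinux-policy tree: it parses raw audit lines of that shape, skips the ausearch time header and non-AVC records, and groups denials into the allow rules audit2allow would propose. The first AVC line in the sample is the one quoted in this report; the second AVC line and the SYSCALL line are constructed here to show grouping and skipping.

```python
import re
from collections import defaultdict

# Sample audit records. Line 2 is the AVC quoted in this bug report; the
# second AVC and the SYSCALL record are constructed for this example only.
SAMPLE_AUDIT_LOG = """\
time->Wed May 20 06:50:45 2020
type=AVC msg=audit(1589971845.880:557): avc:  denied  { write } for  pid=16961 comm="sshd" name="krb5_0.rcache2" dev="vda1" ino=831 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:kadmind_tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1589971845.881:558): avc:  denied  { open } for  pid=16961 comm="sshd" name="krb5_0.rcache2" dev="vda1" ino=831 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:kadmind_tmp_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1589971845.880:557): arch=c000003e syscall=257 success=no exit=-13
"""

# "avc:  denied  { write open }" -> decision and the brace-delimited permissions
AVC_HEAD_RE = re.compile(r"\bavc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}")
# key=value pairs; values may be quoted (comm="sshd") or bare (tclass=file)
KEY_VALUE_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(context):
    """Return the type field of a user:role:type[:range] SELinux context."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one audit line; return a dict for AVC records, None otherwise."""
    head = AVC_HEAD_RE.search(line)
    if head is None:
        return None
    fields = {k: v.strip('"') for k, v in KEY_VALUE_RE.findall(line)}
    return {
        "decision": head.group(1),
        "perms": tuple(head.group(2).split()),
        "comm": fields.get("comm"),
        "name": fields.get("name"),
        "stype": context_type(fields["scontext"]),
        "ttype": context_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        # permissive=1 means the access was logged but not actually blocked
        "permissive": fields.get("permissive") == "1",
    }


def proposed_allow_rules(audit_text):
    """Group denials per (source type, target type, class), as audit2allow
    does, and emit one allow rule with the union of denied permissions."""
    grouped = defaultdict(set)
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["decision"] != "denied":
            continue
        grouped[(rec["stype"], rec["ttype"], rec["tclass"])].update(rec["perms"])
    rules = []
    for (stype, ttype, tclass), perms in sorted(grouped.items()):
        perm_str = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_str = "{ " + perm_str + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {perm_str};")
    return rules


if __name__ == "__main__":
    for rule in proposed_allow_rules(SAMPLE_AUDIT_LOG):
        print(rule)
```

The resulting rule, `allow sshd_t kadmind_tmp_t:file ...`, is the same access the Fedora fix grants; the difference is that the distribution policy expresses it through a kerberos_write_kadmind_tmp_files() interface called from the sshd policy, whereas a site would otherwise carry it as a local module. Note the permissive flag: on a host in permissive mode the same record appears with permissive=1 and the operation succeeds, so the reporter's "Actual results" (falling back to a password prompt) is only seen when permissive=0.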

Comment 4 Zdenek Pytela 2020-06-11 08:30:56 UTC
I've submitted two Fedora PRs to address the issue:
https://github.com/fedora-selinux/selinux-policy-contrib/pull/263
https://github.com/fedora-selinux/selinux-policy/pull/373

Comment 5 Zdenek Pytela 2020-06-11 09:59:45 UTC
F32 commits:
commit 9f169ec424c26617b7b113754c4300d3ce5278e2 (HEAD -> f32, upstream/f32, origin/f32)
Author: Zdenek Pytela <zpytela>
Date:   Thu Jun 11 10:22:40 2020 +0200

    Create the kerberos_write_kadmind_tmp_files() interface
    
    Related: rhbz#1838018

commit 74c1a0656a1a7468befd1a10f24204106c316900 (HEAD -> f32, upstream/f32, origin/f32)
Author: Zdenek Pytela <zpytela>
Date:   Thu Jun 11 10:27:38 2020 +0200

    Allow sshd write to kadmind temporary files
    
    Resolves: rhbz#1838018

Comment 6 Fedora Update System 2020-06-24 11:33:09 UTC
FEDORA-2020-5c374f680a has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2020-5c374f680a

Comment 7 Fedora Update System 2020-06-25 01:03:39 UTC
FEDORA-2020-5c374f680a has been pushed to the Fedora 32 testing repository.
In a short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-5c374f680a`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-5c374f680a

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 8 Fedora Update System 2020-07-02 01:11:54 UTC
FEDORA-2020-5c374f680a has been pushed to the Fedora 32 stable repository.
If the problem still persists, please make note of it in this bug report.

