Description of problem:
After the installation of krb5 I added a new user into a krb5 db via the following command: "kadmin -p root/admin -w password -q 'ank -pw password alice'". The command finished successfully and the reply cache file was created. The problem is that this file had the security context system_u:object_r:kadmind_tmp_t:s0. This is a problem when ssh via krb5-GSSAPI is used, because the sshd service cannot write into this file.

Version-Release number of selected component (if applicable):
krb5-1.18-1.fc32.x86_64

How reproducible:
always

Steps to Reproduce:
1. Install and configure krb5kdc and kadmin:
hostnamectl set-hostname kerberos.example.com
sed -i "1i 127.0.0.1 kerberos.example.com" /etc/hosts
echo -ne '[realms]\nEXAMPLE.COM = {\n kdc = kerberos.example.com\n admin_server = kerberos.example.com\n}\n\n[domain_realm]\n.example.com = EXAMPLE.COM\nexample.com = example.com\n' > /etc/krb5.conf.d/example_com
sed -i "s/^# default_realm/ default_realm/" /etc/krb5.conf
echo -ne "passwd\npasswd\n" | kdb5_util create -s
systemctl start krb5kdc kadmin
2. kadmin.local -r EXAMPLE.COM -q "addprinc -pw passwd root/admin"
3. kadmin -p root/admin -w password -q 'ank -pw password alice'

Actual results:
# kinit alice
Password for alice:
# ssh alice.com pwd
alice.com's password:

Expected results:
# kinit alice
Password for alice:
# ssh alice.com pwd
/home/alice

Additional info:
# ll -Z /var/tmp/krb5_0.rcache2
-rw-------. 1 root root system_u:object_r:kadmind_tmp_t:s0 3328 May 20 07:22 /var/tmp/krb5_0.rcache2

AVC message:
time->Wed May 20 06:50:45 2020
type=AVC msg=audit(1589971845.880:557): avc: denied { write } for pid=16961 comm="sshd" name="krb5_0.rcache2" dev="vda1" ino=831 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:kadmind_tmp_t:s0 tclass=file permissive=0
I've submitted two Fedora PRs to address the issue: https://github.com/fedora-selinux/selinux-policy-contrib/pull/263 https://github.com/fedora-selinux/selinux-policy/pull/373
F32 commits:

commit 9f169ec424c26617b7b113754c4300d3ce5278e2 (HEAD -> f32, upstream/f32, origin/f32)
Author: Zdenek Pytela <zpytela>
Date:   Thu Jun 11 10:22:40 2020 +0200

    Create the kerberos_write_kadmind_tmp_files() interface

    Related: rhbz#1838018

commit 74c1a0656a1a7468befd1a10f24204106c316900 (HEAD -> f32, upstream/f32, origin/f32)
Author: Zdenek Pytela <zpytela>
Date:   Thu Jun 11 10:27:38 2020 +0200

    Allow sshd write to kadmind temporary files

    Resolves: rhbz#1838018
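To see what the policy change above actually grants, here is an added example (not code from the bug report or from selinux-policy) that parses the AVC record quoted in the description into source type, target type, object class and permission, filters for enforced sshd_t denials on kadmind_tmp_t, and prints the bare type-enforcement rule the denial implies. The Fedora fix exposes that same permission through the kerberos_write_kadmind_tmp_files() interface named in the commits rather than a raw allow rule; the sample line is the one from the report, and the function names are this example's own.

```python
import re
from typing import Any, Dict, Iterable, List, Optional

# AVC record quoted from the bug description above (the only denial on this page).
AVC_SAMPLE = (
    'type=AVC msg=audit(1589971845.880:557): avc: denied { write } for pid=16961 '
    'comm="sshd" name="krb5_0.rcache2" dev="vda1" ino=831 '
    'scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:kadmind_tmp_t:s0 tclass=file permissive=0'
)

_AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}'  # the permissions that were refused
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)'
    r'\s+tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?'
)

def _quoted(line: str, key: str) -> Optional[str]:
    """Pull a key="value" field (comm, name, ...) out of an audit line, if present."""
    m = re.search(key + r'="([^"]*)"', line)
    return m.group(1) if m else None

def selinux_type(context: str) -> str:
    """user:role:type[:range] -> type; allow rules are written in terms of the type."""
    return context.split(':')[2]

def parse_avc(line: str) -> Optional[Dict[str, Any]]:
    """Return the parts of an AVC denial needed to reason about it, or None if the
    line is not an AVC denial."""
    m = _AVC_RE.search(line)
    if m is None:
        return None
    return {
        'comm': _quoted(line, 'comm'),
        'name': _quoted(line, 'name'),
        'source_type': selinux_type(m.group('scontext')),
        'target_type': selinux_type(m.group('tcontext')),
        'tclass': m.group('tclass'),
        'perms': m.group('perms').split(),
        # permissive=0: access was really blocked; permissive=1: only logged.
        'enforced': m.group('permissive') != '1',
    }

def allow_rule(rec: Dict[str, Any]) -> str:
    """The raw TE rule the denial implies (what audit2allow would print)."""
    return (f"allow {rec['source_type']} {rec['target_type']}:{rec['tclass']} "
            f"{{ {' '.join(rec['perms'])} }};")

def denials_between(lines: Iterable[str], source_type: str, target_type: str) -> List[Dict[str, Any]]:
    """Detection helper: keep only enforced denials of source_type against target_type."""
    recs = (parse_avc(line) for line in lines)
    return [r for r in recs if r and r['enforced']
            and r['source_type'] == source_type and r['target_type'] == target_type]

if __name__ == '__main__':
    for rec in denials_between([AVC_SAMPLE], 'sshd_t', 'kadmind_tmp_t'):
        print(f"{rec['comm']} denied {rec['perms']} on {rec['name']}: {allow_rule(rec)}")
```

Running it against the report's line yields `allow sshd_t kadmind_tmp_t:file { write };`, which is exactly the access the second F32 commit grants to sshd.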
FEDORA-2020-5c374f680a has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2020-5c374f680a
FEDORA-2020-5c374f680a has been pushed to the Fedora 32 testing repository. In short time you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-5c374f680a` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-5c374f680a See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2020-5c374f680a has been pushed to the Fedora 32 stable repository. If problem still persists, please make note of it in this bug report.