Bug 253321 - unable to log in to AFS home directory via sshd
Summary: unable to log in to AFS home directory via sshd
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2007-08-17 20:23 UTC by Nalin Dahyabhai
Modified: 2007-11-30 22:12 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-09-12 17:00:36 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)

Description Nalin Dahyabhai 2007-08-17 20:23:25 UTC 
Description of problem:
When I attempt to log in using forwarded Kerberos credentials, pam_krb5 (or a
different module) gets called to use those credentials to set tokens.  The
module needs to perform an ioctl on /proc/fs/openafs/afs_ioctl
(context="system_u:object_r:proc_t:s0") to do this, but that appears to be
denied by policy.

Versions:
openafs-1.4.4
selinux-policy-targeted-3.0.5-7.fc8
pam_krb5-2.2.18-1
openssh-server-4.5p1-8.fc8
kernel-2.6.21-1.3230.fc8

The specific denial which causes this (verified with audit2allow -M) is:
type=AVC msg=audit(1187381427.559:17006): avc:  denied  { write } for  pid=21245
comm="sshd" name="afs_ioctl" dev=proc ino=4026532117
scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:proc_t:s0 tclass=file

Here's the generated .te file which apparently made it work again:
module openafs 1.0;

require {
        type sshd_t;
        type proc_t;
        class file write;
}

#============= sshd_t ==============
allow sshd_t proc_t:file write;
Comment 1 Daniel Walsh 2007-08-20 19:15:23 UTC 
Fixed in selinux-policy-3.0.5-9.fc8
Comment 2 Daniel Walsh 2007-09-12 17:00:36 UTC 
ALready fixed in rawhide
Note You need to log in before you can comment on or make changes to this bug.