Description of problem: When I attempt to log in using forwarded Kerberos credentials, pam_krb5 (or a different module) gets called to use those credentials to set tokens. The module needs to perform an ioctl on /proc/fs/openafs/afs_ioctl (context="system_u:object_r:proc_t:s0") to do this, but that appears to be denied by policy. Versions: openafs-1.4.4 selinux-policy-targeted-3.0.5-7.fc8 pam_krb5-2.2.18-1 openssh-server-4.5p1-8.fc8 kernel-2.6.21-1.3230.fc8 The specific denial which causes this (verified with audit2allow -M) is: type=AVC msg=audit(1187381427.559:17006): avc: denied { write } for pid=21245 comm="sshd" name="afs_ioctl" dev=proc ino=4026532117 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=file Here's the generated .te file which apparently made it work again: module openafs 1.0; require { type sshd_t; type proc_t; class file write; } #============= sshd_t ============== allow sshd_t proc_t:file write;
Fixed in selinux-policy-3.0.5-9.fc8
ALready fixed in rawhide