Bug 446499 - Problems with SASL-GSSAPI
Summary: Problems with SASL-GSSAPI
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 9
Hardware: x86_64
OS: Linux
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Depends On:
TreeView+ depends on / blocked
Reported: 2008-05-14 20:55 UTC by Javier Palacios
Modified: 2008-11-17 22:03 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2008-11-17 22:03:50 UTC

Attachments (Terms of Use)
SELinux policy from permissive mode (963 bytes, application/octet-stream)
2008-05-17 14:27 UTC, Javier Palacios
no flags Details

Description Javier Palacios 2008-05-14 20:55:24 UTC
While using nscd with GSSAPI, the value of krb5_ccname is apparently not honoured.

Running `getent passwd`, it only really connects to ldap server if the user has
a properly initialized credential cache.

It might be also due to selinux interference, as other actions (as `chown
ldapuser file`) give messages as

May 14 22:53:35 cool setroubleshoot: SELinux is preventing the nscd from using
potentially mislabeled files (./.ldapcache). For complete SELinux messages. run
sealert -l c4bde610-ed77-4b34-b779-c75b4eeb7c9a

Comment 1 Javier Palacios 2008-05-15 14:48:25 UTC
It's definitely a selinux issue, because it dissapear if setting enforcing mode
to permissive. And the cause is probably not on nscd nor nss-ldap.

The .ldapcache file is generated with a cron job (file on /etc/cron.d/), and is
created with a non suitable context :
# ls -alZ /tmp/.ldapcache 
-rw-------  nscd nscd system_u:object_r:system_crond_tmp_t:s0 /tmp/.ldapcache

Comment 2 Nalin Dahyabhai 2008-05-16 17:11:19 UTC
I don't see where this file is being created -- is its creation a
locally-configured thing?

Comment 3 Javier Palacios 2008-05-16 17:25:26 UTC
Sorry, the credential cache is initialized with a cron job:

# ls -alZ /etc/cron.d/nss-ldap
-rw-r--r--  root root system_u:object_r:system_cron_spool_t:s0 /etc/cron.d/nss-ldap

# cat /etc/cron.d/nss-ldap 
@reboot nscd /usr/kerberos/bin/kinit -c /tmp/.ldapcache -k -t /etc/nss.keytab
@hourly nscd /usr/kerberos/bin/kinit -c /tmp/.ldapcache -k -t /etc/nss.keytab

Comment 4 Daniel Walsh 2008-05-16 18:24:28 UTC
Please attach the avc messages from /var/log/audit/audit.log

Comment 5 Daniel Walsh 2008-05-16 18:35:54 UTC
If you put the ldapcache in /var/run/nscd would it still work?

Comment 6 Javier Palacios 2008-05-16 20:20:53 UTC
The audit messages are the ones on bug 446482. I'll perform a reinstall and
attach them from a fresh system.

As I understand, you mean use /var/run/nscd/.ldapcache instead of
/tmp/.ldapcache. I'll test and come back.

Comment 7 Daniel Walsh 2008-05-16 20:38:42 UTC
Yes that is the idea.  System jobs like nscd should not rely on data that can be
mucked with by unprivileged users.

Comment 8 Javier Palacios 2008-05-17 14:27:51 UTC
Created attachment 305807 [details]
SELinux policy from permissive mode

Comment 9 Javier Palacios 2008-05-17 14:37:46 UTC
I've not tested the /var/run/nscd yet, partly because that requires root
permissions for the credentials.

I've performed a first install with selinux in permissive mode. After performing
some task up to the login of a nss-ldap user, I've collected a SElinux policy
with audit2allow. On later installations, I load that policy, running `semodule
-i` on %post.

With this procedure I get a silent system working properly if the enforcing mode
is permissive, but if I switch to enforcing, non local users and groups are not
mapped although no selinux message appears on logs, and everything else is
exactly the same (I use two kickstart files which only differ on selinux entry)

Comment 10 Daniel Walsh 2008-05-19 18:49:11 UTC
semodule -DB 

Will turn off dontaudit rules.  Something is blocking an AVC in enforcing mode.

Probably a getattr on system_crond_tmp_t file

Attempt to login, additional avc's will be generated.

semodule -B 

Will turn the extra messages off again

Comment 11 Javier Palacios 2008-05-19 22:11:39 UTC
I will probably have no time to come back in a couple of days, but a fast test
in permissive mode shows one interesting entry that might have sense for you

allow semanage_t nscd_t:nscd shmemhost;

It might not be related, bu I've also noticed that nscd tends to die with this

Comment 12 Daniel Walsh 2008-05-20 00:20:25 UTC
Not likely related,

Comment 13 Javier Palacios 2008-06-05 21:56:30 UTC
I've probably found the solution. I will be able to reinstall in a couple of
days, but looks like the rules below work

allow nscd_t system_crond_tmp_t:file read;
allow nscd_t system_crond_tmp_t:file lock;
allow nscd_t system_chkpwd_t:dir search;

I'm not sure wether I've seen the lock one before, and it was the one that made
everything work.

On the way I did also upgraded a bunch of packages, so I'll come back with
(hopefully) the solution on clean and upgraded system.

Comment 14 Javier Palacios 2008-06-07 10:02:41 UTC
Finally, I got policies that work, both in fresh and upgraded systems. The
policy for nscd, which is actually required when using SASL-GSSAPI
authentication for the LDAP server is

allow nscd_t system_crond_tmp_t:file { read lock };
allow nscd_t krb5_conf_t:file getattr;
allow nscd_t system_chkpwd_t:dir search;

Althought not strictly related to this tickets, I did also enabled the policy
reported on bug 447096, and the policy below, which is closely related to bug
446482 :

allow local_login_t file_context_t:file { read getattr };
allow local_login_t krb5_conf_t:file write;
allow local_login_t self:process setfscreate;

allow sshd_t krb5_conf_t:file write;

allow xdm_t file_context_t:file { read getattr };
allow xdm_t krb5_conf_t:file { write getattr };
allow xdm_t self:process setfscreate;

Comment 15 Javier Palacios 2008-06-07 10:15:59 UTC
I have realized that the updated selinux-policy package version is 3.3.1-55, so
the policy for krb5 mentioned before can be safely removed.

Comment 16 Daniel Walsh 2008-06-10 20:13:14 UTC
So can you remove all of your modifications, and the policy works?

Please try with policy 62?

Comment 17 Daniel Walsh 2008-11-17 22:03:50 UTC
Closing all bugs that have been in modified for over a month.  Please reopen if the bug is not actually fixed.

Note You need to log in before you can comment on or make changes to this bug.