Bug 479773 - NIS authentication fails with SELinux set to enforcing

Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 10
Hardware/OS: x86_64 Linux
Priority: low
Severity: high
Assigned To: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Blocks: 517000
Reported: 2009-01-12 19:10 EST by Andrew John Hughes
Modified: 2009-08-19 11:27 EDT
Doc Type: Bug Fix
Last Closed: 2009-08-19 11:27:10 EDT

Attachments: None
Description Andrew John Hughes 2009-01-12 19:10:11 EST
Description of problem:

SELinux is preventing authentication via NIS.  Using su to become the user works fine, but login, either via the console, gdm or ssh, fails.

$ ssh sam@gondor
Connection closed by 192.168.0.10

from audit.log:

type=USER_ACCT msg=audit(1231805174.212:45): user pid=3196 uid=0 auid=0 ses=2 subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct="sam" exe="/usr/sbin/sshd" (hostname=rivendell.middle-earth.co.uk, addr=192.168.0.1, terminal=ssh res=failed)'
type=USER_LOGIN msg=audit(1231805174.212:46): user pid=3196 uid=0 auid=0 ses=2 subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 msg='acct="sam": exe="/usr/sbin/sshd" (hostname=?, addr=192.168.0.1, terminal=sshd res=failed)'

# getsebool use_nfs_home_dirs
use_nfs_home_dirs --> on

# getsebool allow_ypbind
allow_ypbind --> on

# authconfig --test
caching is disabled
nss_files is always enabled
nss_compat is disabled
nss_db is disabled
nss_hesiod is disabled
 hesiod LHS = ""
 hesiod RHS = ""
nss_ldap is disabled
 LDAP+TLS is disabled
 LDAP server = "ldap://127.0.0.1/"
 LDAP base DN = "dc=example,dc=com"
nss_nis is enabled
 NIS server = "192.168.0.1"
 NIS domain = "middle-earth.co.uk"
nss_nisplus is disabled
nss_winbind is disabled
 SMB workgroup = "MYGROUP"
 SMB servers = ""
 SMB security = "user"
 SMB realm = ""
 Winbind template shell = "/bin/false"
 SMB idmap uid = "16777216-33554431"
 SMB idmap gid = "16777216-33554431"
nss_wins is disabled
DNS preference over NSS or WINS is disabled
pam_unix is always enabled
 shadow passwords are enabled
 password hashing algorithm is sha512
pam_krb5 is disabled
 krb5 realm = "EXAMPLE.COM"
 krb5 realm via dns is disabled
 krb5 kdc = "kerberos.example.com:88"
 krb5 kdc via dns is disabled
 krb5 admin server = "kerberos.example.com:749"
pam_ldap is disabled
 LDAP+TLS is disabled
 LDAP server = "ldap://127.0.0.1/"
 LDAP base DN = "dc=example,dc=com"
pam_pkcs11 is disabled
 use only smartcard for login is disabled
 smartcard module = "coolkey"
 smartcard removal action = "Ignore"
pam_smb_auth is disabled
 SMB workgroup = "MYGROUP"
 SMB servers = ""
pam_winbind is disabled
 SMB workgroup = "MYGROUP"
 SMB servers = ""
 SMB security = "user"
 SMB realm = ""
pam_cracklib is enabled (try_first_pass retry=3)
pam_passwdqc is disabled ()
pam_access is disabled ()
pam_mkhomedir is disabled ()
Always authorize local users is disabled ()
Authenticate system accounts against network services is disabled

Version-Release number of selected component (if applicable):

F10 (both with original install and now with latest updates)

How reproducible:

Attempt to login using account information stored on a remote NIS server.

Steps to Reproduce:
1. Enter NIS username + password
Actual results:
Login fails with correct username+password.

Expected results:
Login allowed.

Additional info:
This is clearly due to SELinux, as 'setenforce 0' or changing to permissive mode in /etc/selinux/config allows the login.
Comment 1 Daniel Walsh 2009-01-13 10:07:21 EST
No AVCs reported.  Strange.  Could you execute:

# semanage permissive -a sshd_t
# semodule -DB

and then try to ssh into the machine, then look for sshd AVC messages.

Execute
# semanage permissive -d sshd_t
when you are done.
Comment 2 Andrew John Hughes 2009-01-14 13:36:29 EST
type=AVC msg=audit(1231958066.818:158): avc:  denied  { getattr } for  pid=4606 comm="unix_chkpwd" name="/" dev=selinuxfs ino=1 scontext=system_u:system_r:system_chkpwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=filesystem
type=AVC msg=audit(1231958066.818:159): avc:  denied  { search } for  pid=4606 comm="unix_chkpwd" name="/" dev=selinuxfs ino=1 scontext=system_u:system_r:system_chkpwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=dir
type=AVC msg=audit(1231958066.818:160): avc:  denied  { search } for  pid=4606 comm="unix_chkpwd" name="/" dev=selinuxfs ino=1 scontext=system_u:system_r:system_chkpwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=dir
type=AVC msg=audit(1231958066.819:161): avc:  denied  { name_bind } for  pid=4606 comm="unix_chkpwd" src=966 scontext=system_u:system_r:system_chkpwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=udp_socket
type=AVC msg=audit(1231958066.819:162): avc:  denied  { name_bind } for  pid=4606 comm="unix_chkpwd" src=967 scontext=system_u:system_r:system_chkpwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=udp_socket
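The script below is an added illustration, not code from the reporter or from the selinux-policy package. It walks through the two diagnostic steps the thread takes: comment 1 (a failed PAM login with no AVC record, which points at dontaudit rules hiding the denial until `semodule -DB`), and comment 2 (the AVC records that then appear, reduced to the allow rules a policy module would need). The sample strings are the audit records quoted above, constructed into Python literals; the rule strings have the shape audit2allow prints. Comment 3 shows the preferred fix, which calls the nis_authenticate() interface rather than adding raw allow rules.

```python
"""Triage SELinux audit records for a failed network login (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: the PAM records from the bug description (no AVC present).
AUDIT_BEFORE_DB = """\
type=USER_ACCT msg=audit(1231805174.212:45): user pid=3196 uid=0 auid=0 ses=2 subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct="sam" exe="/usr/sbin/sshd" (hostname=rivendell.middle-earth.co.uk, addr=192.168.0.1, terminal=ssh res=failed)'
type=USER_LOGIN msg=audit(1231805174.212:46): user pid=3196 uid=0 auid=0 ses=2 subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 msg='acct="sam": exe="/usr/sbin/sshd" (hostname=?, addr=192.168.0.1, terminal=sshd res=failed)'
"""

# Constructed sample: the AVC records from comment 2, logged after `semodule -DB`.
AUDIT_AFTER_DB = """\
type=AVC msg=audit(1231958066.818:158): avc:  denied  { getattr } for  pid=4606 comm="unix_chkpwd" name="/" dev=selinuxfs ino=1 scontext=system_u:system_r:system_chkpwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=filesystem
type=AVC msg=audit(1231958066.818:159): avc:  denied  { search } for  pid=4606 comm="unix_chkpwd" name="/" dev=selinuxfs ino=1 scontext=system_u:system_r:system_chkpwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=dir
type=AVC msg=audit(1231958066.818:160): avc:  denied  { search } for  pid=4606 comm="unix_chkpwd" name="/" dev=selinuxfs ino=1 scontext=system_u:system_r:system_chkpwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=dir
type=AVC msg=audit(1231958066.819:161): avc:  denied  { name_bind } for  pid=4606 comm="unix_chkpwd" src=966 scontext=system_u:system_r:system_chkpwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=udp_socket
type=AVC msg=audit(1231958066.819:162): avc:  denied  { name_bind } for  pid=4606 comm="unix_chkpwd" src=967 scontext=system_u:system_r:system_chkpwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=udp_socket
"""

# Permission set plus the source/target contexts and object class of one AVC record.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
# PAM login-path records that report a failed result.
AUTH_FAIL_RE = re.compile(r"^type=(USER_AUTH|USER_ACCT|USER_LOGIN)\b.*\bres=failed\b", re.M)


@dataclass(frozen=True)
class Denial:
    source_type: str
    target_type: str
    tclass: str
    perms: frozenset


def _type_of(context):
    # A context is user:role:type[:range]; the type is what policy rules name.
    return context.split(":")[2]


def parse_denials(text):
    out = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            out.append(Denial(_type_of(m["scontext"]), _type_of(m["tcontext"]),
                              m["tclass"], frozenset(m["perms"].split())))
    return out


def allow_rules(denials):
    # Merge repeated denials on the same (source, target, class) into one rule.
    merged = defaultdict(set)
    for d in denials:
        merged[(d.source_type, d.target_type, d.tclass)] |= d.perms
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        p = " ".join(sorted(perms))
        if len(perms) > 1:
            p = "{ %s }" % p
        rules.append("allow %s %s:%s %s;" % (src, tgt, cls, p))
    return rules


def diagnose(text):
    failures = len(AUTH_FAIL_RE.findall(text))
    denials = parse_denials(text)
    if failures and not denials:
        hint = ("login failed but no AVC was logged: the denial is probably dontaudited; "
                "run 'semodule -DB', retry the login, then 'semodule -B' to restore")
    elif denials:
        hint = "AVC denials found: prefer a policy interface covering them over raw allow rules"
    else:
        hint = "no authentication failure or AVC denial in input"
    return {"auth_failures": failures, "denials": len(denials),
            "rules": allow_rules(denials), "hint": hint}


if __name__ == "__main__":
    for label, text in (("before semodule -DB", AUDIT_BEFORE_DB),
                        ("after semodule -DB", AUDIT_AFTER_DB)):
        result = diagnose(text)
        print("%s -> %s" % (label, result["hint"]))
        for rule in result["rules"]:
            print("    " + rule)
```

Run as a script it prints the hint and rules for both samples; on a real system, feed it the sshd-related lines from /var/log/audit/audit.log. The three rules it derives (selinuxfs getattr/search on security_t, and UDP name_bind on hi_reserved_port_t for the RPC call to the NIS server) are exactly what the nis_authenticate() interface in comment 3 grants to system_chkpwd_t, which is why the interface call, not the raw rules, is the right thing to ship in policy.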
Comment 3 Daniel Walsh 2009-01-14 14:59:10 EST
If you create mynis.te to look like the following:

# cat mynis.te
# Local policy module: let unix_chkpwd (system_chkpwd_t) talk to NIS.
policy_module(mynis, 1.0)

gen_require(`
	# Declared by the base policy; we only reference it here.
	type system_chkpwd_t;
')

# Interface from the base policy granting what NIS authentication needs.
nis_authenticate(system_chkpwd_t)


Then execute
# make -f /usr/share/selinux/devel/Makefile
# semodule -i mynis.pp

Does NIS work in enforcing mode?
Comment 4 Andrew John Hughes 2009-01-20 04:32:03 EST
Yes.
Comment 5 Daniel Walsh 2009-01-20 10:53:40 EST
Miroslav can you add this to F9 and F10 policy.
Comment 6 Miroslav Grepl 2009-01-21 07:35:04 EST
Fixed in selinux-policy-3.5.13-40.fc10.noarch
Comment 7 Miroslav Grepl 2009-08-19 11:27:10 EDT
Closing all bugs that have been in MODIFIED for over a month.  Please reopen if the bug is not actually fixed.