This service will be undergoing maintenance at 00:00 UTC, 2017-10-23 It is expected to last about 30 minutes
Bug 485988 - SELinux prevents sshd/pam_krb5 from attaching to shared memory segments
SELinux prevents sshd/pam_krb5 from attaching to shared memory segments
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
10
All Linux
low Severity medium
: ---
: ---
Assigned To: Miroslav Grepl
Ben Levenson
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2009-02-17 14:36 EST by Ben Webb
Modified: 2009-11-18 06:26 EST (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-11-18 06:26:52 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Ben Webb 2009-02-17 14:36:29 EST
Description of problem:
We have sshd set up on our systems to authenticate against our Kerberos infrastructure (using pam_krb5). So users logging in to our systems will either already have a Kerberos token (in which case they will get in without being prompted for their passphrase again) or they will be prompted for their passphrase which will then be used to get a Kerberos token on the server.

Since F10, we get errors in the logs every time a user logs in with a passphrase. SELinux appears to be preventing sshd from attaching to a shared memory segment. Logins do, however, appear to complete successfully.

Version-Release number of selected component (if applicable):
openssh-server-5.1p1-3.fc10.x86_64
selinux-policy-targeted-3.5.13-44.fc10.noarch
pam_krb5-2.3.2-1.fc10.x86_64


How reproducible:
Always.


Steps to Reproduce:
1. kinit; ssh myserver
2. kdestroy; ssh myserver
  
Actual results:
Successful login to myserver both times - (1) without a passphrase, (2) with a prompt for a passphrase. But with (2) we see the following in /var/log/messages on myserver:
Feb 17 11:15:56 myserver kernel: type=1400 audit(1234898156.978:51): avc:  denied  { read write } for  pid=24208 comm="sshd" path=2F535953563030303030303030202864656C6574656429 dev=tmpfs ino=14385156 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file
Feb 17 11:15:56 myserver kernel: type=1400 audit(1234898156.979:52): avc:  denied  { read write } for  pid=24208 comm="sshd" path=2F535953563030303030303030202864656C6574656429 dev=tmpfs ino=14417924 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file

and in /var/log/secure we see:
Feb 17 11:15:56 myserver sshd[24208]: pam_krb5[24208]: failed to attach to shmem segment 14385156
Feb 17 11:15:56 myserver sshd[24208]: pam_krb5[24208]: error saving v5 credential state to shared memory segment
Feb 17 11:15:56 myserver sshd[24208]: pam_krb5[24208]: failed to attach to shmem segment 14417924
Feb 17 11:15:56 myserver sshd[24208]: pam_krb5[24208]: error saving v4 credential state to shared memory segment

For (1) we don't see either set of errors.


Expected results:
Logging in with a passphrase (2) should work in exactly the same as with a Kerberos token (1), with no errors reported in the system logs.

Additional info:
On other F10 system that has SELinux disabled, we don't see either the AVCs (obviously) or the pam_krb5 shmem errors with either login method.
Comment 1 Miroslav Grepl 2009-02-18 03:39:49 EST
Fixed in selinux-policy-3.5.13-45.fc10
Comment 2 Bug Zapper 2009-11-18 06:07:57 EST
This message is a reminder that Fedora 10 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 10.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '10'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 10's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 10 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Note You need to log in before you can comment on or make changes to this bug.