Bug 501107 - AVC when sshd tries to read /root/.k5login
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 11
Hardware: All
OS: Linux
Priority: low
Severity: medium
Assigned To: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Reported: 2009-05-16 08:12 EDT by Enrico Scholz
Modified: 2010-01-08 08:46 EST

Doc Type: Bug Fix
Last Closed: 2009-11-18 08:09:38 EST
Description Enrico Scholz 2009-05-16 08:12:24 EDT
Description of problem:

When SSH is configured for GSSAPIAuthentication, login fails due to

| type=1400 audit(1242475854.460:1685): avc:  denied  { read } for  pid=2881 comm="sshd" name=".k5login" dev=sda1 ino=93471 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=file
| type=1400 audit(1242475854.462:1686): avc:  denied  { open } for  pid=2881 comm="sshd" name=".k5login" dev=sda1 ino=93471 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=file
| type=1400 audit(1242475854.463:1687): avc:  denied  { getattr } for  pid=2881 comm="sshd" path="/root/.k5login" dev=sda1 ino=93471 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=file

AVCs.  Reading ~/.k5login is required for this kind of operation.


Version-Release number of selected component (if applicable):

selinux-policy-targeted-3.6.12-34.fc11.noarch
openssh-server-5.2p1-2.fc11.x86_64
Comment 1 Daniel Walsh 2009-05-16 08:26:16 EDT
Try this 

chcon -t krb5_conf_t /root/.k5login

I am thinking of adding

HOME_DIR/\.k5login		--	gen_context(system_u:object_r:krb5_conf_t,s0)
/root/\.k5login			--	gen_context(system_u:object_r:krb5_conf_t,s0)

Or adding a new type for kerberos.

Nalin what do you think?

krb5_home_t?
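An added example, written for this page and not taken from the reporter, the selinux-policy maintainers or the Fedora project, covering two things a practitioner does with the material above: folding the three denials quoted in the description into a single audit2allow-style rule (so the domain, target type, class and permission set are visible at a glance before deciding between a relabel and a policy change), and generating file_contexts entries of the exact form proposed in comment 1. It assumes only POSIX sh with awk, sed and sort. The function names `avc_summarise` and `fcontext_spec` are mine; the sample AVC records are the three lines from the report, embedded as constructed input so the script runs offline.

```shell
#!/bin/sh
# Added example, not part of the bug report. Two helpers for the
# material above: avc_summarise() folds AVC denials into audit2allow-style
# allow rules; fcontext_spec() builds a file_contexts entry of the kind
# proposed in comment 1. Needs only POSIX sh, awk, sed and sort.

# Constructed sample input: the three denials quoted in the description.
AVC_SAMPLE='type=1400 audit(1242475854.460:1685): avc:  denied  { read } for  pid=2881 comm="sshd" name=".k5login" dev=sda1 ino=93471 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=file
type=1400 audit(1242475854.462:1686): avc:  denied  { open } for  pid=2881 comm="sshd" name=".k5login" dev=sda1 ino=93471 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=file
type=1400 audit(1242475854.463:1687): avc:  denied  { getattr } for  pid=2881 comm="sshd" path="/root/.k5login" dev=sda1 ino=93471 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=file'

# avc_summarise: read AVC records on stdin and print one
#   allow SRC_TYPE TGT_TYPE:CLASS { perm ... };
# line per (source type, target type, class), with the permissions of all
# matching records merged and sorted. Only the type component of each
# context is kept, because that is what a policy rule is written against.
avc_summarise() {
    LC_ALL=C awk '
    /avc: *denied/ {
        perms = ""
        # the permission list is the text between "{" and "}"
        if (match($0, /\{[^}]*\}/))
            perms = substr($0, RSTART + 1, RLENGTH - 2)
        src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            eq = index($i, "=")
            if (eq == 0) continue
            k = substr($i, 1, eq - 1); v = substr($i, eq + 1)
            if (k == "scontext") src = v
            else if (k == "tcontext") tgt = v
            else if (k == "tclass") cls = v
        }
        # user:role:type[:range] -> third field is the type
        split(src, s, ":"); split(tgt, t, ":")
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++)
            if (p[j] != "") print s[3], t[3], cls, p[j]
    }' | LC_ALL=C sort -u | awk '
    {
        key = $1 " " $2 ":" $3
        if (key != prev) {
            if (prev != "") print "allow " prev " { " acc " };"
            prev = key; acc = $4
        } else {
            acc = acc " " $4
        }
    }
    END { if (prev != "") print "allow " prev " { " acc " };" }'
}

# fcontext_spec PATH TYPE: emit a file_contexts line for a regular file
# ("--" column). The first column is a regular expression, so every "."
# in the path is escaped as "\." exactly as in the entries proposed in
# comment 1; the HOME_DIR placeholder can be passed literally.
fcontext_spec() {
    escaped=$(printf '%s\n' "$1" | sed 's/\./\\./g')
    printf '%s\t--\tgen_context(system_u:object_r:%s,s0)\n' "$escaped" "$2"
}

# Usage on the sample: the rule sshd_t would need on the mislabelled file,
# then the two file_contexts lines from comment 1 (workaround type krb5_conf_t).
printf '%s\n' "$AVC_SAMPLE" | avc_summarise
fcontext_spec 'HOME_DIR/.k5login' krb5_conf_t
fcontext_spec '/root/.k5login' krb5_conf_t
```

The summary line the script prints for the report's three denials is `allow sshd_t admin_home_t:file { getattr open read };`, which is the rule audit2allow would also derive from them, and it makes the design question in this bug concrete: granting sshd_t that access on admin_home_t in general would let the daemon read everything under /root, so the fix is to give ~/.k5login a type of its own that sshd_t may read. Note that `chcon` only rewrites the label on the inode and is undone by the next `restorecon` or filesystem relabel; a file_contexts entry like the ones generated above (or, on a deployed system, `semanage fcontext -a -t TYPE 'REGEX'` followed by `restorecon -v PATH`) is what makes the label persistent.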
Comment 2 Enrico Scholz 2009-05-16 09:07:28 EDT
I can login after doing the 'chcon'.

Btw, ~/.rhosts should be handled in a similar way.
Comment 3 Nalin Dahyabhai 2009-05-18 12:38:21 EDT
(In reply to comment #1)
> Try this 
> 
> chcon -t krb5_conf_t /root/.k5login
> 
> I am thinking of adding
> 
> HOME_DIR/\.k5login  -- gen_context(system_u:object_r:krb5_conf_t,s0)
> /root/\.k5login   -- gen_context(system_u:object_r:krb5_conf_t,s0)
> 
> Or adding a new type for kerberos.
> 
> Nalin what do you think?

Marking ~/.k5login as readable (not writable, there's no need for that) by sshd sounds right to me.  I like krb5_conf_t because it's already established that everybody can read that, but another label with that effect is fine, too.

If we want to lock it down tighter later, we'll have to enumerate the confined daemons like ftpd and telnetd that also need to read the file, and we'll have to figure out what to do with ksu.
Comment 4 Daniel Walsh 2009-05-18 13:02:26 EDT
I am adding krb5_home_t and rlogind_home_t to label these files.

Then I am allowing sshd, rlogind_t, rcpd_t, rshd_t to read them.

Fixed in selinux-policy-3.6.12-38.fc11
Comment 5 Bug Zapper 2009-06-09 11:55:31 EDT
This bug appears to have been reported against 'rawhide' during the Fedora 11 development cycle.
Changing version to '11'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
