Description of problem:
When SSH is configured for GSSAPIAuthentication, login fails due to

type=1400 audit(1242475854.460:1685): avc: denied { read } for pid=2881 comm="sshd" name=".k5login" dev=sda1 ino=93471 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=file
type=1400 audit(1242475854.462:1686): avc: denied { open } for pid=2881 comm="sshd" name=".k5login" dev=sda1 ino=93471 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=file
type=1400 audit(1242475854.463:1687): avc: denied { getattr } for pid=2881 comm="sshd" path="/root/.k5login" dev=sda1 ino=93471 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=file

AVCs. Reading ~/.k5login is required for this kind of operation.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.6.12-34.fc11.noarch
openssh-server-5.2p1-2.fc11.x86_64
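The three AVC records in the description are the kind of evidence a policy maintainer or a SOC analyst has to read to decide whether a denial is a mislabelled file or a genuine attack. As an added example that is not part of the bug report or of selinux-policy, the script below parses audit AVC lines into fields, groups denials by source domain, target type and object, and unions the refused permissions so the triple (sshd_t, admin_home_t, .k5login) with {read, open, getattr} stands out; the sample log is constructed from the report's three lines plus one unrelated httpd denial, and the helper names are the author's own.

```python
import os
import re
from collections import defaultdict

# Constructed sample input: the three records quoted in the bug report, plus one
# unrelated denial so that the grouping step has something to separate out.
SAMPLE_AUDIT_LOG = """\
type=1400 audit(1242475854.460:1685): avc: denied { read } for pid=2881 comm="sshd" name=".k5login" dev=sda1 ino=93471 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=file
type=1400 audit(1242475854.462:1686): avc: denied { open } for pid=2881 comm="sshd" name=".k5login" dev=sda1 ino=93471 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=file
type=1400 audit(1242475854.463:1687): avc: denied { getattr } for pid=2881 comm="sshd" path="/root/.k5login" dev=sda1 ino=93471 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=file
type=1400 audit(1242475900.000:1700): avc: denied { write } for pid=3001 comm="httpd" name="index.html" dev=sda1 ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
"""

# Header of a type=1400 record: timestamp, serial, verdict and the permission set.
AVC_RE = re.compile(
    r'type=(?P<type>\w+) audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): '
    r'avc:\s+(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for (?P<rest>.*)'
)
# key=value pairs in the tail; values may be quoted (comm, name, path) or bare.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of the record's fields, or None if the line is not an AVC."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {k: m.group(k) for k in ('type', 'ts', 'serial', 'result')}
    rec['perms'] = m.group('perms').split()
    for key, val in KV_RE.findall(m.group('rest')):
        rec[key] = val.strip('"')
    # The third colon-separated field of a context is its type (sshd_t, admin_home_t).
    for ctx in ('scontext', 'tcontext'):
        if ctx in rec:
            parts = rec[ctx].split(':')
            rec[ctx + '_type'] = parts[2] if len(parts) > 2 else None
    return rec


def summarize_denials(log_text):
    """Group denials by (comm, source type, target type, class, basename) and
    union the permissions each group was refused. The result has the shape of
    the allow rule or relabel a maintainer must weigh, so one summary line
    replaces one record per syscall."""
    groups = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec['result'] != 'denied':
            continue
        # 'path' is absolute when the kernel had it; 'name' is the bare basename.
        name = os.path.basename(rec.get('path') or rec.get('name') or '')
        key = (rec.get('comm'), rec.get('scontext_type'),
               rec.get('tcontext_type'), rec.get('tclass'), name)
        groups[key].update(rec['perms'])
    return {k: sorted(v) for k, v in groups.items()}


def k5login_denials(summary):
    """Pick out the symptom from the report: sshd refused access to a .k5login
    file that still carries a home-directory label (admin_home_t, user_home_t).
    Such entries point at a labelling fix, not at an intrusion."""
    return {k: v for k, v in summary.items()
            if k[0] == 'sshd' and k[4] == '.k5login'
            and (k[2] or '').endswith('home_t')}


if __name__ == '__main__':
    summary = summarize_denials(SAMPLE_AUDIT_LOG)
    for key, perms in sorted(summary.items()):
        print(key, perms)
    print('k5login labelling problems:', k5login_denials(summary))
```

Run against a real `/var/log/audit/audit.log` slice, the grouping is what `audit2allow` would turn into an allow rule; the point of the `k5login_denials` filter is that the right fix here was a label change (chcon or a new file context), not a rule letting sshd_t read every admin_home_t file.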
Try this

chcon -t krb5_conf_t /root/.k5login

I am thinking of adding

HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_conf_t,s0)
/root/\.k5login -- gen_context(system_u:object_r:krb5_conf_t,s0)

Or adding a new type for kerberos.

Nalin what do you think? krb5_home_t?
I can login after doing the 'chcon'. Btw, ~/.rhosts should be handled in a similar way.
(In reply to comment #1)
> Try this
>
> chcon -t krb5_conf_t /root/.k5login
>
> I am thinking of adding
>
> HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_conf_t,s0)
> /root/\.k5login -- gen_context(system_u:object_r:krb5_conf_t,s0)
>
> Or adding a new type for kerberos.
>
> Nalin what do you think?

Marking ~/.k5login as readable (not writable, there's no need for that) by sshd sounds right to me. I like krb5_conf_t because it's already established that everybody can read that, but another label with that effect is fine, too. If we want to lock it down tighter later, we'll have to enumerate the confined daemons like ftpd and telnetd that also need to read the file, and we'll have to figure out what to do with ksu.
I am adding krb5_home_t and rlogind_home_t to label these files. Then I am allowing sshd, rlogind_t, rcpd_t, rshd_t to read them.

Fixed in selinux-policy-3.6.12-38.fc11
This bug appears to have been reported against 'rawhide' during the Fedora 11 development cycle. Changing version to '11'. More information and reason for this action is here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping