Bug 501107 - AVC when sshd tries to read /root/.k5login
Summary: AVC when sshd tries to read /root/.k5login
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 11
Hardware: All
OS: Linux
Priority: low
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2009-05-16 12:12 UTC by Enrico Scholz
Modified: 2010-01-08 13:46 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-11-18 13:09:38 UTC
Type: ---
Embargoed:



Description Enrico Scholz 2009-05-16 12:12:24 UTC
Description of problem:

When SSH is configured for GSSAPIAuthentication, login fails due to

| type=1400 audit(1242475854.460:1685): avc:  denied  { read } for  pid=2881 comm="sshd" name=".k5login" dev=sda1 ino=93471 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=file
| type=1400 audit(1242475854.462:1686): avc:  denied  { open } for  pid=2881 comm="sshd" name=".k5login" dev=sda1 ino=93471 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=file
| type=1400 audit(1242475854.463:1687): avc:  denied  { getattr } for  pid=2881 comm="sshd" path="/root/.k5login" dev=sda1 ino=93471 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=file

AVCs.  Reading ~/.k5login is required for this kind of operation.


Version-Release number of selected component (if applicable):

selinux-policy-targeted-3.6.12-34.fc11.noarch
openssh-server-5.2p1-2.fc11.x86_64

Comment 1 Daniel Walsh 2009-05-16 12:26:16 UTC
Try this 

chcon -t krb5_conf_t /root/.k5login

I am thinking of adding

HOME_DIR/\.k5login		--	gen_context(system_u:object_r:krb5_conf_t,s0)
/root/\.k5login			--	gen_context(system_u:object_r:krb5_conf_t,s0)

Or adding a new type for kerberos.

Nalin what do you think?

krb5_home_t?
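
Added example (not code from the bug report or from selinux-policy): a small Python script that parses the three AVC records quoted in the description, groups the denied permissions by source type, target type and class the way a policy writer would before deciding between a relabel and a new allow rule, and then checks the denied path against the two file_contexts entries proposed above to see what type the file should carry. The HOME_DIR expansion is a simplified stand-in for what genhomedircon does, the home directory list is constructed, and the last-match rule follows file_contexts semantics as documented for setfiles; all three are assumptions, not something this bug states.

```python
import re

# Sample input: the three AVC records quoted in the bug description.
SAMPLE_AVCS = """\
type=1400 audit(1242475854.460:1685): avc:  denied  { read } for  pid=2881 comm="sshd" name=".k5login" dev=sda1 ino=93471 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=file
type=1400 audit(1242475854.462:1686): avc:  denied  { open } for  pid=2881 comm="sshd" name=".k5login" dev=sda1 ino=93471 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=file
type=1400 audit(1242475854.463:1687): avc:  denied  { getattr } for  pid=2881 comm="sshd" path="/root/.k5login" dev=sda1 ino=93471 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=file
"""

# The two file_contexts entries proposed in comment 1 (the final fix in
# comment 4 used a dedicated krb5_home_t type instead of krb5_conf_t).
PROPOSED_FC = r"""
HOME_DIR/\.k5login   --  gen_context(system_u:object_r:krb5_conf_t,s0)
/root/\.k5login      --  gen_context(system_u:object_r:krb5_conf_t,s0)
"""

# Constructed list of home directories used to expand HOME_DIR (assumption:
# the real list comes from the password database via genhomedircon).
HOME_DIRS = ["/home/enrico"]

AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
FC_RE = re.compile(r"^(\S+)\s+(?:(-[-bcdlps])\s+)?gen_context\(([^,]+),(\S+)\)$")


def parse_avc(line):
    """Turn one kernel AVC record into a dict, or None if it is not an AVC line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"result": m.group(1), "perms": m.group(2).split()}
    for key, val in FIELD_RE.findall(m.group(3)):
        rec[key] = val.strip('"')
    # The type is the third field of a context (user:role:type[:range]).
    rec["source_type"] = rec["scontext"].split(":")[2]
    rec["target_type"] = rec["tcontext"].split(":")[2]
    return rec


def summarize_denials(text):
    """Group denied permissions by (source type, target type, class)."""
    summary = {}
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec and rec["result"] == "denied":
            key = (rec["source_type"], rec["target_type"], rec["tclass"])
            summary.setdefault(key, set()).update(rec["perms"])
    return summary


def load_file_contexts(text, home_dirs):
    """Parse file_contexts lines into (regex, file type flag, SELinux type),
    expanding HOME_DIR once per home directory (simplified genhomedircon)."""
    specs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = FC_RE.match(line)
        if not m:
            raise ValueError("unparseable file_contexts line: " + line)
        pattern, ftype, ctx, _mls = m.groups()
        se_type = ctx.split(":")[2]
        if pattern.startswith("HOME_DIR"):
            for home in home_dirs:
                specs.append((re.compile(re.escape(home) + pattern[len("HOME_DIR"):]), ftype, se_type))
        else:
            specs.append((re.compile(pattern), ftype, se_type))
    return specs


def expected_type(path, specs, is_dir=False):
    """Type the last matching spec assigns to path (entries are anchored
    regexes; a '--' entry only applies to regular files, '-d' to directories)."""
    want = "-d" if is_dir else "--"
    result = None
    for regex, ftype, se_type in specs:
        if ftype in (None, want) and regex.fullmatch(path):
            result = se_type
    return result


def relabel_candidates(text, specs):
    """Denials whose target path carries a different type from the one the
    specs assign: those are fixed by restorecon, not by a new allow rule."""
    out = []
    for line in text.splitlines():
        rec = parse_avc(line)
        if not rec or "path" not in rec:
            continue  # records that only carry name= give no full path to match
        want = expected_type(rec["path"], specs, is_dir=(rec["tclass"] == "dir"))
        if want and want != rec["target_type"]:
            out.append({"path": rec["path"], "current": rec["target_type"], "expected": want})
    return out


if __name__ == "__main__":
    specs = load_file_contexts(PROPOSED_FC, HOME_DIRS)
    for key, perms in summarize_denials(SAMPLE_AVCS).items():
        print(key, sorted(perms))
    for cand in relabel_candidates(SAMPLE_AVCS, specs):
        print(cand)
```

Only the third record carries a path= field, so only that one can be checked against file_contexts; the first two carry just name= and ino=, which is why the summary by type pair is the more useful view when deciding what to relabel.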

Comment 2 Enrico Scholz 2009-05-16 13:07:28 UTC
I can login after doing the 'chcon'.

Btw, ~/.rhosts should be handled in a similar way.

Comment 3 Nalin Dahyabhai 2009-05-18 16:38:21 UTC
(In reply to comment #1)
> Try this 
> 
> chcon -t krb5_conf_t /root/.k5login
> 
> I am thinking of adding
> 
> HOME_DIR/\.k5login  -- gen_context(system_u:object_r:krb5_conf_t,s0)
> /root/\.k5login   -- gen_context(system_u:object_r:krb5_conf_t,s0)
> 
> Or adding a new type for kerberos.
> 
> Nalin what do you think?

Marking ~/.k5login as readable (not writable, there's no need for that) by sshd sounds right to me.  I like krb5_conf_t because it's already established that everybody can read that, but another label with that effect is fine, too.

If we want to lock it down tighter later, we'll have to enumerate the confined daemons like ftpd and telnetd that also need to read the file, and we'll have to figure out what to do with ksu.

Comment 4 Daniel Walsh 2009-05-18 17:02:26 UTC
I am adding krb5_home_t and rlogind_home_t to label these files.

Then I am allowing sshd, rlogind_t, rcpd_t, rshd_t to read them.

Fixed in selinux-policy-3.6.12-38.fc11
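
Added example (not the actual selinux-policy rules): a Python replay of the denials from the description against an assumed reconstruction of the allow rules comment 4 describes, to show why both halves of the fix are needed. The rules alone do nothing while /root/.k5login is still admin_home_t; once the file is relabeled to krb5_home_t the three denials disappear, while write access for sshd_t and read access for a daemon not listed in comment 4 (ftpd_t, named in comment 3) stay denied. The rule text, the read_file_perms expansion and the denial tuples are constructed for this example.

```python
import re

# Assumed reconstruction of the rules comment 4 describes (not the policy
# source): the named daemons get read access to the two new home-file types.
NEW_RULES = """
allow sshd_t { krb5_home_t rlogind_home_t }:file read_file_perms;
allow { rlogind_t rcpd_t rshd_t } { krb5_home_t rlogind_home_t }:file read_file_perms;
"""

# Permission-set macro as this example expands it (assumption: mirrors the
# refpolicy definition of read_file_perms).
PERM_SETS = {"read_file_perms": {"getattr", "open", "read", "lock", "ioctl"}}

# The reported denials, reduced to (source type, target type, class, permission).
DENIALS = [
    ("sshd_t", "admin_home_t", "file", "read"),
    ("sshd_t", "admin_home_t", "file", "open"),
    ("sshd_t", "admin_home_t", "file", "getattr"),
]

RULE_RE = re.compile(r"^allow\s+(\{[^}]*\}|\S+)\s+(\{[^}]*\}|\S+):(\S+)\s+(\{[^}]*\}|\S+);$")


def _expand(token, macros=None):
    """'{ a b }' becomes {a, b}; a bare name is itself unless it is a known macro."""
    if token.startswith("{"):
        return set(token.strip("{}").split())
    if macros and token in macros:
        return set(macros[token])
    return {token}


def parse_te_rules(text):
    """Parse simple 'allow src tgt:class perms;' statements into
    (sources, targets, class, permissions) tuples."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unsupported rule syntax: " + line)
        src, tgt, cls, perms = m.groups()
        rules.append((_expand(src), _expand(tgt), cls, _expand(perms, PERM_SETS)))
    return rules


def is_allowed(rules, src, tgt, cls, perm):
    """True if any rule grants perm on cls from src to tgt."""
    return any(src in s and tgt in t and cls == c and perm in p for s, t, c, p in rules)


def remaining_denials(denials, rules, relabel=None):
    """Replay denials against a rule set. relabel maps a target type to the
    type the file would carry after restorecon with the new file_contexts."""
    relabel = relabel or {}
    left = []
    for src, tgt, cls, perm in denials:
        tgt = relabel.get(tgt, tgt)
        if not is_allowed(rules, src, tgt, cls, perm):
            left.append((src, tgt, cls, perm))
    return left


if __name__ == "__main__":
    rules = parse_te_rules(NEW_RULES)
    print("rules only:   ", remaining_denials(DENIALS, rules))
    print("after relabel:", remaining_denials(DENIALS, rules, {"admin_home_t": "krb5_home_t"}))
    print("sshd_t write: ", is_allowed(rules, "sshd_t", "krb5_home_t", "file", "write"))
    print("ftpd_t read:  ", is_allowed(rules, "ftpd_t", "krb5_home_t", "file", "read"))
```

The last two checks are the part a reviewer cares about: the new types widen access only to read-class permissions for the daemons that were enumerated, so a daemon that also needs ~/.k5login but was not listed would still produce an AVC rather than silently inheriting access.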

Comment 5 Bug Zapper 2009-06-09 15:55:31 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 11 development cycle.
Changing version to '11'.

More information and the reason for this action are here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
