Description of problem:
SELinux policy prevents krb5 logins

Version-Release number of selected component (if applicable):
selinux-policy-3.6.12-39.fc11

How reproducible:
Very

Steps to Reproduce:
1. Enable Kerberos logins with preauthentication (preauth may not be necessary)
2. Try to login

Actual results:
Login incorrect

Expected results:
Login successful

Additional info:

Summary:
SELinux is preventing login (local_login_t) "getattr" krb5_host_rcache_t.

Detailed Description:
SELinux denied access requested by login. It is not expected that this access is required by login and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:
You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:
Source Context                system_u:system_r:local_login_t:s0-s0:c0.c1023
Target Context                system_u:object_r:krb5_host_rcache_t:s0
Target Objects                /var/tmp/host_0 [ file ]
Source                        login
Source Path                   /bin/login
Port                          <Unknown>
Host                          hostname.deleted
Source RPM Packages           util-linux-ng-2.14.2-8.fc11
Target RPM Packages
Policy RPM                    selinux-policy-3.6.12-39.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     hostname.deleted
Platform                      Linux hostname.deleted 2.6.29.3-155.fc11.x86_64 #1 SMP Wed May 20 17:43:16 EDT 2009 x86_64 x86_64
Alert Count                   3
First Seen                    Thu May 28 09:04:17 2009
Last Seen                     Thu May 28 09:13:21 2009
Local ID                      227ee536-cc3f-4a3a-bb3f-af542259dfd1
Line Numbers

Raw Audit Messages
node=hostname.deleted type=AVC msg=audit(1243523601.369:442): avc: denied { getattr } for pid=8125 comm="login" path="/var/tmp/host_0" dev=dm-0 ino=278520 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:krb5_host_rcache_t:s0 tclass=file

node=hostname.deleted type=SYSCALL msg=audit(1243523601.369:442): arch=c000003e syscall=4 success=no exit=-13 a0=138f6d0 a1=7fff9e5c6840 a2=7fff9e5c6840 a3=10 items=0 ppid=1 pid=8125 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty2 ses=4294967295 comm="login" exe="/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
Similar problems with gdm and presumably kdm-based logins, and any other window manager that handles logins.

Summary:
SELinux is preventing gdm-session-wor (xdm_t) "getattr" krb5_host_rcache_t.

Detailed Description:
SELinux denied access requested by gdm-session-wor. It is not expected that this access is required by gdm-session-wor and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:
You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:
Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:krb5_host_rcache_t:s0
Target Objects                /var/tmp/host_0 [ file ]
Source                        gdm-session-wor
Source Path                   /usr/libexec/gdm-session-worker
Port                          <Unknown>
Host                          hostname.deleted
Source RPM Packages           gdm-2.26.1-10.fc11
Target RPM Packages
Policy RPM                    selinux-policy-3.6.12-39.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     hostname.deleted
Platform                      Linux hostname.deleted 2.6.29.3-155.fc11.x86_64 #1 SMP Wed May 20 17:43:16 EDT 2009 x86_64 x86_64
Alert Count                   6
First Seen                    Thu May 28 08:17:20 2009
Last Seen                     Thu May 28 10:48:15 2009
Local ID                      7a152a38-018e-44ab-ba28-a99542784c07
Line Numbers

Raw Audit Messages
node=hostname.deleted type=AVC msg=audit(1243529295.299:479): avc: denied { getattr } for pid=8947 comm="gdm-session-wor" path="/var/tmp/host_0" dev=dm-0 ino=278520 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:krb5_host_rcache_t:s0 tclass=file

node=hostname.deleted type=SYSCALL msg=audit(1243529295.299:479): arch=c000003e syscall=4 success=no exit=-13 a0=17cafe0 a1=7fff77472cb0 a2=7fff77472cb0 a3=10 items=0 ppid=8819 pid=8947 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="gdm-session-wor" exe="/usr/libexec/gdm-session-worker" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
Nalin, do the login files need more access than just getattr?

Fixed in selinux-policy-3.6.12-44.fc11
(In reply to comment #2)
> Nalin, do the login files need more access than just getattr?

Most likely, yes. Credential verification uses the same code paths that a networked server uses when acting as the server half of a Kerberos-authenticated session, and part of that function is to use the replay cache.
Do they need read or the ability to create the replay cache?
Yes, they need to be able to create and read/write the files.
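The raw AVC records in this report are what a local policy module (the audit2allow route the FAQ link describes) is generated from. As an added example that is not part of this bug report, the POSIX shell function below extracts the source type, target type, object class and denied permissions from audit lines and prints the allow rule a local module would carry, merging repeated alerts for the same type pair into one rule; the first AVC lines in the sample input are copied from this report, the last one is constructed to show the merge.

```shell
#!/bin/sh
# Added example: reduce raw AVC records to the allow rules a local policy
# module would contain. audit2allow does this for real; this shows the mapping.
avc_to_allow() {
  awk '
    /type=AVC/ && /avc: *denied/ {
      # denied permissions sit between the braces: "denied { getattr }"
      b = index($0, "{"); e = index($0, "}")
      if (b == 0 || e <= b) next              # malformed record, skip it
      perms = substr($0, b + 1, e - b - 1)
      src = tgt = cls = ""
      for (i = 1; i <= NF; i++) {
        # the third colon-separated part of a context is its type (e.g. local_login_t)
        if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
        else if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
        else if ($i ~ /^tclass=/) { cls = substr($i, 8) }
      }
      if (src == "" || tgt == "" || cls == "") next
      key = src SUBSEP tgt SUBSEP cls
      if (!(key in rule)) { rule[key] = ""; keys[++cnt] = key }
      # union of permissions per (source type, target type, class)
      n = split(perms, p, " ")
      for (j = 1; j <= n; j++) { if (!((key, p[j]) in seen)) { seen[key, p[j]] = 1; rule[key] = rule[key] " " p[j] } }
    }
    END {
      for (k = 1; k <= cnt; k++) {
        split(keys[k], f, SUBSEP)
        printf "allow %s %s:%s {%s };\n", f[1], f[2], f[3], rule[keys[k]]
      }
    }'
}

# Sample input: the login and gdm-session-worker AVC lines from this report
# (the SYSCALL record is ignored), plus one CONSTRUCTED xdm_t line so two
# alerts for the same type pair merge into a single rule.
avc_to_allow <<'EOF'
node=hostname.deleted type=AVC msg=audit(1243523601.369:442): avc: denied { getattr } for pid=8125 comm="login" path="/var/tmp/host_0" dev=dm-0 ino=278520 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:krb5_host_rcache_t:s0 tclass=file
node=hostname.deleted type=SYSCALL msg=audit(1243523601.369:442): arch=c000003e syscall=4 success=no exit=-13 comm="login" exe="/bin/login"
node=hostname.deleted type=AVC msg=audit(1243529295.299:479): avc: denied { getattr } for pid=8947 comm="gdm-session-wor" path="/var/tmp/host_0" dev=dm-0 ino=278520 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:krb5_host_rcache_t:s0 tclass=file
node=constructed type=AVC msg=audit(0.0:0): avc: denied { read write } for pid=1 comm="gdm-session-wor" path="/var/tmp/host_0" scontext=system_u:system_r:xdm_t:s0 tcontext=system_u:object_r:krb5_host_rcache_t:s0 tclass=file
EOF
```

The output is the rule body a module built with audit2allow -M would carry; the permanent fix is the updated selinux-policy package named in this report rather than a local module.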
Tested selinux-policy-3.6.12-44.fc11
Login/gdm/kdm now work for Kerberos authentication.
Marked bug as closed/rawhide