Bug 503061 - SELinux is preventing login (local_login_t) "getattr" krb5_host_rcache_t
SELinux is preventing login (local_login_t) "getattr" krb5_host_rcache_t
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
rawhide
x86_64 Linux
low Severity medium
: ---
: ---
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2009-05-28 11:44 EDT by Tim Scofield
Modified: 2009-06-01 16:25 EDT (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 505408 (view as bug list)
Environment:
Last Closed: 2009-06-01 16:25:18 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Tim Scofield 2009-05-28 11:44:38 EDT
Description of problem: SELinux policy prevents krb5 logins


Version-Release number of selected component (if applicable):
selinux-policy-3.6.12-39.fc11

How reproducible: Very


Steps to Reproduce:
1. Enable Kerberos logins with preauthentication(preauth may not be necessary)
2. Try to login

  
Actual results:
Login incorrect

Expected results:
Login successful

Additional info:
Summary:

SELinux is preventing login (local_login_t) "getattr" krb5_host_rcache_t.

Detailed Description:

SELinux denied access requested by login. It is not expected that this access is
required by login and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:local_login_t:s0-s0:c0.c1023
Target Context                system_u:object_r:krb5_host_rcache_t:s0
Target Objects                /var/tmp/host_0 [ file ]
Source                        login
Source Path                   /bin/login
Port                          <Unknown>
Host                          hostname.deleted
Source RPM Packages           util-linux-ng-2.14.2-8.fc11
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.12-39.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     hostname.deleted
Platform                      Linux hostname.deleted
                              2.6.29.3-155.fc11.x86_64 #1 SMP Wed May 20
                              17:43:16 EDT 2009 x86_64 x86_64
Alert Count                   3
First Seen                    Thu May 28 09:04:17 2009
Last Seen                     Thu May 28 09:13:21 2009
Local ID                      227ee536-cc3f-4a3a-bb3f-af542259dfd1
Line Numbers                  

Raw Audit Messages            

node=hostname.deleted type=AVC msg=audit(1243523601.369:442): avc:  denied  { ge
tattr } for  pid=8125 comm="login" path="/var/tmp/host_0" dev=dm-0 ino=278520 sc
ontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r
:krb5_host_rcache_t:s0 tclass=file

node=hostname.deleted type=SYSCALL msg=audit(1243523601.369:442): arch=c000003e 
syscall=4 success=no exit=-13 a0=138f6d0 a1=7fff9e5c6840 a2=7fff9e5c6840 a3=10 i
tems=0 ppid=1 pid=8125 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 
sgid=0 fsgid=0 tty=tty2 ses=4294967295 comm="login" exe="/bin/login" subj=system
_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
Comment 1 Tim Scofield 2009-05-28 13:53:17 EDT
Similar problems with gdm and presumably kdm based logins, and any other window manager that handles logins.

Summary:

SELinux is preventing gdm-session-wor (xdm_t) "getattr" krb5_host_rcache_t.

Detailed Description:

SELinux denied access requested by gdm-session-wor. It is not expected that this
access is required by gdm-session-wor and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:krb5_host_rcache_t:s0
Target Objects                /var/tmp/host_0 [ file ]
Source                        gdm-session-wor
Source Path                   /usr/libexec/gdm-session-worker
Port                          <Unknown>
Host                          hostname.deleted
Source RPM Packages           gdm-2.26.1-10.fc11
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.12-39.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     hostname.deleted
Platform                      Linux hostname.deleted
                              2.6.29.3-155.fc11.x86_64 #1 SMP Wed May 20
                              17:43:16 EDT 2009 x86_64 x86_64
Alert Count                   6
First Seen                    Thu May 28 08:17:20 2009
Last Seen                     Thu May 28 10:48:15 2009
Local ID                      7a152a38-018e-44ab-ba28-a99542784c07
Line Numbers                  

Raw Audit Messages            

node=hostname.deleted type=AVC msg=audit(1243529295.299:479): avc:  denied  { ge
tattr } for  pid=8947 comm="gdm-session-wor" path="/var/tmp/host_0" dev=dm-0 ino
=278520 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object
_r:krb5_host_rcache_t:s0 tclass=file

node=hostname.deleted type=SYSCALL msg=audit(1243529295.299:479): arch=c000003e 
syscall=4 success=no exit=-13 a0=17cafe0 a1=7fff77472cb0 a2=7fff77472cb0 a3=10 i
tems=0 ppid=8819 pid=8947 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid
=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="gdm-session-wor" exe="/usr/lib
exec/gdm-session-worker" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
Comment 2 Daniel Walsh 2009-06-01 08:15:51 EDT
Nalin do the login files need more access then just gettattr?

Fixed in selinux-policy-3.6.12-44.fc11
Comment 3 Nalin Dahyabhai 2009-06-01 11:36:03 EDT
(In reply to comment #2)
> Nalin do the login files need more access then just gettattr?

Most likely, yes.  Credential verification uses the same code paths that a networked server uses when acting as the server half of a Kerberos-authenticated session, and part of that function is to use the replay cache.
Comment 4 Daniel Walsh 2009-06-01 12:58:53 EDT
Do they need read or the ability to create the replay cache?
Comment 5 Nalin Dahyabhai 2009-06-01 13:07:19 EDT
Yes, they need to be able to create and read/write the files.
Comment 6 Tim Scofield 2009-06-01 16:25:18 EDT
Tested selinux-policy-3.6.12-44.fc11

Login/gdm/kdm now work for kerberos authentication.

Marked bug as closed/rawhide

Note You need to log in before you can comment on or make changes to this bug.