Bug 506106 - sshd cannot read k5login for GSSAPI authentication
Summary: sshd cannot read k5login for GSSAPI authentication
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 11
Hardware: All
OS: Linux
Priority: low
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2009-06-15 15:42 UTC by Derek Atkins
Modified: 2009-06-29 14:21 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2009-06-29 14:21:28 UTC
Type: ---
Embargoed:



Description Derek Atkins 2009-06-15 15:42:16 UTC
Description of problem:

I just installed an F11 server and I use Kerberos for authentication.  Unfortunately, even with all the proper files configured, I cannot get it to work.  (This works fine on F10.)  I see the following AVC in my audit log:

type=AVC msg=audit(1245079913.143:211): avc:  denied  { read } for  pid=3105 comm="sshd" name=".k5login" dev=dm-0 ino=92021 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:krb5_home_t:s0 tclass=file

This leads me to believe that there's a bug in the policy?

Version-Release number of selected component (if applicable):

selinux-policy-targeted-3.6.12-39.fc11.noarch
openssh-server-5.2p1-2.fc11.i586


How reproducible:

100%  It happens every time.
However, there isn't any particular error message produced in the ssh logs that explains why the GSSAPI authentication failed.

Steps to Reproduce:
1. Set up Kerberos + Keytab
2. Set up k5login
3. ssh using kerberos
  
Actual results:

It falls back and asks for my password (or falls back to PubKey Auth).
The only available output signalling the failure is the AVC.

Expected results:

GSSAPI Authentication should work.

Additional info:

Comment 1 Daniel Walsh 2009-06-15 19:33:06 UTC
You can add these rules for now using

# grep avc /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
	
Fixed in selinux-policy-3.6.12-52.fc11.noarch
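
The denial quoted in the description maps to a single type-enforcement rule. The following is an added example, not part of the original bug thread: it parses AVC lines and returns the allow rule each denial implies, filtered by comm so only sshd's denials are reviewed before a local module is built. The second log line and the names exampled, example_t and example_data_t are constructed for illustration.

```python
import re
from collections import defaultdict

# First line is the denial quoted in this report; the second is constructed
# for this example to show an unrelated denial that the comm filter excludes.
SAMPLE_LOG = """\
type=AVC msg=audit(1245079913.143:211): avc:  denied  { read } for  pid=3105 comm="sshd" name=".k5login" dev=dm-0 ino=92021 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:krb5_home_t:s0 tclass=file
type=AVC msg=audit(1245079950.000:215): avc:  denied  { write getattr } for  pid=4001 comm="exampled" name="example.dat" dev=dm-0 ino=10 scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:example_data_t:s0 tclass=file
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial line, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    # An SELinux context is user:role:type[:mls-range]; the type is field 3.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def allow_rules(log_text, comm=None):
    """Build the allow rules the denials imply, optionally for one command."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or (comm and rec.get("comm") != comm):
            continue
        grouped[(rec["stype"], rec["ttype"], rec["tclass"])].update(rec["perms"])
    rules = []
    for (stype, ttype, tclass), perms in sorted(grouped.items()):
        p = sorted(perms)
        perm_text = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {perm_text};")
    return rules


if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_LOG, comm="sshd"):
        print(rule)
```

Without the comm filter, every denial in the log contributes a rule, so the unrelated constructed denial would also end up in the generated module.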

Comment 2 Derek Atkins 2009-06-27 14:03:30 UTC
Just updated to 3.6.12-53 and this problem is indeed solved.
Thank you.

