First Last Prev Next    This bug is not in your last search results.
Bug 506106 - sshd cannot read k5login for GSSAPI authentication
sshd cannot read k5login for GSSAPI authentication
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
11
All Linux
low Severity medium
: ---
: ---
Assigned To: Daniel Walsh
Ben Levenson
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2009-06-15 11:42 EDT by Derek Atkins
Modified: 2009-06-29 10:21 EDT (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-06-29 10:21:28 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

  None (edit)
Description Derek Atkins 2009-06-15 11:42:16 EDT 
Description of problem:

I just installed a F11 server and I use Kerberos for authentication.  Unfortunately even with all the proper files configured I cannot get it to work.  (this works fine on F10).  I see the following AVC in my audit log:

type=AVC msg=audit(1245079913.143:211): avc:  denied  { read } for  pid=3105 comm="sshd" name=".k5login" dev=dm-0 ino=92021 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:krb5_home_t:s0 tclass=file

This leads me to believe that there's a bug in the policy?

Version-Release number of selected component (if applicable):

selinux-policy-targeted-3.6.12-39.fc11.noarch
openssh-server-5.2p1-2.fc11.i586


How reproducible:

100%  It happens every time.
However there isn't any particular error message produced in the ssh logs that explain why the GSSAPI authentication failed.

Steps to Reproduce:
1. Setup Kerberos + Keytab
2. Setup k5login
3. ssh using kerberos
  
Actual results:

It falls back and asks for my password.. (Or falls back to PubKey Auth)..
The only available output signalling the failure is the AVC.

Expected results:

GSSAPI Authentication should work.

Additional info:
Comment 1 Daniel Walsh 2009-06-15 15:33:06 EDT 
You can add these rules for now using

# grep avc /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
	
Fixed in selinux-policy-3.6.12-52.fc11.noarch
Comment 2 Derek Atkins 2009-06-27 10:03:30 EDT 
Just updated to 3.6.12-53 and this problem is indeed solved.
Thank you.
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.