Bug 506106 - sshd cannot read k5login for GSSAPI authentication
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 11
Hardware: All Linux
Priority: low
Severity: medium
Assigned To: Daniel Walsh
Ben Levenson
Reported: 2009-06-15 11:42 EDT by Derek Atkins
Modified: 2009-06-29 10:21 EDT
Doc Type: Bug Fix
Last Closed: 2009-06-29 10:21:28 EDT
Description Derek Atkins 2009-06-15 11:42:16 EDT
Description of problem:

I just installed an F11 server and I use Kerberos for authentication.  Unfortunately, even with all the proper files configured, I cannot get it to work (this works fine on F10).  I see the following AVC in my audit log:

type=AVC msg=audit(1245079913.143:211): avc:  denied  { read } for  pid=3105 comm="sshd" name=".k5login" dev=dm-0 ino=92021 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:krb5_home_t:s0 tclass=file

This leads me to believe that there's a bug in the policy?

Version-Release number of selected component (if applicable):

selinux-policy-targeted-3.6.12-39.fc11.noarch
openssh-server-5.2p1-2.fc11.i586


How reproducible:

100%. It happens every time.
However, there isn't any particular error message produced in the ssh logs that explains why the GSSAPI authentication failed.

Steps to Reproduce:
1. Set up Kerberos + Keytab
2. Set up k5login
3. ssh using Kerberos
  
Actual results:

It falls back and asks for my password (or falls back to PubKey Auth).
The only available output signalling the failure is the AVC.

Expected results:

GSSAPI Authentication should work.

Additional info:
Comment 1 Daniel Walsh 2009-06-15 15:33:06 EDT
You can add these rules for now using

# grep avc /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
	
Fixed in selinux-policy-3.6.12-52.fc11.noarch
Comment 2 Derek Atkins 2009-06-27 10:03:30 EDT
Just updated to 3.6.12-53 and this problem is indeed solved.
Thank you.
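
A narrower form of the workaround in Comment 1, as an added example that is not part of the original bug thread or of selinux-policy: `grep avc ... | audit2allow` builds allow rules from every AVC line grep matches, so this script keeps only denials whose `comm` matches one process and prints the resulting rule for review before anything is loaded. The function names `sample_log` and `avc_rules` and the second (httpd) log record are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample input: the AVC from the report above plus one
# unrelated denial invented for this example.
sample_log() {
cat <<'EOF'
type=AVC msg=audit(1245079913.143:211): avc:  denied  { read } for  pid=3105 comm="sshd" name=".k5login" dev=dm-0 ino=92021 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:krb5_home_t:s0 tclass=file
type=AVC msg=audit(1245079950.001:230): avc:  denied  { write } for  pid=4000 comm="httpd" name="shadow" dev=dm-0 ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
EOF
}

# avc_rules COMM: read audit records on stdin and print one deduplicated
# "allow" rule per AVC denial whose comm= field equals COMM.
avc_rules() {
    awk -v want="$1" '
    # Return the value of a key=value field on the current record.
    function field(key,   i) {
        for (i = 1; i <= NF; i++)
            if (index($i, key "=") == 1) return substr($i, length(key) + 2)
        return ""
    }
    # The SELinux type is the third colon-separated part of a context.
    function setype(ctx,   p) { split(ctx, p, ":"); return p[3] }

    /avc:/ && /denied/ {
        comm = field("comm"); gsub(/"/, "", comm)
        if (comm != want) next
        # The denied permissions sit between "{" and "}".
        a = index($0, "{"); b = index($0, "}")
        perms = substr($0, a + 1, b - a - 1)
        gsub(/^ +| +$/, "", perms)
        rule = "allow " setype(field("scontext")) " " \
               setype(field("tcontext")) ":" field("tclass") \
               " { " perms " };"
        if (!(rule in seen)) { seen[rule] = 1; print rule }
    }'
}

# Only the sshd denial becomes a rule; the httpd record is ignored.
sample_log | avc_rules sshd   # prints: allow sshd_t krb5_home_t:file { read };
```

On a live system the same scoping can be done with `ausearch -m avc -c sshd | audit2allow -M mypol` in place of the plain `grep`.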
