Bug 576093 - ssh changes security context of /var/tmp/host_0
ssh changes security context of /var/tmp/host_0
Product: Fedora
Classification: Fedora
Component: krb5 (Show other bugs)
All Linux
low Severity high
: ---
: ---
Assigned To: Nalin Dahyabhai
Fedora Extras Quality Assurance
: SELinux
Depends On:
  Show dependency treegraph
Reported: 2010-03-23 04:49 EDT by Eugene Indenbom
Modified: 2011-10-21 15:09 EDT (History)
8 users (show)

See Also:
Fixed In Version: krb5-1.8.4-2.fc14
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2011-07-06 17:34:25 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Patch to krb5-1.7 (7.92 KB, patch)
2010-03-24 07:36 EDT, Eugene Indenbom
no flags Details | Diff
Replay cache to reproduce bug (5.85 KB, application/octet-stream)
2010-04-15 08:14 EDT, Eugene Indenbom
no flags Details

  None (edit)
Description Eugene Indenbom 2010-03-23 04:49:32 EDT
Description of problem:
After login with sshd using Kerberos authentication the security context of /var/tmp/host_0 may be set sshd_t, causing other login daemons to deny access.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Remove /var/tmp/host_0
2. Restart sshd
3. Login with ssh using Kerberos authentication (without entering password)
4. Replay cache created OK
5. Wait till all tickets in cache are expired (12-24hours)
6. Login with ssh using Kerberos authentication (without entering password)
7. Security context of /var/tmp/host_0 is set to sshd_t
Actual results:
Security context of /var/tmp/host_0 is set to sshd_t

Expected results:
Security context of /var/tmp/host_0 is set to krb5_host_rcache_t

Additional info:
I am forced to enable restorecond...
Comment 1 Eugene Indenbom 2010-03-23 05:49:34 EDT
The problem is caused by function krb5_rc_dfl_expunge_locked (rcache/rc_dfl.c) from krb5-libs.

This function recreated replay cache when there is too many expired entries in it.
It make a temporary file using pattern /var/tmp/krb5_RCXXXXXX and then renames it into /var/tmp/host_0.

Please, note that not only /var/tmp/host_0 is recreated using this pattern, but all other replay caches for other local principals.

SE Linux Policy Version: 3.6.32-99.fc12

I am moving this bug to selinux-policy-targeted, but it might be required to patch kerberos libraries to fix this problem as currently there is no way to distinguish temporary files created for host rcache from others.
Comment 2 Eugene Indenbom 2010-03-24 07:36:27 EDT
Created attachment 402285 [details]
Patch to krb5-1.7
Comment 3 Eugene Indenbom 2010-03-24 07:38:18 EDT
The attachment contains a fix to krb5 rcache subsystem using setfscreatecon to ensure correct replay cache file context.

Please, move this bug to krb5 if there is no solution changing only policy is possible.
Comment 4 Eugene Indenbom 2010-04-15 08:14:11 EDT
Created attachment 406761 [details]
Replay cache to reproduce bug

In order for bug to reproduce replay cache must contain more than 30 expired entries. Such file is attached.

To reproduce:

1. Copy file to /var/tmp/host_0
2. restorecon /var/tmp/host_0
2. Login through ssh using kerberos auth
3. ls --lcontext /var/tmp/host_0
Comment 5 Bug Zapper 2010-11-03 14:50:22 EDT
This message is a reminder that Fedora 12 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 12.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '12'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 12's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 12 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
Comment 6 Alexander Boström 2011-03-14 05:59:55 EDT
I think I've seen this in RHEL6 too. Will try to return with a bug report for that.
Comment 7 Petter Urkedal 2011-05-23 06:24:19 EDT
I can confirm that this issue applies to RHEL 6.1, though I see it in
slightly different forms:  Given a /var/tmp/host_0 file with enough expired

  - after a local login the context is set to local_login_tmp_t,

  - after an SSH login the context is set to user_tmp_t, and

  - on an active mail server running Dovecot, the context is set to
    dovecot_auth_tmp_t, but note that we're using a custom-compiled
    Dovecot and adjusted SELinux policy.
Comment 8 Fedora Update System 2011-06-24 15:29:35 EDT
krb5-1.8.4-2.fc14 has been submitted as an update for Fedora 14.
Comment 9 Fedora Update System 2011-06-25 16:00:48 EDT
Package krb5-1.8.4-2.fc14:
* should fix your issue,
* was pushed to the Fedora 14 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing krb5-1.8.4-2.fc14'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).
Comment 10 Fedora Update System 2011-07-06 17:34:12 EDT
krb5-1.8.4-2.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 11 Steve Traylen 2011-10-21 14:10:47 EDT
I also see this on RHEL6.1.

Is there a bug for it?

Comment 12 Nalin Dahyabhai 2011-10-21 15:09:18 EDT
(In reply to comment #11)
> I also see this on RHEL6.1.
> Is there a bug for it?

That's bug #714217, which should be fixed in the 6.2 beta.

Note You need to log in before you can comment on or make changes to this bug.