Bug 594833 - klogind can't read root's .k5login
Summary: klogind can't read root's .k5login
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.0
Hardware: All
OS: Linux
Target Milestone: rc
: ---
Assignee: Miroslav Grepl
QA Contact: Milos Malik
Depends On:
Blocks: 580448
TreeView+ depends on / blocked
Reported: 2010-05-21 17:51 UTC by Nalin Dahyabhai
Modified: 2018-04-20 10:40 UTC (History)
5 users (show)

Fixed In Version: selinux-policy-3.7.19-54.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2010-11-10 21:34:27 UTC
Target Upstream Version:

Attachments (Terms of Use)

Description Nalin Dahyabhai 2010-05-21 17:51:46 UTC
Description of problem:
Kerberos rlogind can't read root's .k5login file.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Get a "host" key and store it in the system tab.
2. echo $principal > /root/.k5login
3. restorecon /root/.k5login
4. yum install krb5-appl-clients krb5-appl-servers
5. chkconfig eklogin on
6. /usr/kerberos/bin/rlogin -x -l root `hostname`
Actual results:
Client sees this message:
klogind: User nalin@REDHAT.COM is not authorized to login to account root.
Log shows:
May 21 13:50:05 rapier kernel: type=1400 audit(1274464205.634:29): avc:  denied  { read } for  pid=20610 comm="klogind" name=".k5login" dev=dm-0 ino=804653 scontext=system_u:system_r:rlogind_t:s0-s0:c0.c1023 tcontext=system_u:object_r:krb5_home_t:s0 tclass=file

Expected results:
Shell prompt.

Additional info:
In case this isn't the only thing missing, I ran sesearch to compare the rshd policy and the rlogind policy:

# sesearch  --allow -s rshd_t -t krb5_home_t
Found 5 semantic av rules:
   allow rshd_t user_home_type : dir { getattr search open } ; 
   allow rshd_t user_home_type : lnk_file { read getattr } ; 
   allow rshd_t krb5_home_t : file { ioctl read getattr lock open } ; 
   allow rshd_t polymember : dir { create getattr setattr relabelto search open } ; 
   allow polydomain polymember : dir { create getattr setattr relabelto search open } ;

# sesearch  --allow -s rlogind_t -t krb5_home_t

Comment 1 RHEL Program Management 2010-05-21 18:16:57 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux major release.  Product Management has requested further
review of this request by Red Hat Engineering, for potential inclusion in a Red
Hat Enterprise Linux Major release.  This request is not yet committed for

Comment 2 Daniel Walsh 2010-05-24 14:56:01 UTC
Fixed in selinux-policy-3.7.19-21.el6.noarch

Comment 9 Daniel Walsh 2010-09-03 20:05:03 UTC
Fixed in selinux-policy-3.7.19-54.el6.noarch

Comment 12 releng-rhel@redhat.com 2010-11-10 21:34:27 UTC
Red Hat Enterprise Linux 6.0 is now available and should resolve
the problem described in this bug report. This report is therefore being closed
with a resolution of CURRENTRELEASE. You may reopen this bug report if the
solution does not work for you.

Note You need to log in before you can comment on or make changes to this bug.