Bug 598646 - Targeted policy - Kerberos ticket cache access by winbind, gss is broken.
Targeted policy - Kerberos ticket cache access by winbind, gss is broken.
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy-targeted (Show other bugs)
5.5
All Linux
low Severity medium
: rc
: ---
Assigned To: Miroslav Grepl
BaseOS QE Security Team
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2010-06-01 15:07 EDT by Aleksey Nogin
Modified: 2012-10-15 11:16 EDT (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
When a system was configured to use winbind for authentication using the "winbind refresh tickets = true" configuration option, several issues may have occurred, preventing this configuration from working properly. This update fixes the SELinux rules for winbind, so that the above configuration works as expected.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2011-01-13 16:49:47 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
sealert outputs for the 4 denials, with comments (prefixed with "#") (10.44 KB, text/plain)
2010-06-01 15:07 EDT, Aleksey Nogin
no flags Details


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2011:0026 normal SHIPPED_LIVE selinux-policy bug fix and enhancement update 2011-01-12 11:11:15 EST

  None (edit)
Description Aleksey Nogin 2010-06-01 15:07:02 EDT
Created attachment 418777 [details]
sealert outputs for the 4 denials, with comments (prefixed with "#")

I am running a system that is setup to use winbind for authentication with "winbind refresh tickets = true".

I am seeing the following set of problems (see the attachment for the sealert output):

1) If a ticket is created by kinit, it is labeled tmp_t and winbindd can not access it - the audit2allow output is "allow winbind_t tmp_t:file { read write };". IMHO the access should be allowed, at least when allow_kerberos boolean is on.

2) If a ticket is created by winbind, it is labeled winbind_tmp_t, and then rpc.gssd can not read it - the audit2allow output is "allow gssd_t winbind_tmp_t:file read;".
Note - the allow_gssd_read_tmp boolean is on, but as far as I can tell, it only allows access to tmp_t and *not* to winbind_tmp_t.
IMHO when allow_gssd_read_tmp boolean is on, the access should be allowed.

P.S. Both problems go away if winbind_disable_trans turned on, then new issues appear due to /var/run/winbindd/pipe now being labeled initrc_t:
3) nscd being prohibited from connecting to /var/run/winbindd/pipe. 
4) genhomedircon being prohibited from connecting to /var/run/winbindd/pipe.
IMHO this is a wrong approach - although may be it could be made work with some changes.

As stated above, I believe that the right solution is to allow (at least under appropriate boolean var settings) the first two accesses. 

An alternative perhaps is to have the kerberos cache files have their own label - this may be a good idea for long-term (and would probably best when combined with moving the Kerberos cache out of /tmp - perhaps they should be in /var/run/krb or something like that), but this is probably too disruptive to introduce into RHEL 5.
Comment 1 Daniel Walsh 2010-06-02 10:47:52 EDT
I am thinking winbind should be creating user_tmp_t files for kerberos credential cache.

I have made this change to Rawhide and if it looks stable we should change RHEL5 and RHEL6
Comment 7 Miroslav Grepl 2010-09-24 06:33:17 EDT
Fixed in selinux-policy-2.4.6-285.el5.noarch
Comment 10 Jaromir Hradilek 2011-01-05 11:16:28 EST
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
When a system was configured to use winbind for authentication using the "winbind refresh tickets = true" configuration option, several issues may have occurred, preventing this configuration from working properly. This update fixes the SELinux rules for winbind, so that the above configuration works as expected.
Comment 12 errata-xmlrpc 2011-01-13 16:49:47 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0026.html

Note You need to log in before you can comment on or make changes to this bug.