Bug 624784 - SSSD: Krb authentications fail when credential cache directory created on per user basis
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.0
Hardware: All Linux
Target Milestone: rc
Assignee: Miroslav Grepl
QA Contact: Milos Malik
Keywords: RHELNAK
Depends On:
Blocks: 579775
Reported: 2010-08-17 19:02 UTC by Jenny Galipeau
Modified: 2012-10-16 11:03 UTC

Fixed In Version: selinux-policy-3.7.19-40.el6
Doc Type: Bug Fix
Last Closed: 2010-11-10 21:36:28 UTC


Description Jenny Galipeau 2010-08-17 19:02:08 UTC
Description of problem:
Configuration for Kerberos authentication includes the ability to set the Kerberos cache directory on a per-user basis:
krb5_ccachedir = /tmp/krb5_cache_%u  (%u = userid)

Each user that logs in gets their own directory created, which is working fine; however, upon authentication the cache file fails to be created and authentication fails with this configuration.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Example /etc/sssd/sssd.conf (the section headers were lost in the posted text and are reconstructed here from the option grouping; the option names mid_id and ldaps_tls_cacertdir were typos for min_id and ldap_tls_cacertdir)

[sssd]
config_file_version = 2
domains = ldap
sbus_timeout = 30
services = nss, pam
debug_level = 9

[nss]
filter_groups = root
filter_users = root

[pam]
reconnection_retries = 3

[domain/ldap]
ldap_search_base = dc=example,dc=com
id_provider = ldap
debug_level = 9
min_id = 1000
ldap_uri = ldaps://sssd-rhds.idm.lab.bos.redhat.com:636
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_tls_cacert = /etc/openldap/cacerts/cacert.asc
enumerate = True

auth_provider = krb5
krb5_kdcip = wiki.idm.lab.bos.redhat.com
krb5_realm = EXAMPLE.COM
chpass_provider = krb5
cache_credentials = True
# per-user cache directory; %u expands to the user name, %d to krb5_ccachedir
krb5_ccachedir = /tmp/krb5_cache_%u
krb5_ccname_template = FILE:%d/krb5cc_%u

Actual results:
Authentication fails and no cache file is created.

Expected results:
Successful authentication

Cache file created.

Additional info:

Comment 1 Jenny Galipeau 2010-08-17 19:02:49 UTC
Set SELinux to permissive, and authentication is successful and the cache file is created.

Comment 3 RHEL Product and Program Management 2010-08-17 19:18:10 UTC
This issue has been proposed when we are only considering blocker
issues in the current Red Hat Enterprise Linux release.

** If you would still like this issue considered for the current
release, ask your support representative to file as a blocker on
your behalf. Otherwise ask that it be considered for the next
Red Hat Enterprise Linux release. **

Comment 4 Stephen Gallagher 2010-08-17 19:20:12 UTC

SELinux is preventing /usr/libexec/sssd/sssd_be "chown" access .

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux denied access requested by sssd_be. It is not expected that this access
is required by sssd_be and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug

Additional Information:

Source Context                unconfined_u:system_r:sssd_t:s0
Target Context                unconfined_u:system_r:sssd_t:s0
Target Objects                None [ capability ]
Source                        sssd_be
Source Path                   /usr/libexec/sssd/sssd_be
Port                          <Unknown>
Host                          sgallagh.bos.redhat.com
Source RPM Packages           sssd-1.3.90-0.fc13
Target RPM Packages           
Policy RPM                    selinux-policy-3.7.19-47.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     sgallagh.bos.redhat.com
Platform                      Linux sgallagh.bos.redhat.com #1 SMP Fri Jul 23 17:14:44 UTC 2010 x86_64 x86_64
Alert Count                   1
First Seen                    Tue 17 Aug 2010 02:08:04 PM EDT
Last Seen                     Tue 17 Aug 2010 02:08:04 PM EDT
Local ID                      e9a5e9ea-8c77-4be3-9306-3af6f1c1a95b
Line Numbers                  

Raw Audit Messages            

node=sgallagh.bos.redhat.com type=AVC msg=audit(1282068484.991:29227): avc:  denied  { chown } for  pid=2285 comm="sssd_be" capability=0  scontext=unconfined_u:system_r:sssd_t:s0 tcontext=unconfined_u:system_r:sssd_t:s0 tclass=capability

node=sgallagh.bos.redhat.com type=SYSCALL msg=audit(1282068484.991:29227): arch=c000003e syscall=92 success=yes exit=0 a0=19af1b0 a1=32f1 a2=32f1 a3=69 items=0 ppid=2283 pid=2285 auid=13041 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="sssd_be" exe="/usr/libexec/sssd/sssd_be" subj=unconfined_u:system_r:sssd_t:s0 key=(null)

Comment 5 Daniel Walsh 2010-08-18 11:06:32 UTC
Miroslav, add

allow sssd_t self:capability { chown dac_read_search dac_override kill sys_nice setgid setuid };

Steven do you think you need any other capabilities?
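The raw AVC record in comment 4 and the allow rule in comment 5 are the two ends of what audit2allow does for a local policy module. As an added example (written for this page, not code from sssd, selinux-policy or setroubleshoot), the Python below parses audit records of that shape, decodes the capability number to its name, merges denials into one allow rule per source/target/class (emitting `self` when source and target types match, as here), and pairs each AVC with the SYSCALL record of the same serial to flag denials that were only logged because the host was in permissive mode (success=yes). The two audit lines are copied from comment 4; the capability table comes from <linux/capability.h>.

```python
"""Parse SELinux AVC denials and derive the allow rule a local module would need.
Illustrative code for this bug page; not part of sssd, selinux-policy or setroubleshoot."""
import re
from collections import defaultdict

# Capability numbers from <linux/capability.h>; only entries relevant to this
# report and the rule proposed in comment 5 are listed.
CAPABILITY_NAMES = {
    0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 2: "CAP_DAC_READ_SEARCH",
    3: "CAP_FOWNER", 4: "CAP_FSETID", 5: "CAP_KILL",
    6: "CAP_SETGID", 7: "CAP_SETUID", 23: "CAP_SYS_NICE",
}

# Audit records copied from comment 4 (AVC and SYSCALL share serial 29227).
AVC_LINE = ('node=sgallagh.bos.redhat.com type=AVC msg=audit(1282068484.991:29227): '
            'avc:  denied  { chown } for  pid=2285 comm="sssd_be" capability=0  '
            'scontext=unconfined_u:system_r:sssd_t:s0 '
            'tcontext=unconfined_u:system_r:sssd_t:s0 tclass=capability')
SYSCALL_LINE = ('node=sgallagh.bos.redhat.com type=SYSCALL msg=audit(1282068484.991:29227): '
                'arch=c000003e syscall=92 success=yes exit=0 a0=19af1b0 a1=32f1 a2=32f1 '
                'a3=69 items=0 ppid=2283 pid=2285 auid=13041 uid=0 gid=0 euid=0 suid=0 '
                'fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="sssd_be" '
                'exe="/usr/libexec/sssd/sssd_be" subj=unconfined_u:system_r:sssd_t:s0 key=(null)')

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')            # key=value fields
AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}")
SERIAL_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")


def parse_fields(line):
    """Return the key=value fields of an audit record with quotes stripped."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def parse_avc(line):
    """Parse one type=AVC record into a dict; return None for other record types."""
    m = AVC_RE.search(line)
    fields = parse_fields(line)
    if m is None or fields.get("type") != "AVC":
        return None
    serial = SERIAL_RE.search(line)
    rec = {
        "serial": int(serial.group(2)) if serial else None,
        "result": m.group(1),
        "perms": sorted(m.group(2).split()),
        "comm": fields.get("comm"),
        "source_type": fields["scontext"].split(":")[2],   # user:role:TYPE:level
        "target_type": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "capability": None,
    }
    if rec["tclass"] == "capability" and "capability" in fields:
        rec["capability"] = int(fields["capability"])
    return rec


def capability_name(number):
    """Map a capability number from the AVC record to its CAP_* name."""
    return CAPABILITY_NAMES.get(number, "CAP_#%d" % number)


def allow_rules(lines):
    """Merge denials into allow rules, one per (source, target, class), with the
    permissions collected into a single brace set as audit2allow prints them."""
    perms = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        target = "self" if rec["target_type"] == rec["source_type"] else rec["target_type"]
        perms[(rec["source_type"], target, rec["tclass"])].update(rec["perms"])
    return ["allow %s %s:%s { %s };" % (src, tgt, cls, " ".join(sorted(p)))
            for (src, tgt, cls), p in sorted(perms.items())]


def permissive_denials(lines):
    """Pair AVC and SYSCALL records by serial and report denials whose syscall
    still succeeded, i.e. denials logged while the host was in permissive mode."""
    avcs, syscalls = {}, {}
    for line in lines:
        serial = SERIAL_RE.search(line)
        if serial is None:
            continue
        key = int(serial.group(2))
        rec = parse_avc(line)
        if rec is not None:
            avcs[key] = rec
        elif parse_fields(line).get("type") == "SYSCALL":
            syscalls[key] = parse_fields(line)
    hits = []
    for key, rec in sorted(avcs.items()):
        sc = syscalls.get(key)
        if sc is not None and sc.get("success") == "yes":
            cap = rec["capability"]
            hits.append({"serial": key, "exe": sc.get("exe"), "syscall": int(sc["syscall"]),
                         "perms": rec["perms"],
                         "capability": capability_name(cap) if cap is not None else None})
    return hits


if __name__ == "__main__":
    for rule in allow_rules([AVC_LINE]):
        print(rule)            # allow sssd_t self:capability { chown };
    for hit in permissive_denials([AVC_LINE, SYSCALL_LINE]):
        print("permissive-mode denial:", hit)
```

On the records from comment 4 this yields `allow sssd_t self:capability { chown };`, the single missing permission that comment 7 confirms, and reports serial 29227 as a permissive-mode denial (capability 0 is CAP_CHOWN; syscall 92 on x86_64 is chown, consistent with sssd_be handing the freshly created cache directory to the user). Feeding it a whole `ausearch -m avc` dump merges repeated denials from the same domain into one rule per object class, which is the form a reviewer wants before deciding whether a local module or a policy fix like the one in comment 9 is appropriate.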

Comment 6 Miroslav Grepl 2010-08-18 11:09:18 UTC
I am adding it.

Comment 7 Stephen Gallagher 2010-08-18 11:58:24 UTC
Confirmed, chown is the only missing capability for this functionality.

Comment 9 Miroslav Grepl 2010-08-18 15:33:05 UTC
Fixed in selinux-policy-3.7.19-40.el6.noarch

Comment 12 releng-rhel@redhat.com 2010-11-10 21:36:28 UTC
Red Hat Enterprise Linux 6.0 is now available and should resolve
the problem described in this bug report. This report is therefore being closed
with a resolution of CURRENTRELEASE. You may reopen this bug report if the
solution does not work for you.
