When using saslauthd and sshd (and allowing GSSAPI/Kerberos access), the context of the /var/tmp/host_0 file keeps changing and evokes AVCs where one or the other is prevented from using the file (access is allowed in permissive mode). A related problem with sshd alone was fixed a while back, so it appears that saslauthd is relabelling the file to a non-shared context. It seems as though saslauthd needs to keep the file as krb5_host_rcache_t so sshd and possibly other daemons can access it without error.

Source Context                system_u:system_r:sshd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:saslauthd_tmp_t:s0
Target Objects                /var/tmp/host_0 [ file ]
Source                        sshd
Source Path                   /usr/sbin/sshd
Port                          <Unknown>
Host                          chicago.messinet.com
Source RPM Packages           openssh-server-5.5p1-22.fc14.2
Target RPM Packages
Policy RPM                    selinux-policy-3.9.7-7.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   restorecon
Host Name                     chicago.messinet.com
Platform                      Linux chicago.messinet.com 2.6.35.6-48.fc14.x86_64 #1 SMP Fri Oct 22 15:36:08 UTC 2010 x86_64 x86_64
Alert Count                   13
First Seen                    Sun Nov 7 00:47:32 2010
Last Seen                     Sun Nov 7 22:44:56 2010
Local ID                      e67d34af-365b-4e3c-8d5f-685107fb8bf3
Line Numbers

Raw Audit Messages

node=chicago.messinet.com type=AVC msg=audit(1289191496.615:5688): avc: denied { getattr } for pid=9364 comm="sshd" path="/var/tmp/host_0" dev=sdd3 ino=3530845 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:saslauthd_tmp_t:s0 tclass=file
node=chicago.messinet.com type=SYSCALL msg=audit(1289191496.615:5688): arch=c000003e syscall=6 success=yes exit=0 a0=7f7bc3cda790 a1=7fffb12aadf0 a2=7fffb12aadf0 a3=7fffb12aaac0 items=0 ppid=1693 pid=9364 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
If it has the proper label on it, saslauthd and sshd should be able to use it.

restorecon -R -v /var/tmp/host_0

# sesearch -A -s saslauthd_t -t krb5_host_rcache_t -C
Found 2 semantic av rules:
   allow saslauthd_t file_type : filesystem getattr ;
ET allow saslauthd_t krb5_host_rcache_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ; [ allow_kerberos ]

-bash-4.1# sesearch -A -s sshd_t -t krb5_host_rcache_t -C
Found 2 semantic av rules:
ET allow sshd_t krb5_host_rcache_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ; [ allow_kerberos ]
ET allow polydomain polymember : dir { create getattr setattr relabelto search open } ; [ allow_polyinstantiation ]
Fully agreed, but for some reason, when saslauthd "creates" the host_0 file, it gives it the saslauthd_tmp_t context. With no changes and after running restorecon on the file, here is what I have now:

Source Context                system_u:system_r:sshd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:saslauthd_tmp_t:s0
Target Objects                /var/tmp/host_0 [ file ]
Source                        sshd
Source Path                   /usr/sbin/sshd
Port                          <Unknown>
Host                          chicago.messinet.com
Source RPM Packages           openssh-server-5.5p1-22.fc14.2
Target RPM Packages
Policy RPM                    selinux-policy-3.9.7-7.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   restorecon
Host Name                     chicago.messinet.com
Platform                      Linux chicago.messinet.com 2.6.35.6-48.fc14.x86_64 #1 SMP Fri Oct 22 15:36:08 UTC 2010 x86_64 x86_64
Alert Count                   27
First Seen                    Sun Nov 7 00:47:32 2010
Last Seen                    Mon Nov 8 14:29:35 2010
Local ID                      e67d34af-365b-4e3c-8d5f-685107fb8bf3
Line Numbers

Raw Audit Messages

node=chicago.messinet.com type=AVC msg=audit(1289248175.64:9470): avc: denied { getattr } for pid=32588 comm="sshd" path="/var/tmp/host_0" dev=sdd3 ino=3537309 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:saslauthd_tmp_t:s0 tclass=file

Which is why I get an error for sshd.
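As an added example (not part of the bug report or of the selinux-policy project), the script below condenses raw AVC records like the ones quoted in this thread into "source type, target type, object class, permission" tuples, which is the first thing to read off a denial before deciding whether the right fix is an allow rule or, as here, a label/file-transition fix. The two AVC lines in SAMPLE_AUDIT are copied from this report (the getattr denial above and the read/write denial that appears later in the thread); the SYSCALL line is a constructed filler to show that non-AVC records are skipped. The function names are my own.

```shell
#!/bin/sh
# Added example, not from the bug report: condense raw AVC records into
# "source_type target_type class permission" tuples.
# Constructed sample input: two AVC lines copied from the report plus a
# filler SYSCALL record (skipped by the parser).
SAMPLE_AUDIT='node=chicago.messinet.com type=AVC msg=audit(1289191496.615:5688): avc: denied { getattr } for pid=9364 comm="sshd" path="/var/tmp/host_0" dev=sdd3 ino=3530845 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:saslauthd_tmp_t:s0 tclass=file
node=chicago.messinet.com type=SYSCALL msg=audit(1289191496.615:5688): arch=c000003e syscall=6 success=yes exit=0 comm="sshd" exe="/usr/sbin/sshd"
node=chicago.messinet.com type=AVC msg=audit(1289605282.383:32479): avc: denied { read write } for pid=2685 comm="sshd" name="host_0" dev=sdd3 ino=4243584 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:saslauthd_tmp_t:s0 tclass=file'

# summarize_avc: read audit records on stdin, emit one sorted, de-duplicated
# line per (source type, target type, object class, permission).
summarize_avc() {
    awk '
    # only AVC denial records carry scontext/tcontext/tclass
    $0 !~ /type=AVC/ || $0 !~ /avc: +denied/ { next }
    {
        # the permission list is the words between "{" and "}"
        perms = $0
        sub(/.*denied [{] */, "", perms)
        sub(/ *[}].*/, "", perms)
        src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            # the type is the third colon-separated field of a context
            if ($i ~ /^scontext=/)      { split(substr($i, 10), a, ":"); src = a[3] }
            else if ($i ~ /^tcontext=/) { split(substr($i, 10), a, ":"); tgt = a[3] }
            else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++) print src, tgt, cls, p[j]
    }' | sort -u
}

# count_denials AUDIT_TEXT SOURCE_TYPE: number of distinct tuples whose
# source domain is SOURCE_TYPE, so a script can branch on the result.
count_denials() {
    printf '%s\n' "$1" | summarize_avc | awk -v s="$2" '$1 == s' | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_AUDIT" | summarize_avc
```

On the sample this prints sshd_t / saslauthd_tmp_t / file for getattr, read and write. That is exactly the tuple set audit2allow would turn into allow rules, but granting sshd_t access to saslauthd_tmp_t would be the wrong fix: it would let sshd read every saslauthd temp file rather than just the shared replay cache. The resolution the thread arrives at, having saslauthd create the file as krb5_host_rcache_t, keeps both daemons inside the access sesearch already shows they have.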
The question is why didn't the kerberos library try to correct the label? Also does saslauthd create any other files in /tmp other than the host_0 file? If not we can default it to creating the correct label.
I can't answer that part, however, after relabeling it again last night, this is what I have in my /var/tmp this morning:

-rw-------. root     root     unconfined_u:object_r:saslauthd_tmp_t:s0     host_0
-rw-------. cyrus    mail     system_u:object_r:cyrus_tmp_t:s0             imap_76
-rw-------. root     root     unconfined_u:object_r:gssd_tmp_t:s0          nfs_0
-rw-------. postgres postgres system_u:object_r:postgresql_tmp_t:s0        postgres_26
-rw-------. postfix  postfix  system_u:object_r:postfix_smtpd_tmp_t:s0     smtp_89

The host_0 is labeled as saslauthd_tmp_t again.
So every time saslauthd is used it recreates the host_0 file?
Here is my /etc/sysconfig/saslauthd:

# Directory in which to place saslauthd's listening socket, pid file, and so
# on.  This directory must already exist.
SOCKETDIR=/var/run/saslauthd

# Mechanism to use when checking passwords.  Run "saslauthd -v" to get a list
# of which mechanism your installation was compiled with the ablity to use.
MECH=kerberos5

# Options sent to the saslauthd. If the MECH is other than "pam" uncomment the next line.
#DAEMONOPTS="--user saslauth"

# Additional flags to pass to saslauthd on the command line.  See saslauthd(8)
# for the list of accepted flags.
FLAGS="-r"

By default (according to man saslauthd), 5 threads are spawned on init. It appears that when threads get respawned is when the context of host_0 changes back to saslauthd_tmp_t. This is when I get the errors that sshd cannot access the file.
Could you install this policy

# cat mysasl.te
policy_module(mysasl,1.0)
gen_require(`
	type saslauthd_t;
')
kerberos_manage_host_rcache(saslauthd_t)

# make -f /usr/share/selinux/devel/Makefile
# semodule -i mysasl.pp

Then see if the file gets created with the correct label.
Miroslav, in Rawhide policy I have removed saslauthd_tmp_t and saslauthd_t will create krb_host_rcache_t when it creates a file in /tmp.
(In reply to comment #7)
> Could you install this policy
>
> # cat mysasl.te
> policy_module(mysasl,1.0)
> gen_require(`
> 	type saslauthd_t;
> ')
> kerberos_manage_host_rcache(saslauthd_t)
>
> # make -f /usr/share/selinux/devel/Makefile
> # semodule -i mysasl.pp
>
> Then see if the file gets created with the correct label.

Unfortunately, the above didn't work:

tmp]# ls -lZ
-rw-------. root     root     unconfined_u:object_r:saslauthd_tmp_t:s0     host_0
-rw-------. cyrus    mail     system_u:object_r:cyrus_tmp_t:s0             imap_76
-rw-------. root     root     unconfined_u:object_r:gssd_tmp_t:s0          nfs_0
-rw-------. postgres postgres system_u:object_r:postgresql_tmp_t:s0        postgres_26
-rw-------. postfix  postfix  unconfined_u:object_r:postfix_smtpd_tmp_t:s0 smtp_89

node=chicago.messinet.com type=AVC msg=audit(1289605282.383:32479): avc: denied { read write } for pid=2685 comm="sshd" name="host_0" dev=sdd3 ino=4243584 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:saslauthd_tmp_t:s0 tclass=file
node=chicago.messinet.com type=AVC msg=audit(1289605282.383:32479): avc: denied { open } for pid=2685 comm="sshd" name="host_0" dev=sdd3 ino=4243584 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:saslauthd_tmp_t:s0 tclass=file
Yes, it requires the other fix, which I asked Miroslav to grab. This is being triggered by a bug in the kerberos libraries, btw. But it seems like it is easier to fix selinux policy for now.
Will fix today.
Fixed in selinux-policy-3.9.7-13.fc14
selinux-policy-3.9.7-12.fc14 has been submitted as an update for Fedora 14. https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-12.fc14
selinux-policy-3.9.7-12.fc14 has been pushed to the Fedora 14 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-12.fc14
selinux-policy-3.9.7-12.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report.