
Bug 696092

Summary: squid: denials for squid_kerb_auth when using kerberos authentication
Product: Red Hat Enterprise Linux 6
Component: selinux-policy
Version: 6.1
Hardware: All
OS: Linux
Status: CLOSED ERRATA
Severity: high
Priority: high
Target Milestone: rc
Reporter: Miroslav Vadkerti <mvadkert>
Assignee: Miroslav Grepl <mgrepl>
QA Contact: Karel Srot <ksrot>
CC: dwalsh, ksrot, mgrepl, mmalik, nalin, plyons, prc, zmraz
Fixed In Version: selinux-policy-3.7.19-86.el6
Doc Type: Bug Fix
Last Closed: 2011-05-19 12:27:42 UTC

Description Miroslav Vadkerti 2011-04-13 09:04:31 UTC
Description of problem:
When using squid with kerberos authentication I get these denials:
----
time->Wed Apr 13 04:57:18 2011
type=SYSCALL msg=audit(1302685038.742:66667): arch=c000003e syscall=2 success=yes exit=4 a0=7ff9db38af90 a1=c2 a2=180 a3=7fffda43ae60 items=0 ppid=26728 pid=26730 auid=0 uid=23 gid=23 euid=23 suid=23 fsuid=23 egid=23 sgid=23 fsgid=23 tty=(none) ses=2052 comm="squid_kerb_auth" exe="/usr/lib64/squid/squid_kerb_auth" subj=unconfined_u:system_r:squid_t:s0 key=(null)
type=AVC msg=audit(1302685038.742:66667): avc:  denied  { create } for  pid=26730 comm="squid_kerb_auth" name="krb5_RCRB0OEi" scontext=unconfined_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1302685038.742:66667): avc:  denied  { add_name } for  pid=26730 comm="squid_kerb_auth" name="krb5_RCRB0OEi" scontext=unconfined_u:system_r:squid_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1302685038.742:66667): avc:  denied  { write } for  pid=26730 comm="squid_kerb_auth" name="tmp" dev=dm-0 ino=2752602 scontext=unconfined_u:system_r:squid_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
----
time->Wed Apr 13 04:57:18 2011
type=SYSCALL msg=audit(1302685038.790:66668): arch=c000003e syscall=82 success=yes exit=0 a0=7ff9db38af90 a1=7ff9db386160 a2=7ff9db38b088 a3=7fffda43af90 items=0 ppid=26728 pid=26730 auid=0 uid=23 gid=23 euid=23 suid=23 fsuid=23 egid=23 sgid=23 fsgid=23 tty=(none) ses=2052 comm="squid_kerb_auth" exe="/usr/lib64/squid/squid_kerb_auth" subj=unconfined_u:system_r:squid_t:s0 key=(null)
type=AVC msg=audit(1302685038.790:66668): avc:  denied  { unlink } for  pid=26730 comm="squid_kerb_auth" name="HTTP_23" dev=dm-0 ino=2753259 scontext=unconfined_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
type=AVC msg=audit(1302685038.790:66668): avc:  denied  { rename } for  pid=26730 comm="squid_kerb_auth" name="krb5_RCRB0OEi" dev=dm-0 ino=2754353 scontext=unconfined_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1302685038.790:66668): avc:  denied  { remove_name } for  pid=26730 comm="squid_kerb_auth" name="krb5_RCRB0OEi" dev=dm-0 ino=2754353 scontext=unconfined_u:system_r:squid_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-82.el6

How reproducible:
100%

Steps to Reproduce:
1. configure squid with kerberos
2. try to connect via curl
  
Actual results:
squid_kerb_auth denials blocking authentication

Expected results:
no denials

Additional info:

Comment 1 Miroslav Grepl 2011-04-13 10:38:40 UTC
Mirek,
could you test it with the following local policy?

policy_module(mysquid, 1.0)

require {
	type squid_t;
}

# Let squid_t create, read, write and remove user_tmp_t directories and files,
# and label the files and directories it creates under tmp_t as user_tmp_t.
userdom_manage_user_tmp_dirs(squid_t)
userdom_manage_user_tmp_files(squid_t)
userdom_tmp_filetrans_user_tmp(squid_t, { file dir })

Comment 2 Miroslav Vadkerti 2011-04-13 11:09:48 UTC
Thanks Mirek, with this module there are no more denials :)

# getenforce 
Enforcing
# semodule -l | grep squid
mysquid 1.0
squid   1.9.0   
# ausearch -ts recent -m avc
<no matches>

Comment 3 Daniel Walsh 2011-04-13 14:35:42 UTC
Why is squid touching user_tmp_t? Squid should get its own tmp files, and probably not be writing in /tmp in the first place?

Is squid reading the krbcc name of users on the same system, or is it requiring users to provide credentials before using squid?

Comment 4 Nalin Dahyabhai 2011-04-13 14:41:54 UTC
From what I gather on the web, squid_kerb_auth accepts Negotiate authentication from clients attempting to use the proxy, so it would use a replay cache.

Comment 5 Daniel Walsh 2011-04-13 14:52:53 UTC
Miroslav V, can you change your mysquid policy to:

policy_module(mysquid, 1.0)

require {
	type squid_t;
}

# Let squid_t manage the Kerberos host replay-cache files (krb5_host_rcache_t).
kerberos_manage_host_rcache(squid_t)

And try that. Not sure if kerberos_manage_host_rcache will be enough.

Comment 6 Daniel Walsh 2011-04-13 14:56:36 UTC
I think you might end up needing

allow squid_t tmp_t:dir rw_dir_perms;

Which should probably be in the kerberos_manage_host_rcache interface.

Comment 7 Daniel Walsh 2011-04-13 15:00:55 UTC
I added fixes for this to F15 policy.

Comment 8 Miroslav Vadkerti 2011-04-13 15:16:06 UTC
Dan, using this module

policy_module(mysquid, 1.2)

require{
 type squid_t;
 type tmp_t;
}

kerberos_manage_host_rcache(squid_t)
allow squid_t tmp_t:dir rw_dir_perms;

I still see AVCs like this:

----
time->Wed Apr 13 17:12:46 2011
type=SYSCALL msg=audit(1302707566.512:1696): arch=40000003 syscall=10 success=no exit=-13 a0=1d9df98 a1=0 a2=1e416c a3=1da4084 items=0 ppid=11348 pid=11350 auid=0 uid=23 gid=23 euid=23 suid=23 fsuid=23 egid=23 sgid=23 fsgid=23 tty=(none) ses=219 comm="squid_kerb_auth" exe="/usr/lib/squid/squid_kerb_auth" subj=unconfined_u:system_r:squid_t:s0 key=(null)
type=AVC msg=audit(1302707566.512:1696): avc:  denied  { unlink } for  pid=11350 comm="squid_kerb_auth" name="HTTP_23" dev=dm-0 ino=393454 scontext=unconfined_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file

Comment 9 Daniel Walsh 2011-04-13 15:29:22 UTC
Please remove HTTP_23 and then try.  The problem is you probably ran squid by hand creating the bogusly labelled HTTP_23 file.

Comment 10 Miroslav Vadkerti 2011-04-14 08:22:22 UTC
Dan, I removed HTTP_23 and have the module from comment 8 loaded, but it still cannot create the file. I had to enable the dontaudit rules to see them:

time->Thu Apr 14 10:20:08 2011
type=SYSCALL msg=audit(1302769208.789:130): arch=40000003 syscall=5 success=no exit=-13 a0=11559b0 a1=2c1 a2=180 a3=2c1 items=0 ppid=11053 pid=11055 auid=0 uid=23 gid=23 euid=23 suid=23 fsuid=23 egid=23 sgid=23 fsgid=23 tty=(none) ses=1 comm="squid_kerb_auth" exe="/usr/lib/squid/squid_kerb_auth" subj=unconfined_u:system_r:squid_t:s0 key=(null)
type=AVC msg=audit(1302769208.789:130): avc:  denied  { create } for  pid=11055 comm="squid_kerb_auth" name="HTTP_23" scontext=unconfined_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file

Comment 11 Miroslav Vadkerti 2011-04-14 08:34:46 UTC
After putting SELinux into permissive mode I see these AVCs:
time->Thu Apr 14 10:32:23 2011
type=SYSCALL msg=audit(1302769943.042:142): arch=40000003 syscall=5 success=yes exit=3 a0=85e255 a1=8000 a2=1b6 a3=85d4d8 items=0 ppid=11603 pid=11604 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="kadmind" exe="/usr/sbin/kadmind" subj=unconfined_u:system_r:kadmind_t:s0 key=(null)
type=AVC msg=audit(1302769943.042:142): avc:  denied  { open } for  pid=11604 comm="kadmind" name="config" dev=dm-0 ino=914485 scontext=unconfined_u:system_r:kadmind_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
type=AVC msg=audit(1302769943.042:142): avc:  denied  { read } for  pid=11604 comm="kadmind" name="config" dev=dm-0 ino=914485 scontext=unconfined_u:system_r:kadmind_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
----
time->Thu Apr 14 10:32:23 2011
type=SYSCALL msg=audit(1302769943.042:143): arch=40000003 syscall=197 success=yes exit=0 a0=3 a1=bfaebc0c a2=ee6ff4 a3=2870438 items=0 ppid=11603 pid=11604 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="kadmind" exe="/usr/sbin/kadmind" subj=unconfined_u:system_r:kadmind_t:s0 key=(null)
type=AVC msg=audit(1302769943.042:143): avc:  denied  { getattr } for  pid=11604 comm="kadmind" path="/etc/selinux/config" dev=dm-0 ino=914485 scontext=unconfined_u:system_r:kadmind_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
----
time->Thu Apr 14 10:32:23 2011
type=SYSCALL msg=audit(1302769943.612:144): arch=40000003 syscall=102 success=no exit=-22 a0=2 a1=bfaec150 a2=4152cc a3=0 items=0 ppid=11603 pid=11604 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="kadmind" exe="/usr/sbin/kadmind" subj=unconfined_u:system_r:kadmind_t:s0 key=(null)
type=AVC msg=audit(1302769943.612:144): avc:  denied  { name_bind } for  pid=11604 comm="kadmind" src=756 scontext=unconfined_u:system_r:kadmind_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket
----

Comment 12 Miroslav Vadkerti 2011-04-14 08:38:00 UTC
I'm sorry for the previous post of (what look like) unrelated AVCs. The related AVCs seem to be:
time->Thu Apr 14 10:32:59 2011
type=SYSCALL msg=audit(1302769979.125:149): arch=40000003 syscall=197 success=yes exit=0 a0=3 a1=bf841c1c a2=3ffff4 a3=2ae35f0 items=0 ppid=11730 pid=11732 auid=0 uid=23 gid=23 euid=23 suid=23 fsuid=23 egid=23 sgid=23 fsgid=23 tty=(none) ses=1 comm="squid_kerb_auth" exe="/usr/lib/squid/squid_kerb_auth" subj=unconfined_u:system_r:squid_t:s0 key=(null)
type=AVC msg=audit(1302769979.125:149): avc:  denied  { getattr } for  pid=11732 comm="squid_kerb_auth" path="/etc/selinux/config" dev=dm-0 ino=914485 scontext=unconfined_u:system_r:squid_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
----
time->Thu Apr 14 10:32:59 2011
type=SYSCALL msg=audit(1302769979.518:150): arch=40000003 syscall=5 success=yes exit=3 a0=2ae34f0 a1=2c1 a2=180 a3=2c1 items=0 ppid=11730 pid=11732 auid=0 uid=23 gid=23 euid=23 suid=23 fsuid=23 egid=23 sgid=23 fsgid=23 tty=(none) ses=1 comm="squid_kerb_auth" exe="/usr/lib/squid/squid_kerb_auth" subj=unconfined_u:system_r:squid_t:s0 key=(null)
type=AVC msg=audit(1302769979.518:150): avc:  denied  { create } for  pid=11732 comm="squid_kerb_auth" name="HTTP_23" scontext=unconfined_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file
----
time->Thu Apr 14 10:32:59 2011
type=SYSCALL msg=audit(1302769979.124:148): arch=40000003 syscall=5 success=yes exit=3 a0=183255 a1=8000 a2=1b6 a3=1824d8 items=0 ppid=11730 pid=11732 auid=0 uid=23 gid=23 euid=23 suid=23 fsuid=23 egid=23 sgid=23 fsgid=23 tty=(none) ses=1 comm="squid_kerb_auth" exe="/usr/lib/squid/squid_kerb_auth" subj=unconfined_u:system_r:squid_t:s0 key=(null)
type=AVC msg=audit(1302769979.124:148): avc:  denied  { open } for  pid=11732 comm="squid_kerb_auth" name="config" dev=dm-0 ino=914485 scontext=unconfined_u:system_r:squid_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
type=AVC msg=audit(1302769979.124:148): avc:  denied  { read } for  pid=11732 comm="squid_kerb_auth" name="config" dev=dm-0 ino=914485 scontext=unconfined_u:system_r:squid_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file

Comment 13 Miroslav Grepl 2011-04-14 09:51:57 UTC
# getsebool allow_kerberos

Comment 14 Miroslav Vadkerti 2011-04-14 10:29:27 UTC
allow_kerberos boolean is enabled on my testing machine:

# getsebool allow_kerberos
allow_kerberos --> on

Strange but I cannot reproduce the problems I had in comments 10 and 12 anymore. My test is now passing without denials.

# getenforce 
Enforcing
# semodule -l | grep mysquid
mysquid	1.2	
# cat ~/selinux/mysquid.te
policy_module(mysquid, 1.2)

require{
 type squid_t;
 type tmp_t;
}

kerberos_manage_host_rcache(squid_t)
allow squid_t tmp_t:dir rw_dir_perms;

I think this bug is now resolved, thanks everyone!

Comment 15 Daniel Walsh 2011-04-14 13:42:53 UTC
Miroslav, I think we also need:

/var/tmp/HTTP_23		-- 	gen_context(system_u:object_r:krb5_host_rcache_t,s0)
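As an added example (not code from this bug or from the selinux-policy project), the following Python helper parses AVC records like the ones quoted in this report, groups them into the (source type, target type, class) triples an allow rule needs, and flags replay-cache files whose label is not krb5_host_rcache_t, which is the mislabelling the file context in comment 15 corrects. The HTTP_/krb5_ name prefixes and the sample records are constructed from the names in this bug.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the AVC records quoted in this bug
# (three of the denials from the description, one record per line).
SAMPLE_AVCS = """\
type=AVC msg=audit(1302685038.742:66667): avc:  denied  { create } for  pid=26730 comm="squid_kerb_auth" name="krb5_RCRB0OEi" scontext=unconfined_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1302685038.742:66667): avc:  denied  { write } for  pid=26730 comm="squid_kerb_auth" name="tmp" dev=dm-0 ino=2752602 scontext=unconfined_u:system_r:squid_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1302685038.790:66668): avc:  denied  { unlink } for  pid=26730 comm="squid_kerb_auth" name="HTTP_23" dev=dm-0 ino=2753259 scontext=unconfined_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
"""

PERMS_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]+?)\s*\}')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"

def parse_avc(line):
    """Return (set of denied permissions, dict of key=value fields), or None."""
    m = PERMS_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    return set(m.group(1).split()), fields

def type_of(context):
    """The type is the third field of user:role:type:level."""
    return context.split(':')[2]

def summarize(text):
    """Group denials by (source type, target type, class) -> sorted permissions,
    the same grouping audit2allow uses when it proposes allow rules."""
    rules = defaultdict(set)
    for line in text.splitlines():
        parsed = parse_avc(line)
        if parsed:
            perms, f = parsed
            rules[(type_of(f['scontext']), type_of(f['tcontext']), f['tclass'])] |= perms
    return {key: sorted(perms) for key, perms in rules.items()}

def mislabeled_rcache_files(text, expected='krb5_host_rcache_t'):
    """Replay-cache files (name -> actual type) carrying some other label.
    Assumes the cache is HTTP_<uid> and the krb5_* temporary it is renamed from."""
    bad = {}
    for line in text.splitlines():
        parsed = parse_avc(line)
        if parsed and parsed[1].get('tclass') == 'file':
            f = parsed[1]
            if f.get('name', '').startswith(('HTTP_', 'krb5_')) and type_of(f['tcontext']) != expected:
                bad[f['name']] = type_of(f['tcontext'])
    return bad
```

On the sample, summarize() yields three triples (squid_t on tmp_t file, tmp_t dir and user_tmp_t file), and mislabeled_rcache_files() reports both krb5_RCRB0OEi (tmp_t) and HTTP_23 (user_tmp_t) as not carrying krb5_host_rcache_t.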

Comment 18 Miroslav Grepl 2011-04-19 11:23:43 UTC
Fixed in selinux-policy-3.7.19-86.el6

Comment 21 errata-xmlrpc 2011-05-19 12:27:42 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0526.html