Bug 714960 - SELinux is preventing the krb5_child from using potentially mislabeled files (./.k5login).
SELinux is preventing the krb5_child from using potentially mislabeled files ...
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy (Show other bugs)
5.7
All Linux
urgent Severity urgent
: rc
: ---
Assigned To: Miroslav Grepl
Milos Malik
: ZStream
: 716238 (view as bug list)
Depends On:
Blocks: 720678
  Show dependency treegraph
 
Reported: 2011-06-21 08:48 EDT by Kaushik Banerjee
Modified: 2012-10-16 07:03 EDT (History)
6 users (show)

See Also:
Fixed In Version: selinux-policy-2.4.6-316.el5
Doc Type: Bug Fix
Doc Text:
Previously, SELinux prevented the krb5_child command from running because the .k5login file had the wrong security context. With this update, the bug in the appropriate SELinux policy has been fixed, and krb5_child now works as expected.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2011-07-21 05:18:55 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Kaushik Banerjee 2011-06-21 08:48:59 EDT
This is somewhat similar to bug 713078. Although 713078 is fixed, the functionality works only when selinux is in permissive mode.


Steps to Reproduce:
1. domain section of sssd.conf
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = default
debug_level = 9

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
debug_level = 9

[pam]
reconnection_retries = 3
debug_level = 9

[domain/default]
debug_level = 9
id_provider = ldap
ldap_uri = ldap://cobra.lab.eng.pnq.redhat.com
ldap_search_base = dc=example,dc=com
auth_provider = krb5
access_provider = krb5
krb5_server = cobra.lab.eng.pnq.redhat.com
krb5_realm = EXAMPLE.COM

2. add user puser1(home dir set to /home/puser1), to ldap and kerberos
3. > /home/puser1/.k5login(empty file should deny access for puser1)
4. chown puser1 /home/puser1/.k5login
5. restorecon /home/puser1/.k5login
6. # ll -Z /home/puser1/.k5login 
-rw-r--r--  puser1 root root:object_r:user_home_t        /home/puser1/.k5login

7. login as puser1
# ssh -l puser1 localhost
puser1@localhost's password: 
Last login: Tue Jun 14 12:02:05 2011 from localhost.localdomain
-sh-3.2$ 

Actual results:
1. Login does not fail(selinux: enforcing).
2. Login fails(as expected) and shows the below alerts(selinux: permissive).

Expected results:
SELinux alert should not appear and puser1 should not be able to login.

Additional Info:
1. Also tried "chcon -t krb5_conf_t /home/puser1/.k5login" from bug 501107, comment 1 . The selinux alerts doesn't appear now, but login still does not fail.
2. puser1 is unable to login after setting selinux to permissive mode.


SELinux Alert Summary:

SELinux is preventing the krb5_child from using potentially mislabeled files
(./.k5login).

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux has denied krb5_child access to potentially mislabeled file(s)
(./.k5login). This means that SELinux will not allow krb5_child to use these
files. It is common for users to edit files in their home directory or tmp
directories and then move (mv) them to system directories. The problem is that
the files end up with the wrong file context which confined applications are not
allowed to access.

Allowing Access:

If you want krb5_child to access this files, you need to relabel them using
restorecon -v './.k5login'. You might want to relabel the entire directory using
restorecon -R -v '.'.

Additional Information:

Source Context                root:system_r:sssd_t
Target Context                user_u:object_r:user_home_t
Target Objects                ./.k5login [ file ]
Source                        krb5_child
Source Path                   /usr/libexec/sssd/krb5_child
Port                          <Unknown>
Host                          jetfire.lab.eng.pnq.redhat.com
Source RPM Packages           sssd-1.5.1-37.el5
Target RPM Packages           
Policy RPM                    selinux-policy-2.4.6-312.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   home_tmp_bad_labels
Host Name                     jetfire.lab.eng.pnq.redhat.com
Platform                      Linux jetfire.lab.eng.pnq.redhat.com
                              2.6.18-268.el5 #1 SMP Tue Jun 14 18:24:50 EDT 2011
                              x86_64 x86_64
Alert Count                   7
First Seen                    Tue Jun 21 16:07:53 2011
Last Seen                     Tue Jun 21 16:18:29 2011
Local ID                      0f4b5bfc-a04f-41e7-abc6-4977553bf752
Line Numbers                  

Raw Audit Messages            

host=jetfire.lab.eng.pnq.redhat.com type=AVC msg=audit(1308653309.248:193): avc:  denied  { read } for  pid=3124 comm="krb5_child" name=".k5login" dev=dm-0 ino=325834 scontext=root:system_r:sssd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file

host=jetfire.lab.eng.pnq.redhat.com type=SYSCALL msg=audit(1308653309.248:193): arch=c000003e syscall=2 success=yes exit=0 a0=193a9b10 a1=0 a2=1b6 a3=0 items=0 ppid=2669 pid=3124 auid=0 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=(none) ses=1 comm="krb5_child" exe="/usr/libexec/sssd/krb5_child" subj=root:system_r:sssd_t:s0 key=(null)
Comment 1 Kaushik Banerjee 2011-06-21 08:51:26 EDT
2nd SELinux alert seen with the above test case in permissive mode:

Summary:

SELinux is preventing the krb5_child from using potentially mislabeled files
(/home/puser1/.k5login).

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux has denied krb5_child access to potentially mislabeled file(s)
(/home/puser1/.k5login). This means that SELinux will not allow krb5_child to
use these files. It is common for users to edit files in their home directory or
tmp directories and then move (mv) them to system directories. The problem is
that the files end up with the wrong file context which confined applications
are not allowed to access.

Allowing Access:

If you want krb5_child to access this files, you need to relabel them using
restorecon -v '/home/puser1/.k5login'. You might want to relabel the entire
directory using restorecon -R -v '/home/puser1'.

Additional Information:

Source Context                root:system_r:sssd_t
Target Context                root:object_r:user_home_t
Target Objects                /home/puser1/.k5login [ file ]
Source                        krb5_child
Source Path                   /usr/libexec/sssd/krb5_child
Port                          <Unknown>
Host                          jetfire.lab.eng.pnq.redhat.com
Source RPM Packages           sssd-1.5.1-37.el5
Target RPM Packages           
Policy RPM                    selinux-policy-2.4.6-312.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   home_tmp_bad_labels
Host Name                     jetfire.lab.eng.pnq.redhat.com
Platform                      Linux jetfire.lab.eng.pnq.redhat.com
                              2.6.18-268.el5 #1 SMP Tue Jun 14 18:24:50 EDT 2011
                              x86_64 x86_64
Alert Count                   4
First Seen                    Tue Jun 14 12:00:25 2011
Last Seen                     Tue Jun 21 17:50:30 2011
Local ID                      49a2b94c-db0d-406b-958a-040aff7866df
Line Numbers                  

Raw Audit Messages            

host=jetfire.lab.eng.pnq.redhat.com type=AVC msg=audit(1308658830.575:375): avc:  denied  { getattr } for  pid=4100 comm="krb5_child" path="/home/puser1/.k5login" dev=dm-0 ino=550784 scontext=root:system_r:sssd_t:s0 tcontext=root:object_r:user_home_t:s0 tclass=file

host=jetfire.lab.eng.pnq.redhat.com type=SYSCALL msg=audit(1308658830.575:375): arch=c000003e syscall=5 success=yes exit=0 a0=0 a1=7fff2ea7ec10 a2=7fff2ea7ec10 a3=6165726373662f72 items=0 ppid=2669 pid=4100 auid=0 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=(none) ses=1 comm="krb5_child" exe="/usr/libexec/sssd/krb5_child" subj=root:system_r:sssd_t:s0 key=(null)
Comment 2 Milos Malik 2011-06-21 09:45:30 EDT
restorecon and matchpathcon don't know that ~/.k5login should be labelled krb5_conf_t. Could we add that information to selinux-policy?
Comment 3 Miroslav Grepl 2011-06-21 11:42:50 EDT
Kaushik, 
what was wrong with 

# chcon -t krb5_conf_t /home/puser1/.k5login

were you seeing other avc messages?
Comment 5 Kaushik Banerjee 2011-06-21 12:33:43 EDT
(In reply to comment #3)
> Kaushik, 
> what was wrong with 
> 
> # chcon -t krb5_conf_t /home/puser1/.k5login
> 
> were you seeing other avc messages?

Before this command, only the above 2 alerts were seen. With "chcon -t krb5_conf_t /home/puser1/.k5login" the above mentioned 2 selinux alerts doesn't appear.

However, the test still fails in selinux:enforcing mode with that command, and I don't see any alerts. The test passes in selinux:permissive mode, but again I don't see any alerts.
Comment 6 Miroslav Grepl 2011-06-21 12:44:04 EDT
I am going to build a new rhel5 package which will be available in 20 minutes.
Comment 8 Miroslav Grepl 2011-06-21 13:05:47 EDT
selinux-policy-2.4.6-314.el5 is done. Could you test it with this build.

https://brewweb.devel.redhat.com/buildinfo?buildID=169394

Run your steps to reproduce

2. add user puser1(home dir set to /home/puser1), to ldap and kerberos
3. > /home/puser1/.k5login(empty file should deny access for puser1)
4. chown puser1 /home/puser1/.k5login
5. restorecon /home/puser1/.k5login
6. # ll -Z /home/puser1/.k5login 


.k5login should get the right context. 

If yes, and it won't work and you won't see any avc msgs in permissive mode
then execute

# semodule -DB

and try again.
Comment 9 Kaushik Banerjee 2011-06-21 13:25:28 EDT
Using selinux-policy-2.4.6-314.el5, the test case passes in selinux:enforcing mode now.

However, I see the following message in /var/log/message:
<snip>
Jun 21 22:49:09 jetfire krb5_child: /etc/selinux/targeted/contexts/files/file_contexts: Multiple different specifications for /root/\.k5login  (root:object_r:krb5_home_t:s0 and system_u:object_r:krb5_home_t:s0). 
Jun 21 22:49:44 jetfire last message repeated 2 times
Jun 21 22:50:46 jetfire last message repeated 2 times
Jun 21 22:51:49 jetfire last message repeated 2 times
Jun 21 22:52:51 jetfire last message repeated 2 times
Jun 21 22:54:21 jetfire last message repeated 3 times
</snip>
Comment 10 Milos Malik 2011-06-22 02:54:10 EDT
I see it too:

Jun 22 02:51:53 auto-i386-002 restorecon: /etc/selinux/targeted/contexts/files/file_contexts: Multiple different specifications for /root/\.k5login  (root:object_r:krb5_home_t:s0 and system_u:object_r:krb5_home_t:s0).
Comment 11 Miroslav Grepl 2011-06-22 04:10:50 EDT
Milos, 
try it with the latest -315 release.
Comment 12 Milos Malik 2011-06-22 04:22:34 EDT
I already did. "multiple different specifications" messages do not appear any more. restorecon and matchpathcon work as expected.
Comment 13 Daniel Walsh 2011-06-22 10:01:29 EDT
THis should be labeled krb5_home_t.
Comment 16 Kaushik Banerjee 2011-06-23 03:22:08 EDT
Using selinux-policy-2.4.6-315.el5, the test passes in selinux:enforcing mode and no more "multiple different specifications" messages are seen.
Comment 19 Miroslav Grepl 2011-06-24 08:52:36 EDT
*** Bug 716238 has been marked as a duplicate of this bug. ***
Comment 20 Miroslav Grepl 2011-06-24 09:44:07 EDT
Fixed in  selinux-policy-2.4.6-316.el5
Comment 25 Tomas Capek 2011-07-15 09:10:57 EDT
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Previously, SELinux prevented the krb5_child command from running because the .k5login file had the wrong security context. With this update, the bug in the appropriate SELinux policy has been fixed, and krb5_child now works as expected.
Comment 26 errata-xmlrpc 2011-07-21 05:18:55 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-1069.html
Comment 27 errata-xmlrpc 2011-07-21 07:57:40 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-1069.html

Note You need to log in before you can comment on or make changes to this bug.