This is somewhat similar to bug 713078. Although 713078 is fixed, the functionality works only when selinux is in permissive mode.

Steps to Reproduce:

1. domain section of sssd.conf

[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = default
debug_level = 9

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
debug_level = 9

[pam]
reconnection_retries = 3
debug_level = 9

[domain/default]
debug_level = 9
id_provider = ldap
ldap_uri = ldap://cobra.lab.eng.pnq.redhat.com
ldap_search_base = dc=example,dc=com
auth_provider = krb5
access_provider = krb5
krb5_server = cobra.lab.eng.pnq.redhat.com
krb5_realm = EXAMPLE.COM

2. add user puser1 (home dir set to /home/puser1) to ldap and kerberos
3. > /home/puser1/.k5login (empty file should deny access for puser1)
4. chown puser1 /home/puser1/.k5login
5. restorecon /home/puser1/.k5login
6. # ll -Z /home/puser1/.k5login
-rw-r--r--  puser1 root root:object_r:user_home_t /home/puser1/.k5login
7. login as puser1
# ssh -l puser1 localhost
puser1@localhost's password:
Last login: Tue Jun 14 12:02:05 2011 from localhost.localdomain
-sh-3.2$

Actual results:
1. Login does not fail (selinux: enforcing).
2. Login fails (as expected) and shows the below alerts (selinux: permissive).

Expected results:
SELinux alert should not appear and puser1 should not be able to login.

Additional Info:
1. Also tried "chcon -t krb5_conf_t /home/puser1/.k5login" from bug 501107, comment 1. The selinux alerts don't appear now, but login still does not fail.
2. puser1 is unable to login after setting selinux to permissive mode.

SELinux Alert

Summary:
SELinux is preventing the krb5_child from using potentially mislabeled files (./.k5login).

Detailed Description:
[SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.]
SELinux has denied krb5_child access to potentially mislabeled file(s) (./.k5login). This means that SELinux will not allow krb5_child to use these files. It is common for users to edit files in their home directory or tmp directories and then move (mv) them to system directories. The problem is that the files end up with the wrong file context which confined applications are not allowed to access.

Allowing Access:
If you want krb5_child to access this files, you need to relabel them using restorecon -v './.k5login'. You might want to relabel the entire directory using restorecon -R -v '.'.

Additional Information:
Source Context        root:system_r:sssd_t
Target Context        user_u:object_r:user_home_t
Target Objects        ./.k5login [ file ]
Source                krb5_child
Source Path           /usr/libexec/sssd/krb5_child
Port                  <Unknown>
Host                  jetfire.lab.eng.pnq.redhat.com
Source RPM Packages   sssd-1.5.1-37.el5
Target RPM Packages
Policy RPM            selinux-policy-2.4.6-312.el5
Selinux Enabled       True
Policy Type           targeted
MLS Enabled           True
Enforcing Mode        Permissive
Plugin Name           home_tmp_bad_labels
Host Name             jetfire.lab.eng.pnq.redhat.com
Platform              Linux jetfire.lab.eng.pnq.redhat.com 2.6.18-268.el5 #1 SMP Tue Jun 14 18:24:50 EDT 2011 x86_64 x86_64
Alert Count           7
First Seen            Tue Jun 21 16:07:53 2011
Last Seen             Tue Jun 21 16:18:29 2011
Local ID              0f4b5bfc-a04f-41e7-abc6-4977553bf752
Line Numbers

Raw Audit Messages
host=jetfire.lab.eng.pnq.redhat.com type=AVC msg=audit(1308653309.248:193): avc: denied { read } for pid=3124 comm="krb5_child" name=".k5login" dev=dm-0 ino=325834 scontext=root:system_r:sssd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
host=jetfire.lab.eng.pnq.redhat.com type=SYSCALL msg=audit(1308653309.248:193): arch=c000003e syscall=2 success=yes exit=0 a0=193a9b10 a1=0 a2=1b6 a3=0 items=0 ppid=2669 pid=3124 auid=0 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=(none) ses=1 comm="krb5_child" exe="/usr/libexec/sssd/krb5_child" subj=root:system_r:sssd_t:s0 key=(null)
2nd SELinux alert seen with the above test case in permissive mode:

Summary:
SELinux is preventing the krb5_child from using potentially mislabeled files (/home/puser1/.k5login).

Detailed Description:
[SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.]
SELinux has denied krb5_child access to potentially mislabeled file(s) (/home/puser1/.k5login). This means that SELinux will not allow krb5_child to use these files. It is common for users to edit files in their home directory or tmp directories and then move (mv) them to system directories. The problem is that the files end up with the wrong file context which confined applications are not allowed to access.

Allowing Access:
If you want krb5_child to access this files, you need to relabel them using restorecon -v '/home/puser1/.k5login'. You might want to relabel the entire directory using restorecon -R -v '/home/puser1'.

Additional Information:
Source Context        root:system_r:sssd_t
Target Context        root:object_r:user_home_t
Target Objects        /home/puser1/.k5login [ file ]
Source                krb5_child
Source Path           /usr/libexec/sssd/krb5_child
Port                  <Unknown>
Host                  jetfire.lab.eng.pnq.redhat.com
Source RPM Packages   sssd-1.5.1-37.el5
Target RPM Packages
Policy RPM            selinux-policy-2.4.6-312.el5
Selinux Enabled       True
Policy Type           targeted
MLS Enabled           True
Enforcing Mode        Permissive
Plugin Name           home_tmp_bad_labels
Host Name             jetfire.lab.eng.pnq.redhat.com
Platform              Linux jetfire.lab.eng.pnq.redhat.com 2.6.18-268.el5 #1 SMP Tue Jun 14 18:24:50 EDT 2011 x86_64 x86_64
Alert Count           4
First Seen            Tue Jun 14 12:00:25 2011
Last Seen             Tue Jun 21 17:50:30 2011
Local ID              49a2b94c-db0d-406b-958a-040aff7866df
Line Numbers

Raw Audit Messages
host=jetfire.lab.eng.pnq.redhat.com type=AVC msg=audit(1308658830.575:375): avc: denied { getattr } for pid=4100 comm="krb5_child" path="/home/puser1/.k5login" dev=dm-0 ino=550784 scontext=root:system_r:sssd_t:s0 tcontext=root:object_r:user_home_t:s0 tclass=file
host=jetfire.lab.eng.pnq.redhat.com type=SYSCALL msg=audit(1308658830.575:375): arch=c000003e syscall=5 success=yes exit=0 a0=0 a1=7fff2ea7ec10 a2=7fff2ea7ec10 a3=6165726373662f72 items=0 ppid=2669 pid=4100 auid=0 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=(none) ses=1 comm="krb5_child" exe="/usr/libexec/sssd/krb5_child" subj=root:system_r:sssd_t:s0 key=(null)
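The raw AVC records in the two alerts above carry everything a triager needs: the confined source domain (sssd_t), the generic target type on the file (user_home_t instead of the krb5-specific type the later comments settle on, krb5_home_t), and, in the paired SYSCALL record, success=yes, which shows the host was in permissive mode and the read went ahead despite the denial. The script below is an added example, not code from this bug, SSSD or selinux-policy: it parses audit lines in that format, pairs AVC and SYSCALL records by serial number, and reports file denials whose target type differs from the expected one. The embedded sample input is copied from this report; the expected-type table (.k5login -> krb5_home_t) is the example's own assumption drawn from the fix discussed further down.

```python
"""Parse raw SELinux audit records and flag denials caused by a
mislabelled home-directory file (added example; not from the bug or SSSD)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# AVC and SYSCALL records copied verbatim from this bug report ("Raw Audit Messages").
SAMPLE_AUDIT = """
host=jetfire.lab.eng.pnq.redhat.com type=AVC msg=audit(1308653309.248:193): avc: denied { read } for pid=3124 comm="krb5_child" name=".k5login" dev=dm-0 ino=325834 scontext=root:system_r:sssd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
host=jetfire.lab.eng.pnq.redhat.com type=SYSCALL msg=audit(1308653309.248:193): arch=c000003e syscall=2 success=yes exit=0 a0=193a9b10 a1=0 a2=1b6 a3=0 items=0 ppid=2669 pid=3124 auid=0 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=(none) ses=1 comm="krb5_child" exe="/usr/libexec/sssd/krb5_child" subj=root:system_r:sssd_t:s0 key=(null)
host=jetfire.lab.eng.pnq.redhat.com type=AVC msg=audit(1308658830.575:375): avc: denied { getattr } for pid=4100 comm="krb5_child" path="/home/puser1/.k5login" dev=dm-0 ino=550784 scontext=root:system_r:sssd_t:s0 tcontext=root:object_r:user_home_t:s0 tclass=file
host=jetfire.lab.eng.pnq.redhat.com type=SYSCALL msg=audit(1308658830.575:375): arch=c000003e syscall=5 success=yes exit=0 a0=0 a1=7fff2ea7ec10 a2=7fff2ea7ec10 a3=6165726373662f72 items=0 ppid=2669 pid=4100 auid=0 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=(none) ses=1 comm="krb5_child" exe="/usr/libexec/sssd/krb5_child" subj=root:system_r:sssd_t:s0 key=(null)
"""

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): '
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$')
SYSCALL_RE = re.compile(
    r'type=SYSCALL msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key=value or key="quoted value"

# Expected type for the named home file. Assumption of this example, based on
# the thread's resolution that ~/.k5login should be krb5_home_t.
EXPECTED_HOME_TYPES = {'.k5login': 'krb5_home_t'}


def parse_kv(text: str) -> Dict[str, str]:
    return {k: (q or u) for k, q, u in KV_RE.findall(text)}


def ctx_type(ctx: str) -> str:
    """Return the type field of a user:role:type[:range] context."""
    parts = ctx.split(':')
    return parts[2] if len(parts) > 2 else ''


@dataclass
class AvcRecord:
    serial: str
    result: str
    perms: List[str]
    fields: Dict[str, str]
    syscall_success: Optional[bool] = None  # from the SYSCALL record with the same serial

    @property
    def source_type(self) -> str:
        return ctx_type(self.fields.get('scontext', ''))

    @property
    def target_type(self) -> str:
        return ctx_type(self.fields.get('tcontext', ''))

    @property
    def target_path(self) -> str:
        return self.fields.get('path') or self.fields.get('name') or ''


def parse_audit(text: str) -> List[AvcRecord]:
    """Parse AVC records and attach the outcome of the matching SYSCALL record."""
    records: List[AvcRecord] = []
    by_serial: Dict[str, List[AvcRecord]] = {}
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            rec = AvcRecord(m['serial'], m['result'], m['perms'].split(), parse_kv(m['rest']))
            records.append(rec)
            by_serial.setdefault(m['serial'], []).append(rec)
            continue
        m = SYSCALL_RE.search(line)
        if m:
            success = parse_kv(m['rest']).get('success') == 'yes'
            for rec in by_serial.get(m['serial'], []):
                rec.syscall_success = success
    return records


def mislabelled_home_denials(records, expected=EXPECTED_HOME_TYPES):
    """Denied file accesses whose target carries a type other than the expected one."""
    findings = []
    for rec in records:
        if rec.result != 'denied' or rec.fields.get('tclass') != 'file':
            continue
        want = expected.get(rec.target_path.rsplit('/', 1)[-1])
        if want and rec.target_type != want:
            findings.append({
                'serial': rec.serial,
                'comm': rec.fields.get('comm'),
                'perms': rec.perms,
                'file': rec.target_path,
                'source_type': rec.source_type,
                'actual_type': rec.target_type,
                'expected_type': want,
                # denied + success=yes means permissive mode: the access happened anyway
                'permissive': rec.syscall_success,
            })
    return findings


if __name__ == '__main__':
    for f in mislabelled_home_denials(parse_audit(SAMPLE_AUDIT)):
        mode = 'permissive' if f['permissive'] else 'enforcing/unknown'
        print(f"{f['comm']} denied {f['perms']} on {f['file']}: "
              f"{f['actual_type']} (expected {f['expected_type']}), {mode}")
```

The permissive flag is the detail worth watching in a triage script: a "denied" AVC whose SYSCALL shows success=yes is a record of an access that actually occurred, which is exactly the state the reporter describes when the .k5login check was bypassed.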
restorecon and matchpathcon don't know that ~/.k5login should be labelled krb5_conf_t. Could we add that information to selinux-policy?
Kaushik,
what was wrong with

# chcon -t krb5_conf_t /home/puser1/.k5login

were you seeing other avc messages?
(In reply to comment #3)
> Kaushik,
> what was wrong with
>
> # chcon -t krb5_conf_t /home/puser1/.k5login
>
> were you seeing other avc messages?

Before this command, only the above 2 alerts were seen. With "chcon -t krb5_conf_t /home/puser1/.k5login" the above mentioned 2 selinux alerts don't appear. However, the test still fails in selinux:enforcing mode with that command, and I don't see any alerts. The test passes in selinux:permissive mode, but again I don't see any alerts.
I am going to build a new rhel5 package which will be available in 20 minutes.
selinux-policy-2.4.6-314.el5 is done. Could you test it with this build?

https://brewweb.devel.redhat.com/buildinfo?buildID=169394

Run your steps to reproduce:

2. add user puser1 (home dir set to /home/puser1) to ldap and kerberos
3. > /home/puser1/.k5login (empty file should deny access for puser1)
4. chown puser1 /home/puser1/.k5login
5. restorecon /home/puser1/.k5login
6. # ll -Z /home/puser1/.k5login

.k5login should get the right context. If yes, and it won't work and you won't see any avc msgs in permissive mode, then execute

# semodule -DB

and try again.
Using selinux-policy-2.4.6-314.el5, the test case passes in selinux:enforcing mode now. However, I see the following message in /var/log/messages:

<snip>
Jun 21 22:49:09 jetfire krb5_child: /etc/selinux/targeted/contexts/files/file_contexts: Multiple different specifications for /root/\.k5login (root:object_r:krb5_home_t:s0 and system_u:object_r:krb5_home_t:s0).
Jun 21 22:49:44 jetfire last message repeated 2 times
Jun 21 22:50:46 jetfire last message repeated 2 times
Jun 21 22:51:49 jetfire last message repeated 2 times
Jun 21 22:52:51 jetfire last message repeated 2 times
Jun 21 22:54:21 jetfire last message repeated 3 times
</snip>
I see it too:

Jun 22 02:51:53 auto-i386-002 restorecon: /etc/selinux/targeted/contexts/files/file_contexts: Multiple different specifications for /root/\.k5login (root:object_r:krb5_home_t:s0 and system_u:object_r:krb5_home_t:s0).
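The "Multiple different specifications" warning that both krb5_child and restorecon print here comes from the file_contexts database shipped by the -314 policy: the same regex, /root/\.k5login, appears twice with contexts that differ only in the SELinux user field (root vs system_u). The script below is an added example, not code from selinux-policy or libselinux. It parses a file_contexts fragment, reports every regex (with the same optional file-type flag) that maps to more than one distinct context, and includes a simplified matchpathcon-style lookup in which the last matching entry wins and a <<none>> context means the path gets no label. The fragment is constructed for this example and reproduces the two conflicting /root/\.k5login lines quoted above; the other entries are filler, and Python's regex engine stands in for the POSIX ERE that libselinux compiles.

```python
"""Check an SELinux file_contexts fragment for conflicting specifications
(added example; not from selinux-policy or libselinux)."""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed fragment: the two /root/\.k5login lines reproduce the conflict
# quoted in the log message above; the remaining lines are filler for the lookup.
FILE_CONTEXTS_SAMPLE = r"""
# regex                     [type]  context
/root/\.k5login             --      root:object_r:krb5_home_t:s0
/home/[^/]+/\.k5login       --      system_u:object_r:krb5_home_t:s0
/root/\.k5login             --      system_u:object_r:krb5_home_t:s0
/etc/krb5\.conf             --      system_u:object_r:krb5_conf_t:s0
/home/[^/]+/\.cache(/.*)?           system_u:object_r:cache_home_t:s0
/home/[^/]+/\.k5login       -d      <<none>>
"""

# regex, optional file-type flag (-- regular file, -d directory, -l symlink, ...), context
SPEC_RE = re.compile(r'^(?P<regex>\S+)\s+(?:(?P<mode>-[-bcdlps])\s+)?(?P<ctx>\S+)$')

Spec = Tuple[str, str, str, int]  # (regex, mode flag or '', context, line number)


def parse_file_contexts(text: str) -> List[Spec]:
    specs: List[Spec] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = SPEC_RE.match(line)
        if not m:
            raise ValueError(f'line {lineno}: cannot parse {raw!r}')
        specs.append((m['regex'], m['mode'] or '', m['ctx'], lineno))
    return specs


def conflicting_specs(specs: List[Spec]) -> List[Dict]:
    """Same regex and file-type flag but more than one distinct context:
    the condition behind the 'Multiple different specifications' warning."""
    by_key = defaultdict(list)
    for regex, mode, ctx, lineno in specs:
        by_key[(regex, mode)].append((ctx, lineno))
    problems = []
    for (regex, mode), entries in by_key.items():
        contexts = sorted({ctx for ctx, _ in entries})
        if len(contexts) > 1:
            problems.append({'regex': regex, 'mode': mode, 'contexts': contexts,
                             'lines': [ln for _, ln in entries]})
    return problems


def lookup(specs: List[Spec], path: str, mode: str = '--') -> Optional[str]:
    """Simplified matchpathcon: last matching entry wins; <<none>> means no label.
    Python regex is used here as an approximation of libselinux's POSIX ERE."""
    for regex, spec_mode, ctx, _ in reversed(specs):
        if spec_mode and spec_mode != mode:
            continue
        if re.fullmatch(regex, path):
            return None if ctx == '<<none>>' else ctx
    return None


if __name__ == '__main__':
    specs = parse_file_contexts(FILE_CONTEXTS_SAMPLE)
    for p in conflicting_specs(specs):
        print(f"Multiple different specifications for {p['regex']} "
              f"({' and '.join(p['contexts'])}) at lines {p['lines']}")
    print('/home/puser1/.k5login ->', lookup(specs, '/home/puser1/.k5login'))
```

Running it against the constructed fragment prints the same conflict the log shows, which is the kind of pre-deployment check that would have caught the -314 file_contexts before restorecon and krb5_child started logging it on every lookup.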
Milos, try it with the latest -315 release.
I already did. "multiple different specifications" messages do not appear any more. restorecon and matchpathcon work as expected.
This should be labeled krb5_home_t.
Using selinux-policy-2.4.6-315.el5, the test passes in selinux:enforcing mode and no more "multiple different specifications" messages are seen.
*** Bug 716238 has been marked as a duplicate of this bug. ***
Fixed in selinux-policy-2.4.6-316.el5
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. New Contents: Previously, SELinux prevented the krb5_child command from running because the .k5login file had the wrong security context. With this update, the bug in the appropriate SELinux policy has been fixed, and krb5_child now works as expected.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2011-1069.html