Bug 716238 - SELinux is preventing the klogind from using potentially mislabeled files (./.k5login)
SELinux is preventing the klogind from using potentially mislabeled files (./...
Status: CLOSED DUPLICATE of bug 714960
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy (Show other bugs)
5.7
All Linux
urgent Severity urgent
: rc
: ---
Assigned To: Miroslav Grepl
BaseOS QE Security Team
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2011-06-23 14:41 EDT by Kaushik Banerjee
Modified: 2011-06-27 05:56 EDT (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2011-06-24 08:52:36 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Kaushik Banerjee 2011-06-23 14:41:30 EDT
This got caught in the automation runs(Using /usr/kerberos/bin/rlogin client in the automation run).

I guess, this will apply for all the clients mentioned in bug 501107, comment 4

Summary:

SELinux is preventing the klogind from using potentially mislabeled files
(./.k5login).

Detailed Description:

SELinux has denied klogind access to potentially mislabeled file(s)
(./.k5login). This means that SELinux will not allow klogind to use these files.
It is common for users to edit files in their home directory or tmp directories
and then move (mv) them to system directories. The problem is that the files end
up with the wrong file context which confined applications are not allowed to
access.

Allowing Access:

If you want klogind to access this files, you need to relabel them using
restorecon -v './.k5login'. You might want to relabel the entire directory using
restorecon -R -v '.'.

Additional Information:

Source Context                root:system_r:rlogind_t:SystemLow-SystemHigh
Target Context                user_u:object_r:krb5_home_t
Target Objects                ./.k5login [ file ]
Source                        klogind
Source Path                   /usr/kerberos/sbin/klogind
Port                          <Unknown>
Host                          jetfire.lab.eng.pnq.redhat.com
Source RPM Packages           krb5-workstation-1.6.1-62.el5
Target RPM Packages           
Policy RPM                    selinux-policy-2.4.6-315.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   home_tmp_bad_labels
Host Name                     jetfire.lab.eng.pnq.redhat.com
Platform                      Linux jetfire.lab.eng.pnq.redhat.com
                              2.6.18-269.el5 #1 SMP Tue Jun 21 16:22:46 EDT 2011
                              x86_64 x86_64
Alert Count                   2
First Seen                    Thu Jun 23 23:58:21 2011
Last Seen                     Fri Jun 24 00:00:03 2011
Local ID                      3b9d9f6f-0c8e-4c87-b90e-f710db0cdbce
Line Numbers                  

Raw Audit Messages            

host=jetfire.lab.eng.pnq.redhat.com type=AVC msg=audit(1308853803.517:163): avc:  denied  { read } for  pid=3923 comm="klogind" name=".k5login" dev=dm-0 ino=550589 scontext=root:system_r:rlogind_t:s0-s0:c0.c1023 tcontext=user_u:object_r:krb5_home_t:s0 tclass=file

host=jetfire.lab.eng.pnq.redhat.com type=SYSCALL msg=audit(1308853803.517:163): arch=c000003e syscall=2 success=no exit=-13 a0=2b2f84b572d0 a1=0 a2=1b6 a3=0 items=0 ppid=3753 pid=3923 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=10 comm="klogind" exe="/usr/kerberos/sbin/klogind" subj=root:system_r:rlogind_t:s0-s0:c0.c1023 key=(null)
Comment 1 Miroslav Grepl 2011-06-24 08:21:30 EDT
The problem is we don't have 

auth_login_pgm_domain(rlogind_t)

in RHEL5.
Comment 2 Miroslav Grepl 2011-06-24 08:52:36 EDT

*** This bug has been marked as a duplicate of bug 714960 ***

Note You need to log in before you can comment on or make changes to this bug.