Bug 732757 - Authentication issues while using Kerberos and SELinux in enforcing mode
Summary: Authentication issues while using Kerberos and SELinux in enforcing mode
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.1
Hardware: All
OS: Linux
medium
medium
Target Milestone: rc
: ---
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-08-23 13:59 UTC by Pavel Snajdr
Modified: 2018-07-16 17:10 UTC (History)
7 users (show)

Fixed In Version: selinux-policy-3.7.19-108.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-12-06 10:13:23 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2011:1511 normal SHIPPED_LIVE selinux-policy bug fix and enhancement update 2011-12-06 00:39:17 UTC

Description Pavel Snajdr 2011-08-23 13:59:06 UTC
Kerberos Authentication for CUPS web interface is not working when selinux is in enforcing mode.

CUPS package version:
cups-1.4.2-39.el6.x86_64

-------------------------------------
/var/log/cups/error_log:

E [23/Aug/2011:09:14:33 -0400] cupsdAuthorize: pam_authenticate() returned 7 (Authentication failure)!

-------------------------------------
AVC, confirmed to be solving the issue:

type=AVC msg=audit(1314106699.568:97774): avc:  denied  { unlink } for  pid=2553 comm="cupsd" name="host_0" dev=sda3 ino=3663569 scontext=unconfined_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1314106699.568:97774): arch=c000003e syscall=87 success=no exit=-13 a0=7f1ce094a8b0 a1=ffffffff a2=0 a3=10 items=0 ppid=1 pid=2553 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2076 comm="cupsd" exe="/usr/sbin/cupsd" subj=unconfined_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)
type=USER_AUTH msg=audit(1314106701.647:97775): user pid=2553 uid=0 auid=0 ses=2076 subj=unconfined_u:system_r:cupsd_t:s0-s0:c0.c1023 msg='op=PAM:authentication acct="jmontleo" exe="/usr/sbin/cupsd" hostname=10.11.131.75 addr=10.11.131.75 terminal=cups res=failed'

module cupsauth 1.0;

require {
	type user_tmp_t;
	type cupsd_t;
	class file unlink;
}

#============= cupsd_t ==============
allow cupsd_t user_tmp_t:file unlink;

Comment 1 Tim Waugh 2011-08-23 14:04:10 UTC
Nalin: this seems to be in pam_krb5 -- any idea what's going on here?  Does this allow line look right to you?

Comment 3 Nalin Dahyabhai 2011-08-23 16:11:07 UTC
Tim, this is cups needing to be able to manipulate Kerberos replay caches, specifically being able to purge expired entries from them.  Dan, is cupsd_t one of the domains that can do that in the upcoming RHEL 6 builds (either directly, or as a user of PAM)?

Comment 4 Daniel Walsh 2011-08-23 19:14:03 UTC
Miroslav add


optional_policy(`
	kerberos_manage_host_rcache(cupsd_t)
')

Comment 5 Miroslav Grepl 2011-08-24 15:29:01 UTC
Fixed in selinux-policy-3.7.19-108.el6

Comment 6 Pavel Snajdr 2011-08-25 06:26:12 UTC
Thanks everyone for such a fast resolution! Greatly appreciated!

Comment 9 errata-xmlrpc 2011-12-06 10:13:23 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1511.html


Note You need to log in before you can comment on or make changes to this bug.