732757 – Authentication issues while using Kerberos and SELinux in enforcing mode

Bug 732757 - Authentication issues while using Kerberos and SELinux in enforcing mode

Summary: Authentication issues while using Kerberos and SELinux in enforcing mode

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	6.1
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Miroslav Grepl
QA Contact:	Milos Malik
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2011-08-23 13:59 UTC by Pavel Snajdr
Modified:	2018-07-16 17:10 UTC (History)
CC List:	7 users (show)
Fixed In Version:	selinux-policy-3.7.19-108.el6
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2011-12-06 10:13:23 UTC
Target Upstream Version:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2011:1511	0	normal	SHIPPED_LIVE	selinux-policy bug fix and enhancement update	2011-12-06 00:39:17 UTC

Description Pavel Snajdr 2011-08-23 13:59:06 UTC

Kerberos Authentication for CUPS web interface is not working when selinux is in enforcing mode.

CUPS package version:
cups-1.4.2-39.el6.x86_64

-------------------------------------
/var/log/cups/error_log:

E [23/Aug/2011:09:14:33 -0400] cupsdAuthorize: pam_authenticate() returned 7 (Authentication failure)!

-------------------------------------
AVC, confirmed to be solving the issue:

type=AVC msg=audit(1314106699.568:97774): avc:  denied  { unlink } for  pid=2553 comm="cupsd" name="host_0" dev=sda3 ino=3663569 scontext=unconfined_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1314106699.568:97774): arch=c000003e syscall=87 success=no exit=-13 a0=7f1ce094a8b0 a1=ffffffff a2=0 a3=10 items=0 ppid=1 pid=2553 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2076 comm="cupsd" exe="/usr/sbin/cupsd" subj=unconfined_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)
type=USER_AUTH msg=audit(1314106701.647:97775): user pid=2553 uid=0 auid=0 ses=2076 subj=unconfined_u:system_r:cupsd_t:s0-s0:c0.c1023 msg='op=PAM:authentication acct="jmontleo" exe="/usr/sbin/cupsd" hostname=10.11.131.75 addr=10.11.131.75 terminal=cups res=failed'

module cupsauth 1.0;

require {
	type user_tmp_t;
	type cupsd_t;
	class file unlink;
}

#============= cupsd_t ==============
allow cupsd_t user_tmp_t:file unlink;

Comment 1 Tim Waugh 2011-08-23 14:04:10 UTC

Nalin: this seems to be in pam_krb5 -- any idea what's going on here?  Does this allow line look right to you?

Comment 3 Nalin Dahyabhai 2011-08-23 16:11:07 UTC

Tim, this is cups needing to be able to manipulate Kerberos replay caches, specifically being able to purge expired entries from them.  Dan, is cupsd_t one of the domains that can do that in the upcoming RHEL 6 builds (either directly, or as a user of PAM)?

Comment 4 Daniel Walsh 2011-08-23 19:14:03 UTC

Miroslav add


optional_policy(`
	kerberos_manage_host_rcache(cupsd_t)
')

Comment 5 Miroslav Grepl 2011-08-24 15:29:01 UTC

Fixed in selinux-policy-3.7.19-108.el6

Comment 6 Pavel Snajdr 2011-08-25 06:26:12 UTC

Thanks everyone for such a fast resolution! Greatly appreciated!

Comment 9 errata-xmlrpc 2011-12-06 10:13:23 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1511.html

Note You need to log in before you can comment on or make changes to this bug.