Bug 732757 - Authentication issues while using Kerberos and SELinux in enforcing mode
Summary: Authentication issues while using Kerberos and SELinux in enforcing mode
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.1
Hardware: All
OS: Linux
Target Milestone: rc
: ---
Assignee: Miroslav Grepl
QA Contact: Milos Malik
Depends On:
TreeView+ depends on / blocked
Reported: 2011-08-23 13:59 UTC by Pavel Snajdr
Modified: 2018-07-16 17:10 UTC (History)
7 users (show)

Fixed In Version: selinux-policy-3.7.19-108.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2011-12-06 10:13:23 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2011:1511 0 normal SHIPPED_LIVE selinux-policy bug fix and enhancement update 2011-12-06 00:39:17 UTC

Description Pavel Snajdr 2011-08-23 13:59:06 UTC
Kerberos Authentication for CUPS web interface is not working when selinux is in enforcing mode.

CUPS package version:


E [23/Aug/2011:09:14:33 -0400] cupsdAuthorize: pam_authenticate() returned 7 (Authentication failure)!

AVC, confirmed to be solving the issue:

type=AVC msg=audit(1314106699.568:97774): avc:  denied  { unlink } for  pid=2553 comm="cupsd" name="host_0" dev=sda3 ino=3663569 scontext=unconfined_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1314106699.568:97774): arch=c000003e syscall=87 success=no exit=-13 a0=7f1ce094a8b0 a1=ffffffff a2=0 a3=10 items=0 ppid=1 pid=2553 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2076 comm="cupsd" exe="/usr/sbin/cupsd" subj=unconfined_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)
type=USER_AUTH msg=audit(1314106701.647:97775): user pid=2553 uid=0 auid=0 ses=2076 subj=unconfined_u:system_r:cupsd_t:s0-s0:c0.c1023 msg='op=PAM:authentication acct="jmontleo" exe="/usr/sbin/cupsd" hostname= addr= terminal=cups res=failed'

module cupsauth 1.0;

require {
	type user_tmp_t;
	type cupsd_t;
	class file unlink;

#============= cupsd_t ==============
allow cupsd_t user_tmp_t:file unlink;

Comment 1 Tim Waugh 2011-08-23 14:04:10 UTC
Nalin: this seems to be in pam_krb5 -- any idea what's going on here?  Does this allow line look right to you?

Comment 3 Nalin Dahyabhai 2011-08-23 16:11:07 UTC
Tim, this is cups needing to be able to manipulate Kerberos replay caches, specifically being able to purge expired entries from them.  Dan, is cupsd_t one of the domains that can do that in the upcoming RHEL 6 builds (either directly, or as a user of PAM)?

Comment 4 Daniel Walsh 2011-08-23 19:14:03 UTC
Miroslav add


Comment 5 Miroslav Grepl 2011-08-24 15:29:01 UTC
Fixed in selinux-policy-3.7.19-108.el6

Comment 6 Pavel Snajdr 2011-08-25 06:26:12 UTC
Thanks everyone for such a fast resolution! Greatly appreciated!

Comment 9 errata-xmlrpc 2011-12-06 10:13:23 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.