Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
For bugs related to Red Hat Enterprise Linux 5 product line. The current stable release is 5.10. For Red Hat Enterprise Linux 6 and above, please visit Red Hat JIRA https://issues.redhat.com/secure/CreateIssue!default.jspa?pid=12332745 to report new issues.

Bug 785076

Summary: SELinux is preventing krb5_child (sssd_t) "write" to ./coolkey (auth_cache_t)
Product: Red Hat Enterprise Linux 5 Reporter: Kaushik Banerjee <kbanerje>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: medium Docs Contact:
Priority: medium    
Version: 5.8CC: dwalsh, mmalik, nalin, sgallagh
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-2.4.6-328.el5 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-01-08 03:31:42 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Kaushik Banerjee 2012-01-27 07:30:12 UTC 
Description of problem:
SELinux is preventing krb5_child (sssd_t) "write" to ./coolkey (auth_cache_t)

Version-Release number of selected component (if applicable):
selinux-policy-2.4.6-326.el5

How reproducible:
Always

Steps to Reproduce:
1. Configure sssd to perform auth against AD with the following config:
[domain/AD]
cache_credentials = True
ldap_schema = rfc2307bis
ldap_group_object_class = group
ldap_id_use_start_tls = True
debug_level = 9
ldap_force_upper_case_realm = True
ldap_user_principal = userPrincipalName
ldap_user_object_class = person
ldap_tls_cacert = /etc/openldap/cacerts/AD_cert.pem
ldap_search_base = dc=sssdad,dc=com
id_provider = ldap
ldap_default_bind_dn = cn=Administrator,cn=Users,dc=sssdad,dc=com
ldap_uri = _srv_
ldap_user_home_directory = unixHomeDirectory
ldap_default_authtok = XXXXXX
dns_discovery_domain = sssdad.com
auth_provider = krb5
krb5_realm = SSSDAD.COM
krb5_server = _srv_
ldap_group_nesting_level = 10

  
Actual results:
Auth works fine, but following avc appears.

Detailed Description:

SELinux denied access requested by krb5_child. It is not expected that this
access is required by krb5_child and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration
of the
application is causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to
restore
the default system file context for ./coolkey,

restorecon -v './coolkey'

If this does not work, there is currently no automatic way to allow this
access.
Instead, you can generate a local policy module to allow this access -
see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
disable
SELinux protection altogether. Disabling SELinux protection is not
recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                root:system_r:sssd_t
Target Context                system_u:object_r:auth_cache_t
Target Objects                ./coolkey [ dir ]
Source                        krb5_child
Source Path                   /usr/libexec/sssd/krb5_child
Port                          <Unknown>
Host                          dhcp201-204.englab.pnq.redhat.com
Source RPM Packages           sssd-1.5.1-49.el5
Target RPM Packages          
Policy RPM                    selinux-policy-2.4.6-326.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     dhcp201-204.englab.pnq.redhat.com
Platform                      Linux dhcp201-204.englab.pnq.redhat.com
                              2.6.18-305.el5 #1 SMP Mon Jan 16 17:42:10
EST 2012
                              x86_64 x86_64
Alert Count                   16
First Seen                    Mon Jan  9 14:14:24 2012
Last Seen                     Wed Jan 25 15:24:39 2012
Local ID                      19103597-87d5-40c4-bd61-7725d3345e8f
Line Numbers                 

Raw Audit Messages           

host=dhcp201-204.englab.pnq.redhat.com type=AVC
msg=audit(1327485279.113:727): avc:  denied  { write } for  pid=15909
comm="krb5_child" name="coolkey" dev=dm-0 ino=964329
scontext=root:system_r:sssd_t:s0
tcontext=system_u:object_r:auth_cache_t:s0 tclass=dir

host=dhcp201-204.englab.pnq.redhat.com type=SYSCALL
msg=audit(1327485279.113:727): arch=c000003e syscall=2 success=no
exit=-13 a0=4051a60 a1=4c2 a2=180 a3=0 items=0 ppid=15853 pid=15909
auid=0 uid=11001 gid=11001 euid=11001 suid=11001 fsuid=11001 egid=11001
sgid=11001 fsgid=11001 tty=(none) ses=77 comm="krb5_child"
exe="/usr/libexec/sssd/krb5_child" subj=root:system_r:sssd_t:s0 key=(null)


Expected results:


Additional info:
Comment 1 Kaushik Banerjee 2012-01-27 07:33:00 UTC 
Comment from Nalin in the email thread regarding this issue:

The Kerberos library can load the pkinit module, which on RHEL 5 uses NSS, which can be configured to use the coolkey module.  Expect this to happen if a KDC which the client (on RHEL 5 or 6) contacts advertises that it supports PKINIT.

This should probably be allowed, which suggest to me that there's a bug in the SELinux policy for not allowing it.
Comment 3 Kaushik Banerjee 2012-01-27 15:22:34 UTC 
# tail -f /var/log/audit/audit.log | grep -i avc
type=USER_AVC msg=audit(1327677521.478:74): user pid=3871 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  received setenforce notice (enforcing=0) : exe="?" (sauid=81, hostname=?, addr=?, terminal=?)'
type=AVC msg=audit(1327677538.277:79): avc:  denied  { write } for  pid=11135 comm="krb5_child" name="coolkey" dev=dm-0 ino=3011777 scontext=root:system_r:sssd_t:s0 tcontext=system_u:object_r:auth_cache_t:s0 tclass=dir
type=AVC msg=audit(1327677538.277:79): avc:  denied  { add_name } for  pid=11135 comm="krb5_child" name=636F6F6C6B6579706B313173452D47617465203020302D3131303031 scontext=root:system_r:sssd_t:s0 tcontext=system_u:object_r:auth_cache_t:s0 tclass=dir
type=AVC msg=audit(1327677538.277:79): avc:  denied  { create } for  pid=11135 comm="krb5_child" name=636F6F6C6B6579706B313173452D47617465203020302D3131303031 scontext=root:system_r:sssd_t:s0 tcontext=root:object_r:auth_cache_t:s0 tclass=file
type=AVC msg=audit(1327677538.278:80): avc:  denied  { read write } for  pid=11135 comm="krb5_child" path=2F7661722F63616368652F636F6F6C6B65792F636F6F6C6B6579706B313173452D47617465203020302D3131303031 dev=dm-0 ino=3012029 scontext=root:system_r:sssd_t:s0 tcontext=root:object_r:auth_cache_t:s0 tclass=file
Comment 4 RHEL Program Management 2012-04-02 11:22:34 UTC 
This request was evaluated by Red Hat Product Management for inclusion
in a Red Hat Enterprise Linux release.  Product Management has
requested further review of this request by Red Hat Engineering, for
potential inclusion in a Red Hat Enterprise Linux release for currently
deployed products.  This request is not yet committed for inclusion in
a release.
Comment 9 errata-xmlrpc 2013-01-08 03:31:42 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0060.html