Bug 785076 - SELinux is preventing krb5_child (sssd_t) "write" to ./coolkey (auth_cache_t)
Summary: SELinux is preventing krb5_child (sssd_t) "write" to ./coolkey (auth_cache_t)
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.8
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2012-01-27 07:30 UTC by Kaushik Banerjee
Modified: 2013-01-08 03:31 UTC

Fixed In Version: selinux-policy-2.4.6-328.el5
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-01-08 03:31:42 UTC
Target Upstream Version:
Embargoed:


Links
System: Red Hat Product Errata
ID: RHBA-2013:0060
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: selinux-policy bug fix and enhancement update
Last Updated: 2013-01-08 08:27:19 UTC

Description Kaushik Banerjee 2012-01-27 07:30:12 UTC
Description of problem:
SELinux is preventing krb5_child (sssd_t) "write" to ./coolkey (auth_cache_t)

Version-Release number of selected component (if applicable):
selinux-policy-2.4.6-326.el5

How reproducible:
Always

Steps to Reproduce:
1. Configure sssd to perform auth against AD with the following config:
[domain/AD]
cache_credentials = True
ldap_schema = rfc2307bis
ldap_group_object_class = group
ldap_id_use_start_tls = True
debug_level = 9
ldap_force_upper_case_realm = True
ldap_user_principal = userPrincipalName
ldap_user_object_class = person
ldap_tls_cacert = /etc/openldap/cacerts/AD_cert.pem
ldap_search_base = dc=sssdad,dc=com
id_provider = ldap
ldap_default_bind_dn = cn=Administrator,cn=Users,dc=sssdad,dc=com
ldap_uri = _srv_
ldap_user_home_directory = unixHomeDirectory
ldap_default_authtok = XXXXXX
dns_discovery_domain = sssdad.com
auth_provider = krb5
krb5_realm = SSSDAD.COM
krb5_server = _srv_
ldap_group_nesting_level = 10

  
Actual results:
Auth works fine, but the following AVC appears.

Detailed Description:

SELinux denied access requested by krb5_child. It is not expected that this
access is required by krb5_child and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for ./coolkey,

restorecon -v './coolkey'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                root:system_r:sssd_t
Target Context                system_u:object_r:auth_cache_t
Target Objects                ./coolkey [ dir ]
Source                        krb5_child
Source Path                   /usr/libexec/sssd/krb5_child
Port                          <Unknown>
Host                          dhcp201-204.englab.pnq.redhat.com
Source RPM Packages           sssd-1.5.1-49.el5
Target RPM Packages          
Policy RPM                    selinux-policy-2.4.6-326.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     dhcp201-204.englab.pnq.redhat.com
Platform                      Linux dhcp201-204.englab.pnq.redhat.com 2.6.18-305.el5 #1 SMP Mon Jan 16 17:42:10 EST 2012 x86_64 x86_64
Alert Count                   16
First Seen                    Mon Jan  9 14:14:24 2012
Last Seen                     Wed Jan 25 15:24:39 2012
Local ID                      19103597-87d5-40c4-bd61-7725d3345e8f
Line Numbers                 

Raw Audit Messages           

host=dhcp201-204.englab.pnq.redhat.com type=AVC msg=audit(1327485279.113:727): avc:  denied  { write } for  pid=15909 comm="krb5_child" name="coolkey" dev=dm-0 ino=964329 scontext=root:system_r:sssd_t:s0 tcontext=system_u:object_r:auth_cache_t:s0 tclass=dir

host=dhcp201-204.englab.pnq.redhat.com type=SYSCALL msg=audit(1327485279.113:727): arch=c000003e syscall=2 success=no exit=-13 a0=4051a60 a1=4c2 a2=180 a3=0 items=0 ppid=15853 pid=15909 auid=0 uid=11001 gid=11001 euid=11001 suid=11001 fsuid=11001 egid=11001 sgid=11001 fsgid=11001 tty=(none) ses=77 comm="krb5_child" exe="/usr/libexec/sssd/krb5_child" subj=root:system_r:sssd_t:s0 key=(null)


Expected results:


Additional info:

Comment 1 Kaushik Banerjee 2012-01-27 07:33:00 UTC
Comment from Nalin in the email thread regarding this issue:

The Kerberos library can load the pkinit module, which on RHEL 5 uses NSS, which can be configured to use the coolkey module.  Expect this to happen if a KDC which the client (on RHEL 5 or 6) contacts advertises that it supports PKINIT.

This should probably be allowed, which suggests to me that there's a bug in the SELinux policy for not allowing it.

Comment 3 Kaushik Banerjee 2012-01-27 15:22:34 UTC
# tail -f /var/log/audit/audit.log | grep -i avc
type=USER_AVC msg=audit(1327677521.478:74): user pid=3871 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  received setenforce notice (enforcing=0) : exe="?" (sauid=81, hostname=?, addr=?, terminal=?)'
type=AVC msg=audit(1327677538.277:79): avc:  denied  { write } for  pid=11135 comm="krb5_child" name="coolkey" dev=dm-0 ino=3011777 scontext=root:system_r:sssd_t:s0 tcontext=system_u:object_r:auth_cache_t:s0 tclass=dir
type=AVC msg=audit(1327677538.277:79): avc:  denied  { add_name } for  pid=11135 comm="krb5_child" name=636F6F6C6B6579706B313173452D47617465203020302D3131303031 scontext=root:system_r:sssd_t:s0 tcontext=system_u:object_r:auth_cache_t:s0 tclass=dir
type=AVC msg=audit(1327677538.277:79): avc:  denied  { create } for  pid=11135 comm="krb5_child" name=636F6F6C6B6579706B313173452D47617465203020302D3131303031 scontext=root:system_r:sssd_t:s0 tcontext=root:object_r:auth_cache_t:s0 tclass=file
type=AVC msg=audit(1327677538.278:80): avc:  denied  { read write } for  pid=11135 comm="krb5_child" path=2F7661722F63616368652F636F6F6C6B65792F636F6F6C6B6579706B313173452D47617465203020302D3131303031 dev=dm-0 ino=3012029 scontext=root:system_r:sssd_t:s0 tcontext=root:object_r:auth_cache_t:s0 tclass=file
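
Added example (not part of the bug report or of any comment in it): the name= and path= values in the records of Comment 3 are hex-encoded by the audit subsystem because they contain spaces. This Python sketch decodes them and groups the denials by source type, target type and class in allow-rule form for triage; the function names are hypothetical, and the printed rules are a summary of what was denied, not the policy change shipped in the erratum.

```python
import re
from collections import defaultdict

# The five audit records from Comment 3, copied verbatim from this page.
SAMPLE = """type=USER_AVC msg=audit(1327677521.478:74): user pid=3871 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  received setenforce notice (enforcing=0) : exe="?" (sauid=81, hostname=?, addr=?, terminal=?)'
type=AVC msg=audit(1327677538.277:79): avc:  denied  { write } for  pid=11135 comm="krb5_child" name="coolkey" dev=dm-0 ino=3011777 scontext=root:system_r:sssd_t:s0 tcontext=system_u:object_r:auth_cache_t:s0 tclass=dir
type=AVC msg=audit(1327677538.277:79): avc:  denied  { add_name } for  pid=11135 comm="krb5_child" name=636F6F6C6B6579706B313173452D47617465203020302D3131303031 scontext=root:system_r:sssd_t:s0 tcontext=system_u:object_r:auth_cache_t:s0 tclass=dir
type=AVC msg=audit(1327677538.277:79): avc:  denied  { create } for  pid=11135 comm="krb5_child" name=636F6F6C6B6579706B313173452D47617465203020302D3131303031 scontext=root:system_r:sssd_t:s0 tcontext=root:object_r:auth_cache_t:s0 tclass=file
type=AVC msg=audit(1327677538.278:80): avc:  denied  { read write } for  pid=11135 comm="krb5_child" path=2F7661722F63616368652F636F6F6C6B65792F636F6F6C6B6579706B313173452D47617465203020302D3131303031 dev=dm-0 ino=3012029 scontext=root:system_r:sssd_t:s0 tcontext=root:object_r:auth_cache_t:s0 tclass=file
"""

AVC_RE = re.compile(r"type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
HEX_FIELDS = {"name", "path", "comm", "exe"}  # string fields that may be hex-encoded

def decode_value(key, raw):
    """Quoted values are literal; an unquoted all-hex string field is encoded."""
    if raw.startswith('"'):
        return raw.strip('"')
    if key in HEX_FIELDS and len(raw) % 2 == 0 and re.fullmatch(r"[0-9A-F]+", raw):
        return bytes.fromhex(raw).decode("utf-8", errors="replace")
    return raw

def parse_avc(line):
    """Return a dict of decoded fields for a kernel AVC denial, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None  # USER_AVC notices and non-AVC records are skipped
    rec = {k: decode_value(k, v) for k, v in FIELD_RE.findall(m["rest"])}
    rec["perms"] = m["perms"].split()
    return rec

def setype(context):
    return context.split(":")[2]  # user:role:type[:level]

def summarize(lines):
    """Union the denied permissions per (source type, target type, class)."""
    rules = defaultdict(set)
    for rec in filter(None, map(parse_avc, lines)):
        key = (setype(rec["scontext"]), setype(rec["tcontext"]), rec["tclass"])
        rules[key].update(rec["perms"])
    return {k: sorted(v) for k, v in rules.items()}

def as_allow_rules(summary):
    return [f"allow {s} {t}:{c} {{ {' '.join(p)} }};" for (s, t, c), p in sorted(summary.items())]

if __name__ == "__main__":
    print("\n".join(as_allow_rules(summarize(SAMPLE.splitlines()))))
```

The decoded file name ends in 11001, the same value as uid= in the SYSCALL record of the description. The add_name, create and read/write denials show up only in Comment 3 because that run was in permissive mode (the setenforce notice with enforcing=0), where the operation continues past the first denial.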

Comment 4 RHEL Program Management 2012-04-02 11:22:34 UTC
This request was evaluated by Red Hat Product Management for inclusion
in a Red Hat Enterprise Linux release.  Product Management has
requested further review of this request by Red Hat Engineering, for
potential inclusion in a Red Hat Enterprise Linux release for currently
deployed products.  This request is not yet committed for inclusion in
a release.

Comment 9 errata-xmlrpc 2013-01-08 03:31:42 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0060.html

