Bug 799322 - SELinux prevents the krb5_child process from reading ~/.k5login
Summary: SELinux prevents the krb5_child process from reading ~/.k5login
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.3
Target Milestone: rc
Assignee: Miroslav Grepl
QA Contact: BaseOS QE Security Team
Reported: 2012-03-02 13:46 UTC by Jakub Hrozek
Modified: 2012-03-02 15:02 UTC (History)

Doc Type: Bug Fix
Last Closed: 2012-03-02 15:02:19 UTC

Description Jakub Hrozek 2012-03-02 13:46:20 UTC
Description of problem:
The krb5_child process attempts to read ~/.k5login but is denied by SELinux.


Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.7.19-137.el6.noarch
sssd-1.8.0-4.el6.beta3.x86_64

How reproducible:
log into a RHEL6.3 system with SSSD

Steps to Reproduce:
1. log into a RHEL6.3 system with SSSD

Actual results:
AVC denial

Expected results:
no AVC denial

Additional info:
It seems that sssd_t is allowed to read home_root_t but not user_home_t:
# sesearch -s sssd_t -t home_root_t -c dir -p search --allow
Found 1 semantic av rules:
   allow sssd_t home_root_t : dir { getattr search open } ; 
# sesearch -s sssd_t -t user_home_t -c dir -p search --allow
# (blank)

SELinux contexts:
# ls -ldZ /home/ /home/remote/ /home/remote/jhrozek/
drwxr-xr-x. root    root    system_u:object_r:home_root_t:s0 /home/
drwxr-xr-x. root    root   unconfined_u:object_r:user_home_dir_t:s0 /home/remote/
drwxr-xr-x. jhrozek jhrozek unconfined_u:object_r:user_home_t:s0 /home/remote/jhrozek/

audit2why output:
type=AVC msg=audit(1330694985.161:52): avc:  denied  { search } for  pid=3028 comm="krb5_child" name="jhrozek" dev=sda3 ino=8913100 scontext=system_u:system_r:sssd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1330694985.162:53): avc:  denied  { open } for  pid=3028 comm="krb5_child" name=".k5login" dev=sda3 ino=8913360 scontext=system_u:system_r:sssd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1330694985.162:53): avc:  denied  { read } for  pid=3028 comm="krb5_child" name=".k5login" dev=sda3 ino=8913360 scontext=system_u:system_r:sssd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

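An added example, not part of the bug report and not code from SSSD or selinux-policy: a small triage script that parses AVC records of the form quoted above, collapses them into (source type, target type, object class) groups and emits the sesearch queries that were run by hand here. The sample input is the three records from this report, embedded inline.

```python
import re
from collections import defaultdict

# Constructed sample: the three AVC records quoted in the bug description.
SAMPLE_AVC = """\
type=AVC msg=audit(1330694985.161:52): avc:  denied  { search } for  pid=3028 comm="krb5_child" name="jhrozek" dev=sda3 ino=8913100 scontext=system_u:system_r:sssd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1330694985.162:53): avc:  denied  { open } for  pid=3028 comm="krb5_child" name=".k5login" dev=sda3 ino=8913360 scontext=system_u:system_r:sssd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1330694985.162:53): avc:  denied  { read } for  pid=3028 comm="krb5_child" name=".k5login" dev=sda3 ino=8913360 scontext=system_u:system_r:sssd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
"""

# "avc:  denied  { perm1 perm2 } for  key=value key="quoted value" ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial record, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    rec['perms'] = set(m.group('perms').split())
    # A context is user:role:type:level; the type is what policy rules key on.
    rec['stype'] = rec['scontext'].split(':')[2]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    return rec


def group_denials(text):
    """Collapse records into {(source type, target type, class): set of permissions}."""
    groups = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            groups[(rec['stype'], rec['ttype'], rec['tclass'])] |= rec['perms']
    return dict(groups)


def sesearch_queries(groups):
    """One sesearch command per denied permission, mirroring the manual check."""
    return [f"sesearch -s {s} -t {t} -c {c} -p {perm} --allow"
            for (s, t, c), perms in sorted(groups.items())
            for perm in sorted(perms)]


if __name__ == '__main__':
    for query in sesearch_queries(group_denials(SAMPLE_AVC)):
        print(query)
```

An empty sesearch result for a query points at either a genuinely missing rule or, as in this report, a target whose label is not the one the policy expects for that path; `restorecon -nv` on the named object distinguishes the two.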
Comment 2 Miroslav Grepl 2012-03-02 14:43:55 UTC
The problem is that the /home/remote/jhrozek/ directory has a bad label, and then .k5login is also mislabeled.

$ semanage fcontext -a -e /home /home/remote
$ restorecon -R -v /home/remote

is needed.

Comment 3 Jakub Hrozek 2012-03-02 15:02:19 UTC
Ah, that fixed it. Thank you!