Bug 801163 - SELinux prevents chsh from working with Kerberos auth
Summary: SELinux prevents chsh from working with Kerberos auth
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.2
Hardware: All
OS: Linux
high
medium
Target Milestone: rc
Assignee: Miroslav Grepl
QA Contact: Zbysek MRAZ
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2012-03-07 19:50 UTC by Ben Webb
Modified: 2013-07-03 13:15 UTC (History)

Fixed In Version: selinux-policy-3.7.19-151.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-06-20 12:31:57 UTC
Target Upstream Version:




Links
System ID: Red Hat Product Errata RHBA-2012:0780
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: selinux-policy bug fix and enhancement update
Last Updated: 2012-06-19 20:34:59 UTC

Description Ben Webb 2012-03-07 19:50:29 UTC
Description of problem:
'chsh' does not work on our servers that authenticate with Kerberos; SELinux prevents it from accessing certain files and directories. (If SELinux is set to permissive mode, chsh works correctly.)

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.7.19-126.el6_2.9.noarch
util-linux-ng-2.17.2-12.4.el6.x86_64

How reproducible:
Always.

Steps to Reproduce:
1. On a system using Kerberos authentication, attempt to change the shell:
$ chsh -s /bin/tcsh

Actual results:
Even if the correct password is entered at the prompt, chsh replies with:
Authentication failure

The following AVCs are also seen in the log:
Mar  7 11:45:53 server kernel: type=1400 audit(1331149553.094:35): avc:  denied  { read write } for  pid=19772 comm="chsh" name="host_0" dev=cciss!c0d0p1 ino=139884 scontext=unconfined_u:unconfined_r:chfn_t:s0-s0:c0.c1023 tcontext=system_u:object_r:krb5_host_rcache_t:s0 tclass=file
Mar  7 11:45:53 server kernel: type=1400 audit(1331149553.181:36): avc:  denied  { write } for  pid=19772 comm="chsh" name="tmp" dev=cciss!c0d0p1 ino=128030 scontext=unconfined_u:unconfined_r:chfn_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=dir


Expected results:
Shell successfully changed.

Additional info:
If we put SELinux into permissive mode, chsh succeeds, albeit with a lot more AVCs. audit2allow generates the following policy rules from those AVCs:

allow chfn_t krb5_host_rcache_t:file { rename write read create unlink open };
allow chfn_t tmp_t:dir { write remove_name add_name };

Comment 2 Daniel Walsh 2012-03-07 20:05:40 UTC
Why would chfn be creating a host_0 file?

Comment 3 Daniel Walsh 2012-03-07 20:11:00 UTC
Well it looks like we have this in Fedora.

Might want to start backporting the auth_use_pam interface.

Comment 4 Nalin Dahyabhai 2012-03-07 20:16:35 UTC
(In reply to comment #2)
> Why would chfn be creating a host_0 file?

It uses PAM, and it's running with sufficient privileges that when pam_krb5 calls the verify-creds APIs, it can read the system keytab and attempt to use it to verify the initial credentials, which currently involves creating/using the replay cache.

Comment 6 Miroslav Grepl 2012-03-14 14:40:48 UTC
We are missing 

auth_use_pam(chfn_t)
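
An added triage helper (not part of this bug report or of selinux-policy) that parses the AVC lines quoted above, collapses them into audit2allow-style rules, and flags the signature of this bug: a chfn_t process denied access to the Kerberos replay cache (krb5_host_rcache_t). The sample input is a constructed copy of the two denials from the description; the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: the two AVC denials quoted in this bug report.
SAMPLE_AVCS = """\
Mar  7 11:45:53 server kernel: type=1400 audit(1331149553.094:35): avc:  denied  { read write } for  pid=19772 comm="chsh" name="host_0" dev=cciss!c0d0p1 ino=139884 scontext=unconfined_u:unconfined_r:chfn_t:s0-s0:c0.c1023 tcontext=system_u:object_r:krb5_host_rcache_t:s0 tclass=file
Mar  7 11:45:53 server kernel: type=1400 audit(1331149553.181:36): avc:  denied  { write } for  pid=19772 comm="chsh" name="tmp" dev=cciss!c0d0p1 ino=128030 scontext=unconfined_u:unconfined_r:chfn_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
"""

# Pulls the permission set, the command, and the three context fields out of one AVC line.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def _type_of(context):
    # SELinux context is user:role:type[:range]; the type is what TE rules are written against.
    return context.split(":")[2]


def parse_avcs(text):
    """Return one (comm, source type, target type, class, perms) tuple per denial line."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            denials.append((m.group("comm"), _type_of(m.group("scontext")),
                            _type_of(m.group("tcontext")), m.group("tclass"),
                            frozenset(m.group("perms").split())))
    return denials


def allow_rules(denials):
    """Collapse denials into audit2allow-style rules, one per (source, target, class)."""
    perms = defaultdict(set)
    for _comm, src, tgt, cls, p in denials:
        perms[(src, tgt, cls)] |= p
    return [f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(p))} }};"
            for (src, tgt, cls), p in sorted(perms.items())]


def looks_like_bug_801163(denials):
    """True when chfn_t is denied access to krb5_host_rcache_t: pam_krb5 verifying
    initial credentials against the keytab from a domain lacking auth_use_pam()."""
    return any(src == "chfn_t" and tgt == "krb5_host_rcache_t"
               for _comm, src, tgt, _cls, _p in denials)
```

The generated rules mirror the audit2allow output in the description; as the comments above note, the shipped fix is the auth_use_pam(chfn_t) interface call in the updated selinux-policy package rather than a local module built from those rules.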

Comment 15 Miroslav Grepl 2012-05-15 08:41:47 UTC
Fixed in selinux-policy-3.7.19-151.el6

Comment 19 errata-xmlrpc 2012-06-20 12:31:57 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0780.html

