Bug 826444 - krb5 tickets not accessible for user_t/staff_t
krb5 tickets not accessible for user_t/staff_t
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
17
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Miroslav Grepl
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2012-05-30 04:19 EDT by Sandro Mathys
Modified: 2012-06-03 19:32 EDT (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-06-03 19:32:30 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Sandro Mathys 2012-05-30 04:19:43 EDT
Description of problem:
Probably due to (recent?) changes in pam_krb5 in F17 (only?), /tmp/krb5cc_$UID_$RANDOM (i.e. $KRB5CCNAME) does now have a context of local_login_tmp_t instead of user_tmp_t. That seems to work for unconfined_t users, but not for user_t/staff_t users.

Version-Release number of selected component (if applicable):
selinux-policy-3.10.0-125.fc17
pam_krb5-2.3.14-1.fc17 (from updates-testing)

How reproducible:
Always

Steps to Reproduce:
1. Set up your system as a Kerberos client
2. Log in as a user that is set up to run with user_t or staff_t
3. try to run `klist` or `ls $KRB5CCNAME` or `cat $KRB5CCNAME`
  
Actual results:
Access Denied due to SELinux.

Expected results:
Ticket can be accessed.

Additional info:
Not sure, whether this should be fixed in selinux-policy or pam_krb5. The pam_krb5 maintainer commented on the context change in the most recent ticket:
https://bugzilla.redhat.com/show_bug.cgi?id=822493#c7
Comment 1 Sandro Mathys 2012-05-30 05:07:19 EDT
Forgot to post the denials I get here. Once as staff_t, once as user_t. Both times: log in (CIFS home with krb5 auth), klist, ls $KRB5CCNAME, cat $KRB5CCNAME, log out.

type=AVC msg=audit(1338362194.263:176): avc:  denied  { unlink } for  pid=1628 comm="pam_krb5_storet" name="krb5cc_17560_JXd8QO" dev="sda1" ino=16646247 scontext=staff_u:staff_r:staff_t:s0 tcontext=system_u:object_r:local_login_tmp_t:s0 tclass=file
type=AVC msg=audit(1338362195.793:180): avc:  denied  { read } for  pid=1758 comm="klist" name="krb5cc_17560_p2ujF0" dev="sda1" ino=16646246 scontext=staff_u:staff_r:staff_t:s0 tcontext=system_u:object_r:local_login_tmp_t:s0 tclass=file
type=AVC msg=audit(1338362204.784:181): avc:  denied  { read } for  pid=1788 comm="cat" name="krb5cc_17560_p2ujF0" dev="sda1" ino=16646246 scontext=staff_u:staff_r:staff_t:s0 tcontext=system_u:object_r:local_login_tmp_t:s0 tclass=file
type=AVC msg=audit(1338362209.110:182): avc:  denied  { unlink } for  pid=1803 comm="pam_krb5_storet" name="krb5cc_17560_p2ujF0" dev="sda1" ino=16646246 scontext=staff_u:staff_r:staff_t:s0 tcontext=system_u:object_r:local_login_tmp_t:s0 tclass=file


type=AVC msg=audit(1338362270.195:198): avc:  denied  { unlink } for  pid=1839 comm="pam_krb5_storet" name="krb5cc_15889_9H4yga" dev="sda1" ino=16646247 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:local_login_tmp_t:s0 tclass=file
type=AVC msg=audit(1338362278.831:202): avc:  denied  { read } for  pid=1969 comm="klist" name="krb5cc_15889_4ZqjBk" dev="sda1" ino=16646246 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:local_login_tmp_t:s0 tclass=file
type=AVC msg=audit(1338362292.269:208): avc:  denied  { read } for  pid=2011 comm="cat" name="krb5cc_15889_4ZqjBk" dev="sda1" ino=16646246 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:local_login_tmp_t:s0 tclass=file
type=AVC msg=audit(1338362293.712:210): avc:  denied  { unlink } for  pid=2028 comm="pam_krb5_storet" name="krb5cc_15889_4ZqjBk" dev="sda1" ino=16646246 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:local_login_tmp_t:s0 tclass=file
Comment 2 Daniel Walsh 2012-05-30 09:23:01 EDT
Fixed in selinux-policy-3.10.0-128.el7
Comment 3 Sandro Mathys 2012-05-30 09:38:47 EDT
Dan, that's nice, but I'd prefer a patch for F17 against which this bug is actually filed.
Comment 4 Daniel Walsh 2012-05-30 14:36:11 EDT
The same.  :^)
Fixed in selinux-policy-3.10.0-128.f17.

We are currently sharing the same policy in F17, RHEL7, and F18...
Comment 5 Fedora Update System 2012-05-31 02:28:06 EDT
selinux-policy-3.10.0-128.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-128.fc17
Comment 6 Fedora Update System 2012-06-01 13:10:02 EDT
Package selinux-policy-3.10.0-128.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-128.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-8720/selinux-policy-3.10.0-128.fc17
then log in and leave karma (feedback).
Comment 7 Fedora Update System 2012-06-03 19:32:30 EDT
selinux-policy-3.10.0-128.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.