Description of problem:
Probably due to (recent?) changes in pam_krb5 in F17 (only?), /tmp/krb5cc_$UID_$RANDOM (i.e. $KRB5CCNAME) does now have a context of local_login_tmp_t instead of user_tmp_t. That seems to work for unconfined_t users, but not for user_t/staff_t users.

Version-Release number of selected component (if applicable):
selinux-policy-3.10.0-125.fc17
pam_krb5-2.3.14-1.fc17 (from updates-testing)

How reproducible:
Always

Steps to Reproduce:
1. Set up your system as a Kerberos client
2. Log in as a user that is set up to run with user_t or staff_t
3. Try to run `klist` or `ls $KRB5CCNAME` or `cat $KRB5CCNAME`

Actual results:
Access Denied due to SELinux.

Expected results:
Ticket can be accessed.

Additional info:
Not sure whether this should be fixed in selinux-policy or pam_krb5. The pam_krb5 maintainer commented on the context change in the most recent ticket: https://bugzilla.redhat.com/show_bug.cgi?id=822493#c7
Forgot to post the denials I get here. Once as staff_t, once as user_t. Both times: log in (CIFS home with krb5 auth), klist, ls $KRB5CCNAME, cat $KRB5CCNAME, log out.

type=AVC msg=audit(1338362194.263:176): avc: denied { unlink } for pid=1628 comm="pam_krb5_storet" name="krb5cc_17560_JXd8QO" dev="sda1" ino=16646247 scontext=staff_u:staff_r:staff_t:s0 tcontext=system_u:object_r:local_login_tmp_t:s0 tclass=file
type=AVC msg=audit(1338362195.793:180): avc: denied { read } for pid=1758 comm="klist" name="krb5cc_17560_p2ujF0" dev="sda1" ino=16646246 scontext=staff_u:staff_r:staff_t:s0 tcontext=system_u:object_r:local_login_tmp_t:s0 tclass=file
type=AVC msg=audit(1338362204.784:181): avc: denied { read } for pid=1788 comm="cat" name="krb5cc_17560_p2ujF0" dev="sda1" ino=16646246 scontext=staff_u:staff_r:staff_t:s0 tcontext=system_u:object_r:local_login_tmp_t:s0 tclass=file
type=AVC msg=audit(1338362209.110:182): avc: denied { unlink } for pid=1803 comm="pam_krb5_storet" name="krb5cc_17560_p2ujF0" dev="sda1" ino=16646246 scontext=staff_u:staff_r:staff_t:s0 tcontext=system_u:object_r:local_login_tmp_t:s0 tclass=file
type=AVC msg=audit(1338362270.195:198): avc: denied { unlink } for pid=1839 comm="pam_krb5_storet" name="krb5cc_15889_9H4yga" dev="sda1" ino=16646247 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:local_login_tmp_t:s0 tclass=file
type=AVC msg=audit(1338362278.831:202): avc: denied { read } for pid=1969 comm="klist" name="krb5cc_15889_4ZqjBk" dev="sda1" ino=16646246 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:local_login_tmp_t:s0 tclass=file
type=AVC msg=audit(1338362292.269:208): avc: denied { read } for pid=2011 comm="cat" name="krb5cc_15889_4ZqjBk" dev="sda1" ino=16646246 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:local_login_tmp_t:s0 tclass=file
type=AVC msg=audit(1338362293.712:210): avc: denied { unlink } for pid=2028 comm="pam_krb5_storet" name="krb5cc_15889_4ZqjBk" dev="sda1" ino=16646246 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:local_login_tmp_t:s0 tclass=file
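The denials above all share one shape: a confined user domain (staff_t, user_t) is refused read/unlink on a krb5cc_* file whose type is local_login_tmp_t rather than the user_tmp_t the reporter expects. The following Python script is an added example, not part of this bug report or of selinux-policy/pam_krb5; it parses AVC records of exactly this form, tallies denials per (source type, target type, class, permission), and lists credential caches whose label differs from an expected type. The eight AVC lines embedded in it are quoted from the comment above; the expected type `user_tmp_t` is taken from the bug description, and the function names are the example's own.

```python
import re
from collections import Counter

# The eight AVC records quoted from this bug report (not constructed).
AVC_LOG = """\
type=AVC msg=audit(1338362194.263:176): avc: denied { unlink } for pid=1628 comm="pam_krb5_storet" name="krb5cc_17560_JXd8QO" dev="sda1" ino=16646247 scontext=staff_u:staff_r:staff_t:s0 tcontext=system_u:object_r:local_login_tmp_t:s0 tclass=file
type=AVC msg=audit(1338362195.793:180): avc: denied { read } for pid=1758 comm="klist" name="krb5cc_17560_p2ujF0" dev="sda1" ino=16646246 scontext=staff_u:staff_r:staff_t:s0 tcontext=system_u:object_r:local_login_tmp_t:s0 tclass=file
type=AVC msg=audit(1338362204.784:181): avc: denied { read } for pid=1788 comm="cat" name="krb5cc_17560_p2ujF0" dev="sda1" ino=16646246 scontext=staff_u:staff_r:staff_t:s0 tcontext=system_u:object_r:local_login_tmp_t:s0 tclass=file
type=AVC msg=audit(1338362209.110:182): avc: denied { unlink } for pid=1803 comm="pam_krb5_storet" name="krb5cc_17560_p2ujF0" dev="sda1" ino=16646246 scontext=staff_u:staff_r:staff_t:s0 tcontext=system_u:object_r:local_login_tmp_t:s0 tclass=file
type=AVC msg=audit(1338362270.195:198): avc: denied { unlink } for pid=1839 comm="pam_krb5_storet" name="krb5cc_15889_9H4yga" dev="sda1" ino=16646247 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:local_login_tmp_t:s0 tclass=file
type=AVC msg=audit(1338362278.831:202): avc: denied { read } for pid=1969 comm="klist" name="krb5cc_15889_4ZqjBk" dev="sda1" ino=16646246 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:local_login_tmp_t:s0 tclass=file
type=AVC msg=audit(1338362292.269:208): avc: denied { read } for pid=2011 comm="cat" name="krb5cc_15889_4ZqjBk" dev="sda1" ino=16646246 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:local_login_tmp_t:s0 tclass=file
type=AVC msg=audit(1338362293.712:210): avc: denied { unlink } for pid=2028 comm="pam_krb5_storet" name="krb5cc_15889_4ZqjBk" dev="sda1" ino=16646246 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:local_login_tmp_t:s0 tclass=file
"""

# Header of an AVC record: timestamp:serial, then the permission set in braces.
# Real audit.log files put two spaces after "avc:", the report has one; " +" covers both.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc: +denied +'
    r'\{ (?P<perms>[^}]+)\} for (?P<fields>.*)$'
)
# key=value pairs that follow "for"; values are either quoted or bare tokens.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC denial line into a dict, or return None if it is not one."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    rec['timestamp'] = float(m.group('ts'))
    rec['serial'] = int(m.group('serial'))
    rec['perms'] = m.group('perms').split()
    # Split user:role:type[:level] contexts so the type alone can be compared.
    for side in ('scontext', 'tcontext'):
        parts = rec.get(side, '').split(':')
        rec[side + '_type'] = parts[2] if len(parts) > 2 else None
    return rec


def summarize(log_text):
    """Count denials per (source type, target type, object class, permission)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        for perm in rec['perms']:
            counts[(rec['scontext_type'], rec['tcontext_type'], rec['tclass'], perm)] += 1
    return counts


def mislabeled_ccaches(log_text, expected_type='user_tmp_t'):
    """Return (comm, file name, actual type) for krb5cc_* targets not carrying expected_type.

    expected_type defaults to the label the bug description says the cache should have.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec.get('name', '').startswith('krb5cc_') \
                and rec['tcontext_type'] != expected_type:
            hits.append((rec['comm'], rec['name'], rec['tcontext_type']))
    return hits


if __name__ == '__main__':
    for (src, tgt, cls, perm), n in sorted(summarize(AVC_LOG).items()):
        print(f'{n:3d}  {src:<10} -> {tgt:<20} {cls}:{perm}')
    for comm, name, actual in mislabeled_ccaches(AVC_LOG):
        print(f'{comm}: {name} is {actual}, expected user_tmp_t')
```

Run against a live system with `ausearch -m avc --raw | python3 avc_summary.py` (or by reading `/var/log/audit/audit.log`) after swapping `AVC_LOG` for stdin; the summary shows at a glance whether the remaining denials are the same label mismatch or something new after the policy update.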
Fixed in selinux-policy-3.10.0-128.el7
Dan, that's nice, but I'd prefer a patch for F17 against which this bug is actually filed.
The same. :^) Fixed in selinux-policy-3.10.0-128.f17. We are currently sharing the same policy in F17, RHEL7, and F18...
selinux-policy-3.10.0-128.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-128.fc17
Package selinux-policy-3.10.0-128.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-128.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-8720/selinux-policy-3.10.0-128.fc17
then log in and leave karma (feedback).
selinux-policy-3.10.0-128.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.