Bug 828934 - applications using PAM need to be able to create user_tmp_t files
Summary: applications using PAM need to be able to create user_tmp_t files
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2012-06-05 15:13 UTC by Nalin Dahyabhai
Modified: 2012-06-22 10:16 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-06-22 10:16:06 UTC
Type: Bug
Embargoed:

Attachments (Terms of Use)

Description Nalin Dahyabhai 2012-06-05 15:13:39 UTC 
Description of problem:
https://fedoraproject.org/wiki/Features/KRB5DirCache is going to require pam_krb5 to start creating its credential caches in user_tmp_t locations (usually /run/user/$USER) rather than the current default of tmp_t (/tmp).

Version-Release number of selected component (if applicable):
selinux-policy-3.10.0-128
pam_krb5-2.3.14-1.fc18

How reproducible:
Always

Steps to Reproduce:
1. Update to Raw Hide pam_krb5, or set "ccname_template = FILE:/run/user/%u/krb5cc_XXXXXX" in the "pam" subsection of the [appdefaults] section in /etc/krb5.conf.
2. Try to log in via console login or gdm.

Actual results:
If login succeeds, $KRB5CCNAME will be set wrong, and you'll see these denials in your log:

time->Tue Jun  5 10:32:02 2012
type=PATH msg=audit(1338906722.165:1886): item=1 name="/run/user/nalin/krb5cc_4DEcq3" inode=421181 dev=00:10 mode=0100600 ouid=2510 ogid=2516 rdev=00:00 obj=system_u:object_r:user_tmp_t:s0-s0:c0.c1023
type=PATH msg=audit(1338906722.165:1886): item=0 name="/run/user/nalin/" inode=24368 dev=00:10 mode=040700 ouid=2510 ogid=2516 rdev=00:00 obj=system_u:object_r:user_tmp_t:s0
type=CWD msg=audit(1338906722.165:1886):  cwd="/"
type=SYSCALL msg=audit(1338906722.165:1886): arch=c000003e syscall=2 success=yes exit=4 a0=1795270 a1=2c2 a2=180 a3=6165726373662f72 items=2 ppid=9700 pid=9701 auid=4294967295 uid=2510 gid=2516 euid=2510 suid=2510 fsuid=2510 egid=2516 sgid=2516 fsgid=2516 tty=tty4 ses=4294967295 comm="login" exe="/usr/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1338906722.165:1886): avc:  denied  { create } for  pid=9701 comm="login" name="krb5cc_4DEcq3" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_tmp_t:s0-s0:c0.c1023 tclass=file

time->Tue Jun  5 10:49:17 2012
type=PATH msg=audit(1338907757.230:586): item=0 name="/run/user/nalin/krb5cc_4C9aVb" inode=27491 dev=00:10 mode=040700 ouid=2510 ogid=2516 rdev=00:00 obj=system_u:object_r:user_tmp_t:s0
type=CWD msg=audit(1338907757.230:586):  cwd="/var/gdm"
type=SYSCALL msg=audit(1338907757.230:586): arch=c000003e syscall=2 success=no exit=-13 a0=15923a0 a1=2c2 a2=180 a3=6165726373662f72 items=1 ppid=1507 pid=1867 auid=2510 uid=0 gid=2516 euid=0 suid=0 fsuid=0 egid=2516 sgid=2516 fsgid=2516 tty=(none) ses=2 comm="gdm-session-wor" exe="/usr/libexec/gdm-session-worker" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1338907757.230:586): avc:  denied  { create } for  pid=1867 comm="gdm-session-wor" name="krb5cc_4C9aVb" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_tmp_t:s0-s0:c0.c1023 tclass=file



Expected results:
Login succeeds, $KRB5CCNAME points to a "FILE" or "DIR"-type ccache under $XDG_RUNTIME_DIR, and running "klist" shows that your credentials are correctly stored there.

Additional info:
The "allow_kerberos" boolean is enabled.
Comment 1 Miroslav Grepl 2012-06-22 10:16:06 UTC 
Should be fixed in the latest policy.
Note You need to log in before you can comment on or make changes to this bug.