Bug 856880 - policy needs to allow pam_krb5 to create /run/user/$UID from inside of a login process
policy needs to allow pam_krb5 to create /run/user/$UID from inside of a logi...
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
18
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Miroslav Grepl
Fedora Extras Quality Assurance
:
Depends On:
Blocks: 833026
  Show dependency treegraph
 
Reported: 2012-09-12 23:11 EDT by Nalin Dahyabhai
Modified: 2012-12-20 10:41 EST (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-12-20 10:41:36 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Nalin Dahyabhai 2012-09-12 23:11:38 EDT
In order to satisfy http://fedoraproject.org/wiki/Features/KRB5CacheMove, as noted in bug #833026, I had to teach pam_krb5 to create /run/user/$UID, when needed, before pam_systemd is called and can tell systemd to do it.  Currently, the additional permissions needed appear to be:

time->Wed Sep 12 21:45:38 2012
type=SYSCALL msg=audit(1347500738.908:120): arch=c000003e syscall=83 success=no exit=-13 a0=7fff5f6f16e0 a1=1c0 a2=9d4 a3=65726373662f7274 items=0 ppid=1 pid=15374 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty2 ses=4294967295 comm="login" exe="/usr/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1347500738.908:120): avc:  denied  { create } for  pid=15374 comm="login" name="2510" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_tmp_t:s0 tclass=dir
----
time->Wed Sep 12 21:59:25 2012
type=SYSCALL msg=audit(1347501565.625:134): arch=c000003e syscall=92 success=no exit=-13 a0=7fff009f5640 a1=9ce a2=9d4 a3=65726373662f7274 items=0 ppid=1 pid=15389 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty2 ses=4294967295 comm="login" exe="/usr/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1347501565.625:134): avc:  denied  { setattr } for  pid=15389 comm="login" name="2510" dev="tmpfs" ino=35715 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_tmp_t:s0 tclass=dir

Apparently these are enabled by the polyinstantiation_enabled boolean, but it looks like we're going to need them even when it isn't enabled.
Comment 1 Nalin Dahyabhai 2012-09-12 23:12:42 EDT
Please note that this is login, but I expect that similar access will need to be granted to the various graphical desktop managers, sshd, and such.
Comment 2 Miroslav Grepl 2012-09-14 03:12:45 EDT
Yes, basically we allow manage user tmp files without the boolean. So I added the following fix

--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -206,6 +206,7 @@ interface(`auth_login_pgm_domain',`
        userdom_delete_user_tmp_files($1)
        userdom_search_admin_dir($1)
        userdom_stream_connect($1)
+       userdom_manage_user_tmp_dirs($1)
        userdom_manage_user_tmp_files($1)


The change will affect the following domains

# seinfo -xapolydomain
   polydomain
      xdm_t
      local_login_t
      rshd_t
      sshd_t
      remote_login_t
      rlogind_t
Comment 3 Fedora Update System 2012-09-17 09:01:18 EDT
selinux-policy-3.11.1-21.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-21.fc18
Comment 4 Fedora Update System 2012-09-17 16:38:27 EDT
Package selinux-policy-3.11.1-21.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-21.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-14225/selinux-policy-3.11.1-21.fc18
then log in and leave karma (feedback).
Comment 5 Fedora Update System 2012-09-26 00:51:52 EDT
selinux-policy-3.11.1-25.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-25.fc18
Comment 6 Fedora Update System 2012-12-20 10:41:44 EST
selinux-policy-3.11.1-21.fc18 has been pushed to the Fedora 18 obsolete repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.