Bug 929103 - GDM login with Kerberos account and NFS4 home directory won't work until console login has been made due to SELinux policy
Summary: GDM login with Kerberos account and NFS4 home directory won't work until cons...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 18
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2013-03-29 09:21 UTC by Carl-Johan Schenström
Modified: 2013-04-18 02:50 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-04-18 02:50:29 UTC


Attachments (Terms of Use)

Description Carl-Johan Schenström 2013-03-29 09:21:22 UTC
Description of problem:

Fedora 18 client authenticating against Samba 4 KDC, via SSSD, and automounting home directories over NFS4 with sec=krb5. After booting the client, GDM logins are rejected due to SELinux policy. Switching to text console and logging in resolves the problem.

Version-Release number of selected component (if applicable):

nfs-utils-1.2.7-3.fc18.x86_64
sssd-1.9.4-5.fc18.x86_64
selinux-policy-3.11.1-86.fc18.noarch
selinux-policy-targeted-3.11.1-86.fc18.noarch

How reproducible:

Always?

Steps to Reproduce:
1. Install and configure Kerberos client.
2. Reboot.
3. Try to login.
  
Actual results:

Not allowed to login.

Expected results:

My desktop.

Additional info:

/var/log/messages:

[root@portello log]# grep SELinux messages | tail -n 1
Mar 29 09:15:21 portello setroubleshoot: SELinux is preventing /usr/sbin/rpc.gssd from write access on the directory krb5cc_497cd97092d5c83008b5396a51554d91. For complete SELinux messages. run sealert -l 6f4f209e-12b0-4db2-9a97-9ecb52f9f088

[root@portello log]# sealert -l 6f4f209e-12b0-4db2-9a97-9ecb52f9f088
SELinux is preventing /usr/sbin/rpc.gssd from write access on the directory krb5cc_497cd97092d5c83008b5396a51554d91.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that rpc.gssd should be allowed write access on the krb5cc_497cd97092d5c83008b5396a51554d91 directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep rpc.gssd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:gssd_t:s0
Target Context                system_u:object_r:user_tmp_t:s0
Target Objects                krb5cc_497cd97092d5c83008b5396a51554d91 [ dir ]
Source                        rpc.gssd
Source Path                   /usr/sbin/rpc.gssd
Port                          <Unknown>
Host                          portello.bluebox.pp.se
Source RPM Packages           nfs-utils-1.2.7-3.fc18.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.11.1-86.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     portello.bluebox.pp.se
Platform                      Linux portello.bluebox.pp.se 3.8.4-202.fc18.x86_64
                              #1 SMP Thu Mar 21 17:02:20 UTC 2013 x86_64 x86_64
Alert Count                   14
First Seen                    2013-03-27 16:34:55 CET
Last Seen                     2013-03-29 09:15:19 CET
Local ID                      6f4f209e-12b0-4db2-9a97-9ecb52f9f088

Raw Audit Messages
type=AVC msg=audit(1364544919.917:336): avc:  denied  { write } for  pid=605 comm="rpc.gssd" name="krb5cc_497cd97092d5c83008b5396a51554d91" dev="tmpfs" ino=23576 scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=dir


type=SYSCALL msg=audit(1364544919.917:336): arch=x86_64 syscall=open success=no exit=EACCES a0=7f5977c3e890 a1=c2 a2=180 a3=6093b4fd6 items=0 ppid=1 pid=605 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=rpc.gssd exe=/usr/sbin/rpc.gssd subj=system_u:system_r:gssd_t:s0 key=(null)

Hash: rpc.gssd,gssd_t,user_tmp_t,dir,write

audit2allow

#============= gssd_t ==============
allow gssd_t user_tmp_t:dir write;

audit2allow -R
require {
	type gssd_t;
}

#============= gssd_t ==============
userdom_manage_user_tmp_dirs(gssd_t)

[root@portello log]# sesearch --allow -s gssd_t -c dir -p write
Found 6 semantic av rules:
   allow gssd_t var_lib_nfs_t : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open } ; 
   allow gssd_t krb5_host_rcache_t : dir { ioctl read write getattr lock add_name remove_name search open } ; 
   allow gssd_t gssd_tmp_t : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open } ; 
   allow gssd_t tmp_t : dir { ioctl read write getattr lock add_name remove_name search open } ; 
   allow gssd_t auth_cache_t : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open } ; 
   allow daemon root_t : dir { ioctl read write getattr lock add_name remove_name search open } ;

Comment 1 Steve Dickson 2013-04-01 14:05:55 UTC
reassigning to selinux-policy

Comment 2 Daniel Walsh 2013-04-01 14:24:11 UTC
9f4ec9f473e7dced9a702add780fa2bfa51bf84d fixes this in git.

Comment 3 Miroslav Grepl 2013-04-02 10:37:39 UTC
Back ported.

Comment 4 Fedora Update System 2013-04-15 11:10:58 UTC
selinux-policy-3.11.1-90.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-90.fc18

Comment 5 Fedora Update System 2013-04-16 00:06:26 UTC
Package selinux-policy-3.11.1-90.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-90.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-5742/selinux-policy-3.11.1-90.fc18
then log in and leave karma (feedback).

Comment 6 Fedora Update System 2013-04-18 02:50:31 UTC
selinux-policy-3.11.1-90.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.