Bug 951659 - selinux-policy-targeted-3.11.1-87.fc18 blocks winbindd from unlink/write to /var/tmp/host_0
Summary: selinux-policy-targeted-3.11.1-87.fc18 blocks winbindd from unlink/write to /...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 18
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2013-04-12 17:51 UTC by Jonathan Abbey
Modified: 2013-04-18 02:53 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-04-18 02:53:50 UTC


Attachments (Terms of Use)

Description Jonathan Abbey 2013-04-12 17:51:51 UTC
Description of problem:

Running winbind on Fedora 18.

After updating selinux-policy-targeted, winbind daemons can no longer unlink/write to /var/tmp/host_0 with label 

system_u:object_r:krb5_host_rcache_t:s0

Version-Release number of selected component (if applicable):

selinux-policy-targeted-3.11.1-87.fc18.noarch

How reproducible:

Attempt to ssh to system using winbind PAM module for logins after selinux-policy-targeted is updated to 3.11.1-87.fc18.noarch

Steps to Reproduce:
1. yum update selinux-policy selinux-policy-targeted
2. ssh to system
  
Actual results:

Login fails, messages appear in /var/log/audit.log:
type=AVC msg=audit(1365785661.223:72016): avc:  denied  { write } for  pid=22603 comm="winbindd" name="host_0" dev="dm-1" ino=920593 scontext=system_u:system_r:winbind_t:s0 tcontext=system_u:object_r:krb5_host_rcache_t:s0 tclass=file
type=AVC msg=audit(1365785661.223:72017): avc:  denied  { unlink } for  pid=22603 comm="winbindd" name="host_0" dev="dm-1" ino=920593 scontext=system_u:system_r:winbind_t:s0 tcontext=system_u:object_r:krb5_host_rcache_t:s0 tclass=file
type=AVC msg=audit(1365785662.923:72018): avc:  denied  { write } for  pid=22603 comm="winbindd" name="host_0" dev="dm-1" ino=920593 scontext=system_u:system_r:winbind_t:s0 tcontext=system_u:object_r:krb5_host_rcache_t:s0 tclass=file


Expected results:

Successful login, no AVC deny messages in /var/log/audit.log.

Additional info:

I updated the selinux-policy and selinux-policy-targeted RPMs on two Fedora 18 systems that should be essentially identical in configuration, both using winbind to an Active Directory controller for PAM.

On one of the systems, /var/tmp/host_0 got relabeled (by the selinux-policy-targeted update?) to type krb5_host_rcache_t, whereupon logins started failing.

On the other system, /var/tmp/host_0 kept the type label 'user_tmp_t', and logins kept working.

I fixed the problem on the broken system by doing 'chcon -t user_tmp_t /var/tmp/host_0', but running 'restorecon -v -n /var/tmp/host_0' on each system shows that both systems think that 'krb5_host_rcache_t' is the proper type label for the file.

I haven't tried relabeling and rebooting either system, so I don't know if this problem would resolve with the new policy after a reboot, but I tried doing a 'systemctl restart winbind' several times on the affected system, and logins did not resume functioning until I manually relabeled /var/tmp/host_0 to user_tmp_t.

Running sealert on the error recorded in /var/log/messages gave the following:

SELinux is preventing /usr/sbin/winbindd (deleted) from write access on the file host_0.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that winbindd (deleted) should be allowed write access on the host_0 file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep winbindd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:winbind_t:s0
Target Context                system_u:object_r:krb5_host_rcache_t:s0
Target Objects                host_0 [ file ]
Source                        winbindd
Source Path                   /usr/sbin/winbindd (deleted)
Port                          <Unknown>
Host                          xportal2.arlut.utexas.edu
Source RPM Packages           samba-winbind-4.0.4-3.fc18.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.11.1-87.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     xportal2.arlut.utexas.edu
Platform                      Linux xportal2.arlut.utexas.edu
                              3.8.3-203.fc18.x86_64 #1 SMP Mon Mar 18 12:59:28
                              UTC 2013 x86_64 x86_64
Alert Count                   79
First Seen                    2013-04-12 10:13:41 CDT
Last Seen                     2013-04-12 11:54:37 CDT
Local ID                      5271b3fd-bec9-46ac-a988-a6a894e42719

Raw Audit Messages
type=AVC msg=audit(1365785677.314:72031): avc:  denied  { write } for  pid=25014 comm="winbindd" name="host_0" dev="dm-1" ino=920593 scontext=system_u:system_r:winbind_t:s0 tcontext=system_u:object_r:krb5_host_rcache_t:s0 tclass=file


type=SYSCALL msg=audit(1365785677.314:72031): arch=x86_64 syscall=open success=no exit=EACCES a0=23de060 a1=2 a2=180 a3=10 items=0 ppid=25013 pid=25014 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=winbindd exe=/usr/sbin/winbindd subj=system_u:system_r:winbind_t:s0 key=(null)

Hash: winbindd,winbind_t,krb5_host_rcache_t,file,write

audit2allow

#============= winbind_t ==============
allow winbind_t krb5_host_rcache_t:file write;

audit2allow -R
require {
        type winbind_t;
}

#============= winbind_t ==============
kerberos_filetrans_named_content(winbind_t)

Comment 1 Daniel Walsh 2013-04-12 18:35:09 UTC
524e73638aee5f5e8e29d126bc4b2d99d190cc3f fixes this in Git.

Comment 2 Jonathan Abbey 2013-04-12 19:08:24 UTC
Thanks. I should say that the system that stayed working may have had its /var/tmp/host_0 file labelled differently before I did the updates.. I don't know for sure that the updates relabeled that file on the system that broke.

Comment 3 Daniel Walsh 2013-04-12 19:10:06 UTC
I am surprised we did not already allow this.

Comment 4 Jonathan Abbey 2013-04-12 19:13:09 UTC
Yeah. I checked the srpm for this selinux-policy build, but I didn't see anything in the changelog that mentioned this changing recently, and I didn't know where I could find revision control for it to look for myself.

Comment 5 Daniel Walsh 2013-04-12 19:28:35 UTC
Well it is more about correcting the labelling and it looks like you were lucky enough to not have /var/tmp relabeled.

Comment 6 Jonathan Abbey 2013-04-12 20:01:12 UTC
So /var/tmp/host_0 is meant to retain the user_tmp_t labeling?  I was thinking winbind_t was just lacking the appropriate permission to unlink/write krb5_host_rcache_t..

Comment 7 Daniel Walsh 2013-04-12 20:33:28 UTC
No winbind_t was just lacking the appropriate permission to unlink/write krb5_host_rcache_t..  Which is now fixed in git, and hopefully Miroslav will be sending out the fix in the next update.
It should be labeled as kerberos content.

Comment 8 Fedora Update System 2013-04-15 11:12:58 UTC
selinux-policy-3.11.1-90.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-90.fc18

Comment 9 Fedora Update System 2013-04-16 00:08:30 UTC
Package selinux-policy-3.11.1-90.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-90.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-5742/selinux-policy-3.11.1-90.fc18
then log in and leave karma (feedback).

Comment 10 Fedora Update System 2013-04-18 02:53:52 UTC
selinux-policy-3.11.1-90.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.