Bug 229916 - klogin, ktelnet and gssftp not working with selinux enforcing
Summary: klogin, ktelnet and gssftp not working with selinux enforcing
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 6
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2007-02-24 09:40 UTC by Tomasz Kepczynski
Modified: 2007-11-30 22:11 UTC (History)

Fixed In Version: Current
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-09-12 17:08:14 UTC



Description Tomasz Kepczynski 2007-02-24 09:40:23 UTC
Description of problem:
Kerberized telnet, rlogin and ftp are prevented from working
by selinux (setting enforcing to permissive fixes the problem).

Version-Release number of selected component (if applicable):
krb5-workstation-1.5-13.x86_64
selinux-policy-targeted-2.4.6-40.fc6.noarch

How reproducible:
Always

Steps to Reproduce:
Just try kerberized rlogin, telnet or ftp to FC6 box with the above
updates installed.

Actual results:
Cannot login

Expected results:
Can login

Additional info:

ausearch -c ftpd (obviously it cannot read the keytab)
----
time->Sat Feb 24 10:29:35 2007
type=SYSCALL msg=audit(1172309375.051:143): arch=c000003e syscall=2 success=no
exit=-13 a0=5555557777d0 a1=0 a2=1b6 a3=0 items=0 ppid=3285 pid=5281
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) comm="ftpd" exe="/usr/kerberos/sbin/ftpd"
subj=system_u:system_r:ftpd_t:s0 key=(null)
type=AVC msg=audit(1172309375.051:143): avc:  denied  { read } for  pid=5281
comm="ftpd" name="krb5.keytab" dev=dm-4 ino=361243
scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0
tclass=file
----
time->Sat Feb 24 10:29:35 2007
type=SYSCALL msg=audit(1172309375.055:144): arch=c000003e syscall=2 success=no
exit=-13 a0=555555775fe0 a1=0 a2=1b6 a3=0 items=0 ppid=3285 pid=5281
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) comm="ftpd" exe="/usr/kerberos/sbin/ftpd"
subj=system_u:system_r:ftpd_t:s0 key=(null)
type=AVC msg=audit(1172309375.055:144): avc:  denied  { read } for  pid=5281
comm="ftpd" name="krb5.keytab" dev=dm-4 ino=361243
scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0
tclass=file

ausearch -c telnetd
----
time->Sat Feb 24 10:28:40 2007
type=AVC_PATH msg=audit(1172309320.963:141):  path="/var/tmp/host_0"
type=SYSCALL msg=audit(1172309320.963:141): arch=c000003e syscall=4 success=no
exit=-13 a0=55555579e460 a1=7fff4f59e0c0 a2=7fff4f59e0c0 a3=0 items=0 ppid=3285
pid=5222 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) comm="telnetd" exe="/usr/kerberos/sbin/telnetd"
subj=system_u:system_r:telnetd_t:s0 key=(null)
type=AVC msg=audit(1172309320.963:141): avc:  denied  { getattr } for  pid=5222
comm="telnetd" name="host_0" dev=dm-4 ino=393628
scontext=system_u:system_r:telnetd_t:s0 tcontext=system_u:object_r:tmp_t:s0
tclass=file
----
time->Sat Feb 24 10:28:40 2007
type=AVC_PATH msg=audit(1172309320.971:142):  path="/var/tmp/host_0"
type=SYSCALL msg=audit(1172309320.971:142): arch=c000003e syscall=4 success=no
exit=-13 a0=55555579e560 a1=7fff4f59e0c0 a2=7fff4f59e0c0 a3=3 items=0 ppid=3285
pid=5222 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) comm="telnetd" exe="/usr/kerberos/sbin/telnetd"
subj=system_u:system_r:telnetd_t:s0 key=(null)
type=AVC msg=audit(1172309320.971:142): avc:  denied  { getattr } for  pid=5222
comm="telnetd" name="host_0" dev=dm-4 ino=393628
scontext=system_u:system_r:telnetd_t:s0 tcontext=system_u:object_r:tmp_t:s0
tclass=file

ausearch -c klogind
----
time->Sat Feb 24 10:27:52 2007
type=AVC_PATH msg=audit(1172309272.545:139):  path="/var/tmp/host_0"
type=SYSCALL msg=audit(1172309272.545:139): arch=c000003e syscall=4 success=no
exit=-13 a0=55555576e4d0 a1=7fff90cf9bc0 a2=7fff90cf9bc0 a3=0 items=0 ppid=3285
pid=5211 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) comm="klogind" exe="/usr/kerberos/sbin/klogind"
subj=system_u:system_r:rlogind_t:s0 key=(null)
type=AVC msg=audit(1172309272.545:139): avc:  denied  { getattr } for  pid=5211
comm="klogind" name="host_0" dev=dm-4 ino=393628
scontext=system_u:system_r:rlogind_t:s0 tcontext=system_u:object_r:tmp_t:s0
tclass=file
----
time->Sat Feb 24 10:27:52 2007
type=AVC_PATH msg=audit(1172309272.589:140):  path="/var/tmp/host_0"
type=SYSCALL msg=audit(1172309272.589:140): arch=c000003e syscall=4 success=no
exit=-13 a0=55555576e4d0 a1=7fffc64a2370 a2=7fffc64a2370 a3=0 items=0 ppid=3285
pid=5212 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) comm="klogind" exe="/usr/kerberos/sbin/klogind"
subj=system_u:system_r:rlogind_t:s0 key=(null)
type=AVC msg=audit(1172309272.589:140): avc:  denied  { getattr } for  pid=5212
comm="klogind" name="host_0" dev=dm-4 ino=393628
scontext=system_u:system_r:rlogind_t:s0 tcontext=system_u:object_r:tmp_t:s0
tclass=file

Comment 1 Daniel Walsh 2007-02-26 15:26:05 UTC
I have added policy to allow these daemons to read the keytab, but why are they
trying to read path="/var/tmp/host_0"?  Is this normal behavior or is this local
customization?

Comment 2 Tomasz Kepczynski 2007-02-27 05:46:06 UTC
I have no idea. Packages are as provided in repositories and
configuration is pretty standard (maybe with the exception
that I use DNS to provide realm and KDC).
Maybe the person responsible for these packages can help?

Comment 3 Tomasz Kepczynski 2007-02-27 06:03:55 UTC
From configure:

echo "$as_me:$LINENO: checking for replay cache directory" >&5
echo $ECHO_N "checking for replay cache directory... $ECHO_C" >&6
if test "${krb5_cv_sys_rcdir+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
else

for t_dir in /var/tmp /usr/tmp /var/usr/tmp /tmp ; do
        test -d $t_dir || continue
        krb5_cv_sys_rcdir=$t_dir
        break
done
fi
echo "$as_me:$LINENO: result: $krb5_cv_sys_rcdir" >&5
echo "${ECHO_T}$krb5_cv_sys_rcdir" >&6
KRB5_RCTMPDIR=$krb5_cv_sys_rcdir

It looks like it needs the whole directory for something...

Comment 4 Daniel Walsh 2007-03-20 16:17:15 UTC
Fixed in selinux-policy-2.4.6-46

Comment 5 Daniel Walsh 2007-09-12 17:08:14 UTC
Moving modified bugs to closed
