RHEL-119660

Kerberos5 files ".{k5login,k5users,k5identity}" are not getting proper label for "mysql" user


    • Type: Bug
    • Resolution: Unresolved
    • rhel-9.6, rhel-10.0
    • mysql-selinux
    • Low
    • Customer Facing, Customer Reported
    • rhel-databases
    • _DB-Refined_

      What were you trying to do that didn't work?

      As per the policy, <HOMEDIR>/.k5login and similar files have to get the label krb5_home_t:

      # semanage fcontext -l | grep k5login
      /home/[^/]+/\.k5login                              regular file       unconfined_u:object_r:krb5_home_t:s0 
      /home/staff/\.k5login                              regular file       staff_u:object_r:krb5_home_t:s0 
      /home/sysadm/\.k5login                             regular file       sysadm_u:object_r:krb5_home_t:s0 
      /root/\.k5login                                    regular file       system_u:object_r:krb5_home_t:s0 
      

      For the mysql user, which is special since its home directory is /var/lib/mysql and that directory is labeled mysqld_db_t, the files do not get the proper label but inherit the label of the home directory:

      # matchpathcon /var/lib/mysql/.k5login
      /var/lib/mysql/.k5login	system_u:object_r:mysqld_db_t:s0
      

      This breaks Kerberos usage for the pgsql user.

      Please add the necessary fcontext and rules in the policy:

      # semanage fcontext -a -t krb5_home_t /var/lib/mysql/\.k5login
      # semanage fcontext -a -t krb5_home_t /var/lib/mysql/\.k5users
      # semanage fcontext -a -t krb5_home_t /var/lib/mysql/\.k5identity
      
      # cat mysqlhomedir_krb5.te
      [...]
      filetrans_pattern(named_filetrans_domain, mysqld_db_t, krb5_home_t, file, ".k5login")
      filetrans_pattern(named_filetrans_domain, mysqld_db_t, krb5_home_t, file, ".k5users")
      filetrans_pattern(named_filetrans_domain, mysqld_db_t, krb5_home_t, file, ".k5identity")
      

      What is the impact of this issue to you?

      Breaks Kerberos when /var/lib/mysql gets relabeled.
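
A small check for the relabel impact described above, added here as an example and not part of the bug report: it parses matchpathcon-style "path<TAB>context" lines, compares the SELinux type of each Kerberos dot-file under /var/lib/mysql with the expected krb5_home_t, and reports mismatches. The sample lines are constructed to mirror the report; on a real host the live matchpathcon output is used when the tool is available.

```shell
#!/bin/sh
# Added example (not from the report): verify that the Kerberos dot-files under
# the mysql home directory resolve to krb5_home_t rather than mysqld_db_t.

EXPECTED_TYPE=krb5_home_t
MYSQL_HOME=/var/lib/mysql          # assumption: default mysql home from the report
KRB5_FILES=".k5login .k5users .k5identity"

# Third colon-separated field of the context in a "path<TAB>user:role:type:level" line.
context_type() {
    printf '%s\n' "$1" | cut -f2 | cut -d: -f3
}

# Read matchpathcon-style lines from $1; print each mismatch; return 1 if any.
check_labels() {
    rc=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        path=$(printf '%s\n' "$line" | cut -f1)
        type=$(context_type "$line")
        if [ "$type" != "$EXPECTED_TYPE" ]; then
            printf 'MISMATCH %s is %s, expected %s\n' "$path" "$type" "$EXPECTED_TYPE"
            rc=1
        fi
    done <<EOF
$1
EOF
    return $rc
}

# Constructed samples: labels before the fix (inherited from the directory) and after it.
SAMPLE_BEFORE=$(printf '%s/.k5login\tsystem_u:object_r:mysqld_db_t:s0\n%s/.k5users\tsystem_u:object_r:mysqld_db_t:s0\n' "$MYSQL_HOME" "$MYSQL_HOME")
SAMPLE_AFTER=$(printf '%s/.k5login\tsystem_u:object_r:krb5_home_t:s0\n%s/.k5users\tsystem_u:object_r:krb5_home_t:s0\n%s/.k5identity\tsystem_u:object_r:krb5_home_t:s0\n' "$MYSQL_HOME" "$MYSQL_HOME" "$MYSQL_HOME")

# Use live matchpathcon output when the tool exists, otherwise the constructed sample.
if command -v matchpathcon >/dev/null 2>&1; then
    live=$(for f in $KRB5_FILES; do matchpathcon "$MYSQL_HOME/$f"; done)
    check_labels "$live" || echo "Kerberos files under $MYSQL_HOME would get the wrong label on relabel"
else
    check_labels "$SAMPLE_BEFORE" || echo "(sample) mismatches found, as in the report"
fi
```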

      Please provide the package NVR for which the bug is seen:

      All OS releases.

      Pavol Sloboda
      Renaud Métrich
      Michal Schorm
      Vaclav Danek