- Bug
- Resolution: Unresolved
- Normal
- rhel-9.6, rhel-10.0
- selinux-policy-38.1.68-1.el9
- No
- Low
- 1
- rhel-security-selinux
- 14
- 1
- QE ack
- False
- False
- No
- SELINUX 251119: 15
- Pass
- Automated
- Release Note Not Required
- Unspecified
- Unspecified
- Unspecified
- None
What were you trying to do that didn't work?

As per policy, <HOMEDIR>/.k5login and similar files have to get the label krb5_home_t:

    # semanage fcontext -l | grep k5login
    /home/[^/]+/\.k5login    regular file    unconfined_u:object_r:krb5_home_t:s0
    /home/staff/\.k5login    regular file    staff_u:object_r:krb5_home_t:s0
    /home/sysadm/\.k5login   regular file    sysadm_u:object_r:krb5_home_t:s0
    /root/\.k5login          regular file    system_u:object_r:krb5_home_t:s0

For the pgsql user, which is special since it has the home directory /var/lib/pgsql and that directory is labeled postgresql_db_t, the files do not get the proper label but inherit the label of the home directory:

    # matchpathcon /var/lib/pgsql/.k5login
    /var/lib/pgsql/.k5login    system_u:object_r:postgresql_db_t:s0

This breaks Kerberos usage for the pgsql user.

Please add the necessary fcontext and rules in the policy:

    # semanage fcontext -a -t krb5_home_t /var/lib/pgsql/\.k5login
    # semanage fcontext -a -t krb5_home_t /var/lib/pgsql/\.k5users
    # semanage fcontext -a -t krb5_home_t /var/lib/pgsql/\.k5identity

    # cat pgsqlhomedir_krb5.te
    [...]
    filetrans_pattern(named_filetrans_domain, postgresql_db_t, krb5_home_t, file, ".k5login")
    filetrans_pattern(named_filetrans_domain, postgresql_db_t, krb5_home_t, file, ".k5users")
    filetrans_pattern(named_filetrans_domain, postgresql_db_t, krb5_home_t, file, ".k5identity")

What is the impact of this issue to you?

Breaks Kerberos when /var/lib/pgsql gets relabeled.

Please provide the package NVR for which the bug is seen:

All OS releases.
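The report asks for two separate things: an fcontext entry (so a relabel of /var/lib/pgsql assigns krb5_home_t) and a named file transition (so a file created in the postgresql_db_t directory gets krb5_home_t at creation time). The following Python model, added here as an illustration and not taken from the report or from selinux-policy, shows why both are needed. The file_contexts subset, the "latest matching entry wins" ordering, the rule tuple format and the function names are constructed assumptions; on a real system matchpathcon(8) and libselinux do the lookup and the kernel applies the type_transition rules.

```python
import re

# Constructed subset of an SELinux file_contexts database as (regex, context)
# pairs. The /home and /root entries mirror the `semanage fcontext -l` output
# quoted in the report; the /var/lib/pgsql entry is the generic one that makes
# .k5login inherit postgresql_db_t. Not a dump of a real policy.
BASE_FCONTEXTS = [
    (r"/.*", "system_u:object_r:default_t:s0"),
    (r"/var/lib/pgsql(/.*)?", "system_u:object_r:postgresql_db_t:s0"),
    (r"/home/[^/]+/\.k5login", "unconfined_u:object_r:krb5_home_t:s0"),
    (r"/root/\.k5login", "system_u:object_r:krb5_home_t:s0"),
]

KRB5_FILES = [".k5login", ".k5users", ".k5identity"]


def add_fcontext(db, regex, setype, seuser="system_u"):
    """Toy equivalent of `semanage fcontext -a -t SETYPE REGEX`.

    Local customisations are appended after the base entries. Assumption of
    this model: the latest matching entry wins. libselinux's real ordering is
    more involved, so this shows the effect of the fix, not the algorithm.
    """
    return db + [(regex, f"{seuser}:object_r:{setype}:s0")]


def fixed_fcontexts():
    """Apply the three `semanage fcontext -a` commands from the report."""
    db = BASE_FCONTEXTS
    for name in KRB5_FILES:
        db = add_fcontext(db, r"/var/lib/pgsql/\." + name[1:], "krb5_home_t")
    return db


def matchpathcon(db, path):
    """Return the context the database assigns to PATH (toy matchpathcon)."""
    winner = None
    for regex, ctx in db:
        if re.fullmatch(regex, path):
            winner = ctx
    return winner


def setype_of(ctx):
    """Extract the type field from user:role:type:level."""
    return ctx.split(":")[2]


# Named file-transition rules as (domain, directory type, new type, filename),
# one per filetrans_pattern(...) call in the report's .te snippet.
REPORT_FILETRANS = [
    ("named_filetrans_domain", "postgresql_db_t", "krb5_home_t", name)
    for name in KRB5_FILES
]


def create_file_type(domain, parent_type, name, filetrans_rules):
    """Type a newly created file receives.

    Without a matching type_transition rule SELinux labels a new file with its
    parent directory's type; a named rule overrides that for one filename.
    """
    for rule_domain, rule_dir, new_type, rule_name in filetrans_rules:
        if (rule_domain, rule_dir, rule_name) == (domain, parent_type, name):
            return new_type
    return parent_type


def demo():
    """Before/after view of both halves of the fix for the pgsql home dir."""
    path = "/var/lib/pgsql/.k5login"
    return {
        "relabel_before": setype_of(matchpathcon(BASE_FCONTEXTS, path)),
        "relabel_after": setype_of(matchpathcon(fixed_fcontexts(), path)),
        "create_before": create_file_type(
            "named_filetrans_domain", "postgresql_db_t", ".k5login", []),
        "create_after": create_file_type(
            "named_filetrans_domain", "postgresql_db_t", ".k5login",
            REPORT_FILETRANS),
        # Ordinary database files must keep postgresql_db_t under both fixes.
        "other_file_relabel": setype_of(
            matchpathcon(fixed_fcontexts(), "/var/lib/pgsql/data/base/1")),
        "other_file_create": create_file_type(
            "named_filetrans_domain", "postgresql_db_t", "postmaster.pid",
            REPORT_FILETRANS),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:20s} {value}")
```

The two mechanisms cover different events: the fcontext entry only matters when `restorecon`/`relabel` runs (the "Breaks Kerberos when /var/lib/pgsql gets relabeled" impact), while the filetrans_pattern rules matter when the file is first written; a policy that ships only one of them leaves the other path still producing postgresql_db_t.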
- clones: RHEL-119619 Kerberos5 files ".{k5login,k5users,k5identity}" are not getting proper label for "pgsql" user (Release Pending)
- relates to: RHEL-119660 Kerberos5 files ".{k5login,k5users,k5identity}" are not getting proper label for "mysql" user (In Progress)
- links to: RHBA-2025:155428 selinux-policy update