07-01-2008, 11:37 PM
Robert Story

kerberos server + enforcing mode?

Hi,

I'm trying to set up a kerberos KDC on a clean up-to-date F9 box in
enforcing mode. I'm following an online tutorial, and I get to the
point where I'm trying to set the default policy, and the command fails
with "modify_principal: Insufficient access to lock database". Some
googling turned up 2 suggestions: switching to permissive mode, or
stopping kadmin and restarting it manually, instead of using the
service command. Both of those solutions worked. Is there some policy
piece missing?

Also, I get an error when starting krb5kdc:

Starting Kerberos 5 KDC: Couldn't open log file /var/log/krb5kdc.log: Permission denied

The accompanying avc is:

Jul 1 18:04:55 tib kernel: type=1400 audit(1214949895.536:4): avc: denied { create } for pid=1839 comm="krb5kdc" name="krb5kdc.log" scontext=unconfined_u:system_r:krb5kdc_t:s0 tcontext=system_u:object_r:krb5kdc_log_t:s0 tclass=file

kadmind starts fine, and kadmind.log is created without a problem...

--
Robert Story
SPARTA
--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
07-03-2008, 06:56 PM
Daniel J Walsh

kerberos server + enforcing mode?

Robert Story wrote:
> Hi,
>
> I'm trying to set up a kerberos KDC on a clean up-to-date F9 box in
> enforcing mode. I'm following an online tutorial, and I get to the
> point where I'm trying to set the default policy, and the command fails
> with "modify_principal: Insufficient access to lock database". Some
> googling turned up 2 suggestions: switching to permissive mode, or
> stopping kadmin and restarting it manually, instead of using the
> service command. Both of those solutions worked. Is there some policy
> piece missing?
>
> Also, I get an error when starting krb5kdc:
>
> Starting Kerberos 5 KDC: Couldn't open log file /var/log/krb5kdc.log: Permission denied
>
> The accompanying avc is:
>
> Jul 1 18:04:55 tib kernel: type=1400 audit(1214949895.536:4): avc: denied { create } for pid=1839 comm="krb5kdc" name="krb5kdc.log" scontext=unconfined_u:system_r:krb5kdc_t:s0 tcontext=system_u:object_r:krb5kdc_log_t:s0 tclass=file
>
> kadmind starts fine, and kadmind.log is created without a problem...
Seems you stumbled upon a strange avc.

If you type

# touch /var/log/krb5kdc.log
# restorecon /var/log/krb5kdc.log

Then start the service, does it work?

If I run your avc through audit2why

# audit2allow -w -i /tmp/t
Jul 1 18:04:55 tib kernel: type=1400 audit(1214949895.536:4): avc:
denied { create } for pid=1839 comm="krb5kdc" name="krb5kdc.log"
scontext=unconfined_u:system_r:krb5kdc_t:s0
tcontext=system_u:object_r:krb5kdc_log_t:s0 tclass=file

Was caused by:
Policy constraint violation.

May require adding a type attribute to the domain or type to satisfy
the constraint.

Constraints are defined in the policy sources in policy/constraints
(general), policy/mcs (MCS), and policy/mls (MLS).


It tells me you have a constraint violation. Looking further at the
context, I see that the krbkdc is running as

unconfined_u:system_r:krb5kdc_t

And trying to create

system_u:system_r:krbkdc_log_t

I notice the user parts are different, and I realize the Kerberos has
SELinux knowledge in it. So the kerberos libraries are trying to set
the file context directly to match what the system says it should be,
but SELinux policy does not allow krbkdc_t to create files owned by a
different SELinux user (system_u).

This is a long way of saying I need to update the policy to allow
krbkdc_t to create the file.

Fixed in selinux-policy-3.3.1-76.fc9.noarch
 
07-09-2008, 09:03 PM
Robert Story

kerberos server + enforcing mode?

On Thu, 3 Jul 2008 14:56:11 -0400 Daniel wrote:
DJW> Robert Story wrote:
DJW> >
DJW> > I'm trying to set up a kerberos KDC on a clean up-to-date F9 box in
DJW> > enforcing mode. [...] Also, I get an error when starting krb5kdc:
DJW> >
DJW> > Starting Kerberos 5 KDC: Couldn't open log file /var/log/krb5kdc.log: Permission denied
DJW> >
DJW> > The accompanying avc is:
DJW> >
DJW> > Jul 1 18:04:55 tib kernel: type=1400 audit(1214949895.536:4): avc: denied { create } for pid=1839 comm="krb5kdc" name="krb5kdc.log" scontext=unconfined_u:system_r:krb5kdc_t:s0 tcontext=system_u:object_r:krb5kdc_log_t:s0 tclass=file
DJW> >
DJW> Seems you stumbled upon a strange avc.
DJW>
DJW> If you type
DJW>
DJW> # touch /var/log/krb5kdc.log
DJW> # restorecon /var/log/krb5kdc.log
DJW>
DJW> Then start the service, does it work?

yep.

DJW> This is a long way of saying I need to update the policy to allow
DJW> krbkdc_t to create the file.
DJW>
DJW> Fixed in selinux-policy-3.3.1-76.fc9.noarch

Ok.. while waiting for that, I used audit2allow to load the following
policy:

module mypolicy0807091636 1.0;

require {
type krb5kdc_t;
type krb5kdc_log_t;
class file { create };
}

#============= krb5kdc_t ==============
allow krb5kdc_t krb5kdc_log_t:file create;


But I'm still getting the avc.. What else is missing?

--
Robert Story
SPARTA
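Dan's audit2why output earlier in the thread flags this denial as a constraint violation rather than an ordinary type-enforcement denial, and the allow rule Robert loaded only addresses the latter. As an added example that is not part of this thread, the Python below parses AVC lines like the one quoted here, splits both contexts into user/role/type, and separates the two cases: when the user components match it emits the allow rule audit2allow would, and when they differ (unconfined_u against system_u, as here) it reports that an allow rule alone will not clear the denial and points at the pre-create-and-restorecon workaround Dan gave. The sample lines are constructed: the first is the denial from the thread, the second is the same denial with matching user components assumed for illustration, the third is not an AVC at all. The rule "differing user component means a constraint" is an assumption generalised from the audit2why output above, not a reading of the policy's constraints file.

```python
"""Triage SELinux AVC denials: ordinary type-enforcement denials versus the
user-mismatch constraint violation seen in this thread.

Added example, not code from the thread.  The rule "source and target
SELinux users differ => constraint, not a plain TE denial" is an assumption
generalised from the audit2why output quoted above; it does not read the
policy's constraints file.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input.  The first line is the denial quoted in the thread
# (with the archive's mangled "system_ubject_r" restored to system_u:object_r);
# the second is the same denial with matching user components, assumed here
# only to exercise the other branch; the third is not an AVC record at all.
SAMPLE_LINES = [
    'Jul 1 18:04:55 tib kernel: type=1400 audit(1214949895.536:4): avc: denied '
    '{ create } for pid=1839 comm="krb5kdc" name="krb5kdc.log" '
    'scontext=unconfined_u:system_r:krb5kdc_t:s0 '
    'tcontext=system_u:object_r:krb5kdc_log_t:s0 tclass=file',
    'Jul 1 18:05:10 tib kernel: type=1400 audit(1214949910.001:5): avc: denied '
    '{ create } for pid=1840 comm="krb5kdc" name="krb5kdc.log" '
    'scontext=system_u:system_r:krb5kdc_t:s0 '
    'tcontext=system_u:object_r:krb5kdc_log_t:s0 tclass=file',
    'Jul 1 18:05:11 tib kernel: Starting Kerberos 5 KDC: [OK]',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<kv>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Context:
    user: str
    role: str
    type: str
    level: str = ''


def parse_context(text: str) -> Context:
    """Split user:role:type[:level]; an MLS range keeps its own colons."""
    parts = text.split(':', 3)
    if len(parts) < 3:
        raise ValueError(f'malformed security context: {text!r}')
    return Context(*parts)


@dataclass
class Denial:
    perms: List[str]
    comm: str
    name: str
    scontext: Context
    tcontext: Context
    tclass: str


def parse_avc(line: str) -> Optional[Denial]:
    """Return the parsed denial, or None for lines that are not AVC records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('kv'))}
    try:
        return Denial(
            perms=m.group('perms').split(),
            comm=fields.get('comm', '?'),
            name=fields.get('name', '?'),
            scontext=parse_context(fields['scontext']),
            tcontext=parse_context(fields['tcontext']),
            tclass=fields['tclass'],
        )
    except KeyError as missing:
        raise ValueError(f'AVC record lacks {missing}: {line!r}') from None


def classify(d: Denial) -> str:
    """'te' when an allow rule can satisfy it, 'constraint' when the SELinux
    user components differ (the case audit2why reported as a constraint)."""
    return 'constraint' if d.scontext.user != d.tcontext.user else 'te'


def suggest(d: Denial) -> str:
    """Advice for the admin: the audit2allow rule, or why that rule is not enough."""
    if classify(d) == 'te':
        return f'allow {d.scontext.type} {d.tcontext.type}:{d.tclass} {{ {" ".join(d.perms)} }};'
    return (f'{d.comm} runs as {d.scontext.user} but the {d.tclass} "{d.name}" is labelled '
            f'for {d.tcontext.user}: an "allow {d.scontext.type} {d.tcontext.type}" rule '
            f'alone will not clear this; pre-create the object and run restorecon on it, '
            f'or wait for the policy update that permits it.')


def triage(lines: List[str]) -> List[dict]:
    """Classify every AVC record in a batch of log lines; non-AVC lines are skipped."""
    out = []
    for line in lines:
        d = parse_avc(line)
        if d is not None:
            out.append({'comm': d.comm, 'kind': classify(d), 'advice': suggest(d)})
    return out


if __name__ == '__main__':
    for r in triage(SAMPLE_LINES):
        print(f"{r['comm']:10} {r['kind']:10} {r['advice']}")
```

Running the script prints one line per denial; only the second sample yields an allow rule, which is the point of the distinction: the first denial is the one on this thread, and loading the generated rule for it does nothing, exactly as Robert observed.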
 
07-09-2008, 09:20 PM
Robert Story

kerberos server + enforcing mode?

I'm still getting "modify_principal: Insufficient access to lock
database" error messages when trying to use kadmin in enforcing mode. I
ran 'semodule -DB' to re-enable don't audit messages, and I've attached
what I get when trying to run a kadmin command to add a principal
(after starting kadmind/krb5kdc... kadmin.log seems to be ok). Any
hints, tips or policy modules greatly appreciated...

--
Robert Story
SPARTA
 
07-10-2008, 07:31 PM
Daniel J Walsh

kerberos server + enforcing mode?

Robert Story wrote:
> I'm still getting "modify_principal: Insufficient access to lock
> database" error messages when trying to use kadmin in enforcing mode. I
> ran 'semodule -DB' to re-enable don't audit messages, and I've attached
> what I get when trying to run a kadmin command to add a principal
> (after starting kadmind/krb5kdc... kadmin.log seems to be ok). Any
> hint, tips or policy modules greatly appreciated...
Looks like this one is causing your problem.


Looks like the files were created with the wrong labels or kadmin is not
allowed to create.

restorecon -R -v /var/kerberos

I am fixing the policy to allow the creation of the lock files with the
correct label.
 
07-14-2008, 01:07 PM
Daniel J Walsh

kerberos server + enforcing mode?

Daniel J Walsh wrote:
> Robert Story wrote:
>> I'm still getting "modify_principal: Insufficient access to lock
>> database" error messages when trying to use kadmin in enforcing mode. I
>> ran 'semodule -DB' to re-enable don't audit messages, and I've attached
>> what I get when trying to run a kadmin command to add a principal
>> (after starting kadmind/krb5kdc... kadmin.log seems to be ok). Any
>> hint, tips or policy modules greatly appreciated...
> Looks like this one is causing your problem.
>
>
> Looks like the files were created with the wrong labels or kadmin is not
> allowed to create.
>
> restorecon -R -v /var/kerberos
>
> I am fixing the policy to allow the creation of the lock files with the
> correct label.
We are working on this and should have a fix soon. For now you can use
audit2allow to generate custom policy.
 
