08-22-2008, 04:51 PM
Robert Story

MLS enforcing and kerberos

I'm trying to switch a working kerberos server from targeted/enforcing
to mls/enforcing. The krb5kdc daemon starts fine, but kadmin does not.
There is a single avc in the audit log:

type=AVC msg=audit(1219421464.372:719): avc: denied { getattr } for pid=2436 comm="kadmind" path="/var/tmp/kadmin_0" dev=dm-5 ino=82064 scontext=system_u:system_r:kadmind_t:s0-s15:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=file

I ran this through audit2allow and loaded the module, with no luck. I
ran 'semodule -DB' to see what else was being hit and not audited, and
get quite a few more:

type=AVC msg=audit(1219421462.655:714): avc: denied { siginh } for pid=2436 comm="kadmind" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:kadmind_t:s0-s15:c0.c1023 tclass=process
type=AVC msg=audit(1219421462.655:714): avc: denied { rlimitinh } for pid=2436 comm="kadmind" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:kadmind_t:s0-s15:c0.c1023 tclass=process
type=AVC msg=audit(1219421462.655:714): avc: denied { noatsecure } for pid=2436 comm="kadmind" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:kadmind_t:s0-s15:c0.c1023 tclass=process
type=SYSCALL msg=audit(1219421462.655:714): arch=14 syscall=11 success=yes exit=0 a0=100f1600 a1=100f13b0 a2=100f03d8 a3=0 items=0 ppid=2435 pid=2436 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts6 ses=5 comm="kadmind" exe="/usr/kerberos/sbin/kadmind" subj=system_u:system_r:kadmind_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1219421462.668:715): avc: denied { read } for pid=2436 comm="kadmind" name="config" dev=dm-5 ino=57734 scontext=system_u:system_r:kadmind_t:s0-s15:c0.c1023 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
type=SYSCALL msg=audit(1219421462.668:715): arch=14 syscall=5 success=no exit=-13 a0=1fcdc380 a1=10000 a2=1b6 a3=0 items=0 ppid=2435 pid=2436 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts6 ses=5 comm="kadmind" exe="/usr/kerberos/sbin/kadmind" subj=system_u:system_r:kadmind_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1219421462.670:716): avc: denied { write } for pid=2436 comm="kadmind" name="kdc.conf" dev=dm-5 ino=82034 scontext=system_u:system_r:kadmind_t:s0-s15:c0.c1023 tcontext=system_u:object_r:krb5kdc_conf_t:s0 tclass=file
type=SYSCALL msg=audit(1219421462.670:716): arch=14 syscall=33 success=no exit=-13 a0=20020c30 a1=2 a2=1b6 a3=0 items=0 ppid=2435 pid=2436 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts6 ses=5 comm="kadmind" exe="/usr/kerberos/sbin/kadmind" subj=system_u:system_r:kadmind_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1219421462.671:717): avc: denied { write } for pid=2436 comm="kadmind" name="krb5.conf" dev=dm-5 ino=378227 scontext=system_u:system_r:kadmind_t:s0-s15:c0.c1023 tcontext=system_u:object_r:krb5_conf_t:s0 tclass=file
type=SYSCALL msg=audit(1219421462.671:717): arch=14 syscall=33 success=no exit=-13 a0=20020d20 a1=2 a2=1b6 a3=0 items=0 ppid=2435 pid=2436 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts6 ses=5 comm="kadmind" exe="/usr/kerberos/sbin/kadmind" subj=system_u:system_r:kadmind_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1219421464.369:718): avc: denied { name_bind } for pid=2436 comm="kadmind" src=916 scontext=system_u:system_r:kadmind_t:s0-s15:c0.c1023 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1219421464.369:718): arch=14 syscall=102 success=no exit=-13 a0=2 a1=bfb6c484 a2=10 a3=bfb6c5dc items=0 ppid=2435 pid=2436 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts6 ses=5 comm="kadmind" exe="/usr/kerberos/sbin/kadmind" subj=system_u:system_r:kadmind_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1219421464.372:719): avc: denied { getattr } for pid=2436 comm="kadmind" path="/var/tmp/kadmin_0" dev=dm-5 ino=82064 scontext=system_u:system_r:kadmind_t:s0-s15:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=file
type=SYSCALL msg=audit(1219421464.372:719): arch=14 syscall=195 success=no exit=-13 a0=203136c0 a1=bfb6c120 a2=bfb6c120 a3=0 items=0 ppid=2435 pid=2436 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts6 ses=5 comm="kadmind" exe="/usr/kerberos/sbin/kadmind" subj=system_u:system_r:kadmind_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1219421464.405:720): avc: denied { getattr } for pid=2436 comm="kadmind" path="/var/tmp/kadmin_0" dev=dm-5 ino=82064 scontext=system_u:system_r:kadmind_t:s0-s15:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=file
type=SYSCALL msg=audit(1219421464.405:720): arch=14 syscall=195 success=no exit=-13 a0=20409ad8 a1=bfb6c120 a2=bfb6c120 a3=0 items=0 ppid=2435 pid=2436 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts6 ses=5 comm="kadmind" exe="/usr/kerberos/sbin/kadmind" subj=system_u:system_r:kadmind_t:s0-s15:c0.c1023 key=(null)


running this through audit2allow and loading the module doesn't help
either... What can I try next?

--
Robert Story
SPARTA
--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
08-22-2008, 05:07 PM
Stephen Smalley

MLS enforcing and kerberos

On Fri, 2008-08-22 at 12:51 -0400, Robert Story wrote:
> I'm trying to switch a working kerberos server from targeted/enforcing
> to mls/enforcing. The krb5kdc daemon start fine, but kadmin does not.
> There is a single avc in the audit log:
>
> type=AVC msg=audit(1219421464.372:719): avc: denied { getattr } for
> pid=2436 comm="kadmind" path="/var/tmp/kadmin_0" dev=dm-5 ino=82064
> scontext=system_u:system_r:kadmind_t:s0-s15:c0.c1023
> tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=file

The real question there is why is that file labeled unlabeled_t? That
usually indicates that its context was invalidated, e.g. you removed the
type from the policy?

--
Stephen Smalley
National Security Agency

 
08-22-2008, 05:12 PM
Stephen Smalley

MLS enforcing and kerberos

On Fri, 2008-08-22 at 12:51 -0400, Robert Story wrote:
> I'm trying to switch a working kerberos server from targeted/enforcing
> to mls/enforcing. The krb5kdc daemon start fine, but kadmin does not.
> There is a single avc in the audit log:
>
> type=AVC msg=audit(1219421464.372:719): avc: denied { getattr } for pid=2436 comm="kadmind" path="/var/tmp/kadmin_0" dev=dm-5 ino=82064 scontext=system_u:system_r:kadmind_t:s0-s15:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=file

BTW, aside from the wrong type on the file, the denial is clearly a MLS
denial - look at the levels on the two contexts. You have a process
whose current/low level is s0 (aka SystemLow) trying to getattr (read
flow) a file at s15:c0.c1023 (aka SystemHigh). No surprises there.
The high level of the process is only used as a ceiling for newrole -l
or if the process' domain has certain MLS privileges allowing it to act
up to its ceiling.

--
Stephen Smalley
National Security Agency

 
08-22-2008, 07:21 PM
Robert Story

MLS enforcing and kerberos

On Fri, 22 Aug 2008 13:07:48 -0400 Stephen wrote:
SS> > type=AVC msg=audit(1219421464.372:719): avc: denied { getattr } for
SS> > pid=2436 comm="kadmind" path="/var/tmp/kadmin_0" dev=dm-5 ino=82064
SS> > scontext=system_u:system_r:kadmind_t:s0-s15:c0.c1023
SS> > tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=file
SS>
SS> The real question there is why is that file labeled unlabeled_t? That
SS> usually indicates that its context was invalidated, e.g. you removed the
SS> type from the policy?

I haven't touched policy... The file must be left over from when the box
was running in targeted mode... I did relabel, but then there's this:

/etc/selinux/mls/contexts/files/file_contexts:/var/tmp/.* <<none>>

SS> BTW, aside from the wrong type on the file, the denial is clearly a MLS
SS> denial - look at the levels on the two contexts. You have a process
SS> whose current/low level is s0 (aka SystemLow) trying to getattr (read
SS> flow) a file at s15:c0.c1023 (aka SystemHigh). No surprises there.
SS> The high level of the process is only used as a ceiling for newrole -l
SS> or if the process' domain has certain MLS privileges allowing it to act
SS> up to its ceiling.

I couldn't delete the file in enforcing mode, even after 'newrole -l
SystemHigh'. So I dropped to permissive and deleted the file. After
that, kadmin started fine and the file was recreated with SystemLow.

--
Robert Story
SPARTA
 
09-04-2008, 01:08 PM
Daniel J Walsh

MLS enforcing and kerberos

Robert Story wrote:
> On Fri, 22 Aug 2008 13:07:48 -0400 Stephen wrote:
> SS> > type=AVC msg=audit(1219421464.372:719): avc: denied { getattr } for
> SS> > pid=2436 comm="kadmind" path="/var/tmp/kadmin_0" dev=dm-5 ino=82064
> SS> > scontext=system_u:system_r:kadmind_t:s0-s15:c0.c1023
> SS> > tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=file
> SS>
> SS> The real question there is why is that file labeled unlabeled_t? That
> SS> usually indicates that its context was invalidated, e.g. you removed the
> SS> type from the policy?
>
> I haven't touched policy... The file must be left over from when the box
> was running in targeted mode... I did relabel, but then there's this:
>
> /etc/selinux/mls/contexts/files/file_contexts:/var/tmp/.* <<none>>
>
> SS> BTW, aside from the wrong type on the file, the denial is clearly a MLS
> SS> denial - look at the levels on the two contexts. You have a process
> SS> whose current/low level is s0 (aka SystemLow) trying to getattr (read
> SS> flow) a file at s15:c0.c1023 (aka SystemHigh). No surprises there.
> SS> The high level of the process is only used as a ceiling for newrole -l
> SS> or if the process' domain has certain MLS privileges allowing it to act
> SS> up to its ceiling.
>
> I couldn't delete the file in enforcing mode, even after 'newrole -l
> SystemHigh'. So I dropped to permissive and deleted the file. After
> that, kadmin started fine and the file was recreated with SystemLow.
Relabeling does not clean up /tmp files since we have no idea what to
label these. So it is best when changing over if you remove all files
from /tmp. Better yet use a tmpfs :^)

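The two points made in this thread, Stephen's reading of the denial as an MLS read-flow failure (the process's current level s0 does not dominate the file's level s15:c0.c1023) and Dan's note that a relabel leaves stale contexts in /tmp behind, can both be checked mechanically. The Python below is an added example, not code from the list or from the SELinux project. It parses AVC records in the format quoted above, implements MLS dominance over sensitivity plus category sets, classifies a denial as stale label, MLS read flow, or plain type enforcement, and sweeps a tmp listing for files a policy switch would leave behind. Assumptions: the set of permissions treated as a read flow is a simplification of the policy's mlsconstrain rules, the daemon's tmp files are expected at s0 as the recreated file in the thread was, the sample records are copied from the thread with the `system_u:object_r` part restored, and the tmp listing is constructed.

```python
import re

# Constructed sample records, copied from the denials quoted in this thread
# (the forum software had eaten the ":o" of "system_u:object_r"; restored here).
AVC_MLS = ('type=AVC msg=audit(1219421464.372:719): avc: denied { getattr } for pid=2436 '
           'comm="kadmind" path="/var/tmp/kadmin_0" dev=dm-5 ino=82064 '
           'scontext=system_u:system_r:kadmind_t:s0-s15:c0.c1023 '
           'tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=file')
AVC_TE = ('type=AVC msg=audit(1219421462.670:716): avc: denied { write } for pid=2436 '
          'comm="kadmind" name="kdc.conf" dev=dm-5 ino=82034 '
          'scontext=system_u:system_r:kadmind_t:s0-s15:c0.c1023 '
          'tcontext=system_u:object_r:krb5kdc_conf_t:s0 tclass=file')

# Constructed listing in the shape `find /tmp /var/tmp -printf '%Z %p\n'` produces.
SAMPLE_TMP_LISTING = [
    ('/var/tmp/kadmin_0', 'system_u:object_r:unlabeled_t:s15:c0.c1023'),
    ('/var/tmp/kadmind.sock', 'system_u:object_r:kadmind_tmp_t:s0'),
    ('/tmp/scratch', 'staff_u:object_r:user_tmp_t:s2:c4'),
]

# Assumption: a simplified view of the permissions the MLS policy treats as a read flow.
READ_FLOW = {'read', 'getattr', 'execute'}

_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
_PERMS = re.compile(r'denied\s+\{([^}]*)\}')


def parse_avc(line):
    """Split an AVC record into its key=value fields plus the denied permission set."""
    fields = {k: v.strip('"') for k, v in _FIELD.findall(line)}
    m = _PERMS.search(line)
    fields['perms'] = set(m.group(1).split()) if m else set()
    return fields


def split_context(ctx):
    """'user:role:type:range' -> (user, role, type, range); a context without a level gets 's0'."""
    parts = ctx.split(':', 3)
    if len(parts) == 3:
        parts.append('s0')
    return tuple(parts)


def parse_level(level):
    """'s15:c0.c1023' -> (15, frozenset({0, ..., 1023})); 's2:c1,c3.c5' -> (2, {1, 3, 4, 5})."""
    sens, _, cats = level.partition(':')
    members = set()
    if cats:
        for piece in cats.split(','):
            lo, _, hi = piece.partition('.')
            lo_n = int(lo[1:])
            hi_n = int(hi[1:]) if hi else lo_n
            members.update(range(lo_n, hi_n + 1))
    return int(sens[1:]), frozenset(members)


def parse_range(rng):
    """'s0-s15:c0.c1023' -> (low, high); a single level is its own low and high."""
    low, _, high = rng.partition('-')
    low_l = parse_level(low)
    return low_l, (parse_level(high) if high else low_l)


def dominates(a, b):
    """MLS dominance: a >= b iff its sensitivity is >= and its category set is a superset."""
    return a[0] >= b[0] and a[1] >= b[1]


def classify(line):
    """Explain an AVC denial the way the thread does: stale label, MLS read flow, or plain TE."""
    f = parse_avc(line)
    _, _, styp, srng = split_context(f['scontext'])
    _, _, otyp, orng = split_context(f['tcontext'])
    s_low, _s_high = parse_range(srng)   # the current level is the low end of the range
    o_low, _ = parse_range(orng)
    findings = []
    if otyp == 'unlabeled_t':
        findings.append('stale label: object type is unlabeled_t, relabel or remove the file')
    if f['perms'] & READ_FLOW and not dominates(s_low, o_low):
        findings.append('MLS read-flow denial: current level %s does not dominate object level %s'
                        % (srng.partition('-')[0], orng))
    if not findings:
        findings.append('type enforcement denial: %s -> %s %s %s'
                        % (styp, otyp, f.get('tclass', '?'), ' '.join(sorted(f['perms']))))
    return findings


def flag_tmp_contexts(entries, daemon_level='s0'):
    """Pre-switch sweep of tmp directories: return paths that a relabel would leave behind
    with unlabeled_t, or that sit at a level other than the one the daemon runs at."""
    expected = parse_level(daemon_level)
    flagged = []
    for path, ctx in entries:
        _, _, typ, rng = split_context(ctx)
        low, high = parse_range(rng)
        if typ == 'unlabeled_t' or low != expected or high != expected:
            flagged.append(path)
    return flagged


if __name__ == '__main__':
    for rec in (AVC_MLS, AVC_TE):
        print(sorted(parse_avc(rec)['perms']), '->', '; '.join(classify(rec)))
    print('tmp files to clean before switching policy:', flag_tmp_contexts(SAMPLE_TMP_LISTING))
```

Run against the thread's own denial, `classify` reports both problems Stephen pointed out: the stale `unlabeled_t` type and the level mismatch that audit2allow cannot fix, since no allow rule overrides an MLS constraint. Feeding `flag_tmp_contexts` a real `find -printf '%Z %p\n'` listing before the switch is the mechanical form of Dan's advice to empty /tmp first.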
 
