kerberos server + enforcing mode?

Daniel J Walsh dwalsh at redhat.com
Thu Jul 3 18:56:11 UTC 2008



Robert Story wrote:
> Hi,
> 
> I'm trying to set up a kerberos KDC on a clean up-to-date F9 box in
> enforcing mode. I'm following an online tutorial, and I get to the
> point where I'm trying to set the default policy, and the command fails
> with "modify_principal: Insufficient access to lock database". Some
> googling turned up 2 suggestions: switching to permissive mode, or
> stopping kadmin and restarting it manually, instead of using the
> service command.  Both of those solutions worked. Is there some policy
> piece missing?
> 
> Also, I get an error when starting krb5kdc:
> 
> Starting Kerberos 5 KDC: Couldn't open log file /var/log/krb5kdc.log: Permission denied
> 
> The accompanying avc is:
> 
> Jul  1 18:04:55 tib kernel: type=1400 audit(1214949895.536:4): avc:  denied  { create } for  pid=1839 comm="krb5kdc" name="krb5kdc.log" scontext=unconfined_u:system_r:krb5kdc_t:s0 tcontext=system_u:object_r:krb5kdc_log_t:s0 tclass=file
> 
> kadmind starts fine, and kadmind.log is created without a problem...
> 
Seems you stumbled upon a strange avc.

If you type

# touch /var/log/krb5kdc.log
# restorecon /var/log/krb5kdc.log

Then start the service, does it work?

If I run your avc through audit2why

# audit2allow -w -i /tmp/t
ul  1 18:04:55 tib kernel: type=1400 audit(1214949895.536:4): avc:
denied  { create } for  pid=1839 comm="krb5kdc" name="krb5kdc.log"
scontext=unconfined_u:system_r:krb5kdc_t:s0
tcontext=system_u:object_r:krb5kdc_log_t:s0 tclass=file

	Was caused by:
		Policy constraint violation.

		May require adding a type attribute to the domain or type to satisfy
the constraint.

		Constraints are defined in the policy sources in policy/constraints
(general), policy/mcs (MCS), and policy/mls (MLS).


It tells me you have a constraint violation.  Looking further at the
context, I see that the krb5kdc is running as

unconfined_u:system_r:krb5kdc_t

And trying to create

system_u:system_r:krb5kdc_log_t

I notice the user parts are different, and I realize that Kerberos has
SELinux knowledge in it.  So the kerberos libraries are trying to set
the file context directly to match what the system says it should be,
but SELinux policy does not allow krb5kdc_t to create files owned by a
different SELinux user (system_u).

This is a long way of saying I need to update the policy to allow
krb5kdc_t to create the file.

Fixed in selinux-policy-3.3.1-76.fc9.noarch
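As an added illustration (not part of the thread and not Fedora's tooling), a small Python parser that does the check described above mechanically: it pulls scontext/tcontext out of an AVC record and flags a denial whose SELinux user fields differ, which points at a constraint violation rather than an ordinary type-enforcement denial. The first sample is the AVC quoted in the thread; the second is a constructed denial where the users match.

```python
import re

# Constructed sample 1: the AVC record quoted in the thread.
THREAD_AVC = ('Jul  1 18:04:55 tib kernel: type=1400 audit(1214949895.536:4): avc:  denied  '
              '{ create } for  pid=1839 comm="krb5kdc" name="krb5kdc.log" '
              'scontext=unconfined_u:system_r:krb5kdc_t:s0 '
              'tcontext=system_u:object_r:krb5kdc_log_t:s0 tclass=file')
# Constructed sample 2: an ordinary type-enforcement denial (same SELinux user on both sides).
PLAIN_AVC = ('type=1400 audit(1214949900.000:5): avc:  denied  { write } for  pid=1840 '
             'comm="krb5kdc" name="messages" scontext=system_u:system_r:krb5kdc_t:s0 '
             'tcontext=system_u:object_r:var_log_t:s0 tclass=file')

AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the AVC record as a dict (result, perms, and key=value fields), or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {'result': m.group('result'), 'perms': m.group('perms').split()}
    for key, val in FIELD_RE.findall(m.group('rest')):
        rec[key] = val.strip('"')
    return rec


def split_context(ctx):
    """user:role:type[:range]; the MLS range may itself contain ':' so split at most 3 times."""
    parts = ctx.split(':', 3)
    return {'user': parts[0], 'role': parts[1], 'type': parts[2],
            'range': parts[3] if len(parts) > 3 else ''}


def diagnose(line):
    """Classify a denial as 'user_mismatch' (constraint, as in the thread) or 'type_enforcement'."""
    rec = parse_avc(line)
    if rec is None or rec['result'] != 'denied' or 'scontext' not in rec or 'tcontext' not in rec:
        return None
    src, tgt = split_context(rec['scontext']), split_context(rec['tcontext'])
    out = {'src_type': src['type'], 'tgt_type': tgt['type'], 'perms': rec['perms'],
           'name': rec.get('name'), 'src_user': src['user'], 'tgt_user': tgt['user']}
    if src['user'] != tgt['user']:
        # Type enforcement alone does not explain this: the user fields differ, which is what
        # policy/constraints checks. Confirm with `audit2allow -w`; touch + restorecon works around it.
        out['kind'] = 'user_mismatch'
    else:
        out['kind'] = 'type_enforcement'
    return out
```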