I'm trying to switch a working kerberos server from targeted/enforcing to mls/enforcing. The krb5kdc daemon starts fine, but kadmin does not. There is a single avc in the audit log:
type=AVC msg=audit(1219421464.372:719): avc: denied { getattr } for pid=2436 comm="kadmind" path="/var/tmp/kadmin_0" dev=dm-5 ino=82064 scontext=system_u:system_r:kadmind_t:s0-s15:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=file
I ran this through audit2allow and loaded the module, with no luck. I ran 'semodule -DB' to see what else was being hit and not audited, and get quite a few more:
type=AVC msg=audit(1219421462.655:714): avc: denied { siginh } for pid=2436 comm="kadmind" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:kadmind_t:s0-s15:c0.c1023 tclass=process
type=AVC msg=audit(1219421462.655:714): avc: denied { rlimitinh } for pid=2436 comm="kadmind" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:kadmind_t:s0-s15:c0.c1023 tclass=process
type=AVC msg=audit(1219421462.655:714): avc: denied { noatsecure } for pid=2436 comm="kadmind" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:kadmind_t:s0-s15:c0.c1023 tclass=process
type=SYSCALL msg=audit(1219421462.655:714): arch=14 syscall=11 success=yes exit=0 a0=100f1600 a1=100f13b0 a2=100f03d8 a3=0 items=0 ppid=2435 pid=2436 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts6 ses=5 comm="kadmind" exe="/usr/kerberos/sbin/kadmind" subj=system_u:system_r:kadmind_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1219421462.668:715): avc: denied { read } for pid=2436 comm="kadmind" name="config" dev=dm-5 ino=57734 scontext=system_u:system_r:kadmind_t:s0-s15:c0.c1023 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
type=SYSCALL msg=audit(1219421462.668:715): arch=14 syscall=5 success=no exit=-13 a0=1fcdc380 a1=10000 a2=1b6 a3=0 items=0 ppid=2435 pid=2436 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts6 ses=5 comm="kadmind" exe="/usr/kerberos/sbin/kadmind" subj=system_u:system_r:kadmind_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1219421462.670:716): avc: denied { write } for pid=2436 comm="kadmind" name="kdc.conf" dev=dm-5 ino=82034 scontext=system_u:system_r:kadmind_t:s0-s15:c0.c1023 tcontext=system_u:object_r:krb5kdc_conf_t:s0 tclass=file
type=SYSCALL msg=audit(1219421462.670:716): arch=14 syscall=33 success=no exit=-13 a0=20020c30 a1=2 a2=1b6 a3=0 items=0 ppid=2435 pid=2436 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts6 ses=5 comm="kadmind" exe="/usr/kerberos/sbin/kadmind" subj=system_u:system_r:kadmind_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1219421462.671:717): avc: denied { write } for pid=2436 comm="kadmind" name="krb5.conf" dev=dm-5 ino=378227 scontext=system_u:system_r:kadmind_t:s0-s15:c0.c1023 tcontext=system_u:object_r:krb5_conf_t:s0 tclass=file
type=SYSCALL msg=audit(1219421462.671:717): arch=14 syscall=33 success=no exit=-13 a0=20020d20 a1=2 a2=1b6 a3=0 items=0 ppid=2435 pid=2436 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts6 ses=5 comm="kadmind" exe="/usr/kerberos/sbin/kadmind" subj=system_u:system_r:kadmind_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1219421464.369:718): avc: denied { name_bind } for pid=2436 comm="kadmind" src=916 scontext=system_u:system_r:kadmind_t:s0-s15:c0.c1023 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1219421464.369:718): arch=14 syscall=102 success=no exit=-13 a0=2 a1=bfb6c484 a2=10 a3=bfb6c5dc items=0 ppid=2435 pid=2436 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts6 ses=5 comm="kadmind" exe="/usr/kerberos/sbin/kadmind" subj=system_u:system_r:kadmind_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1219421464.372:719): avc: denied { getattr } for pid=2436 comm="kadmind" path="/var/tmp/kadmin_0" dev=dm-5 ino=82064 scontext=system_u:system_r:kadmind_t:s0-s15:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=file
type=SYSCALL msg=audit(1219421464.372:719): arch=14 syscall=195 success=no exit=-13 a0=203136c0 a1=bfb6c120 a2=bfb6c120 a3=0 items=0 ppid=2435 pid=2436 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts6 ses=5 comm="kadmind" exe="/usr/kerberos/sbin/kadmind" subj=system_u:system_r:kadmind_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1219421464.405:720): avc: denied { getattr } for pid=2436 comm="kadmind" path="/var/tmp/kadmin_0" dev=dm-5 ino=82064 scontext=system_u:system_r:kadmind_t:s0-s15:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=file
type=SYSCALL msg=audit(1219421464.405:720): arch=14 syscall=195 success=no exit=-13 a0=20409ad8 a1=bfb6c120 a2=bfb6c120 a3=0 items=0 ppid=2435 pid=2436 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts6 ses=5 comm="kadmind" exe="/usr/kerberos/sbin/kadmind" subj=system_u:system_r:kadmind_t:s0-s15:c0.c1023 key=(null)
running this through audit2allow and loading the module doesn't help either... What can I try next?
On Fri, 2008-08-22 at 12:51 -0400, Robert Story wrote:
> I'm trying to switch a working kerberos server from targeted/enforcing to mls/enforcing. The krb5kdc daemon starts fine, but kadmin does not. There is a single avc in the audit log:
> type=AVC msg=audit(1219421464.372:719): avc: denied { getattr } for pid=2436 comm="kadmind" path="/var/tmp/kadmin_0" dev=dm-5 ino=82064 scontext=system_u:system_r:kadmind_t:s0-s15:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=file
The real question there is why is that file labeled unlabeled_t? That usually indicates that its context was invalidated, e.g. you removed the type from the policy?
On Fri, 22 Aug 2008 13:07:48 -0400 Stephen wrote:
SS> > type=AVC msg=audit(1219421464.372:719): avc: denied { getattr } for
SS> > pid=2436 comm="kadmind" path="/var/tmp/kadmin_0" dev=dm-5 ino=82064
SS> > scontext=system_u:system_r:kadmind_t:s0-s15:c0.c1023
SS> > tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=file
SS>
SS> The real question there is why is that file labeled unlabeled_t? That
SS> usually indicates that its context was invalidated, e.g. you removed the
SS> type from the policy?
I haven't touched policy... The file must be left over from when the box was running in targeted mode... I did relabel, but then there's this:
/etc/selinux/mls/contexts/files/file_contexts:/var/tmp/.* <<none>>
SS> BTW, aside from the wrong type on the file, the denial is clearly a MLS
SS> denial - look at the levels on the two contexts. You have a process
SS> whose current/low level is s0 (aka SystemLow) trying to getattr (read
SS> flow) a file at s15:c0.c1023 (aka SystemHigh). No surprises there.
SS> The high level of the process is only used as a ceiling for newrole -l
SS> or if the process' domain has certain MLS privileges allowing it to act
SS> up to its ceiling.
I couldn't delete the file in enforcing mode, even after 'newrole -l SystemHigh'. So I dropped to permissive and deleted the file. After that, kadmin started fine and the file was recreated with SystemLow.
Robert Story wrote:
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Relabeling does not clean up /tmp files since we have no idea what to label these. So it is best when changing over if you remove all files from /tmp. Better yet use a tmpfs :^)
On Fri, 2008-08-22 at 12:51 -0400, Robert Story wrote:
> I'm trying to switch a working kerberos server from targeted/enforcing to mls/enforcing. The krb5kdc daemon starts fine, but kadmin does not. There is a single avc in the audit log:
> type=AVC msg=audit(1219421464.372:719): avc: denied { getattr } for pid=2436 comm="kadmind" path="/var/tmp/kadmin_0" dev=dm-5 ino=82064 scontext=system_u:system_r:kadmind_t:s0-s15:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=file
BTW, aside from the wrong type on the file, the denial is clearly a MLS denial - look at the levels on the two contexts. You have a process whose current/low level is s0 (aka SystemLow) trying to getattr (read flow) a file at s15:c0.c1023 (aka SystemHigh). No surprises there. The high level of the process is only used as a ceiling for newrole -l or if the process' domain has certain MLS privileges allowing it to act up to its ceiling.
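The dominance check Stephen describes, worked through in code. This is an added example written for this page, not code from anyone in the thread or from the SELinux project. It parses an AVC record, splits the subject and object contexts into user/role/type/range, and applies the base MLS file constraints of the reference policy: a read-flow permission (read, getattr, ...) needs the subject's current (low) level to dominate the object's level, and a write-flow permission needs the two levels to be equal. The per-domain MLS privilege attributes Stephen alludes to (which let a domain act up to its ceiling) are not modelled, so mls_denied means "denied under the base constraint". The first two sample records are the AVC lines from the thread; the third (example_t reading example_file_t at s1:c5) is constructed to show that categories, not only sensitivity, decide dominance.

```python
"""Classify SELinux AVC denials: invalid label, MLS denial, or plain type enforcement."""
import re

# Sample records: two taken from the thread, one constructed for this example.
SAMPLE_AVCS = [
    'type=AVC msg=audit(1219421464.372:719): avc: denied { getattr } for pid=2436 '
    'comm="kadmind" path="/var/tmp/kadmin_0" dev=dm-5 ino=82064 '
    'scontext=system_u:system_r:kadmind_t:s0-s15:c0.c1023 '
    'tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=file',
    'type=AVC msg=audit(1219421462.670:716): avc: denied { write } for pid=2436 '
    'comm="kadmind" name="kdc.conf" dev=dm-5 ino=82034 '
    'scontext=system_u:system_r:kadmind_t:s0-s15:c0.c1023 '
    'tcontext=system_u:object_r:krb5kdc_conf_t:s0 tclass=file',
    # constructed (hypothetical types): a process at s2:c0.c3 reading a file at s1:c5
    'type=AVC msg=audit(1.000:1): avc: denied { read } for pid=1 comm="example" '
    'scontext=system_u:system_r:example_t:s2:c0.c3 '
    'tcontext=system_u:object_r:example_file_t:s1:c5 tclass=file',
]

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Approximation of the permission sets in the reference policy's MLS file constraints.
READ_FLOW = {"read", "getattr", "execute", "execute_no_trans", "ioctl", "lock"}
WRITE_FLOW = {"write", "append", "create", "setattr", "unlink", "link", "rename",
              "relabelfrom", "relabelto"}


def parse_level(level):
    """'s15:c0.c1023' -> (15, frozenset(range(1024))); 's0' -> (0, frozenset())."""
    sens, _, cats = level.partition(":")
    if not re.fullmatch(r"s\d+", sens):
        raise ValueError("bad sensitivity in level %r" % level)
    cat_set = set()
    for piece in (cats.split(",") if cats else []):
        lo, _, hi = piece.partition(".")  # 'c0.c1023' is an inclusive range
        lo_n = int(lo[1:])
        hi_n = int(hi[1:]) if hi else lo_n
        cat_set.update(range(lo_n, hi_n + 1))
    return int(sens[1:]), frozenset(cat_set)


def parse_range(rng):
    """'s0-s15:c0.c1023' -> (low, high); a single level is its own low and high."""
    low, _, high = rng.partition("-")
    lo = parse_level(low)
    return lo, (parse_level(high) if high else lo)


def parse_context(ctx):
    """user:role:type:range; the range itself contains ':' so split at most 3 times."""
    user, role, type_, rng = ctx.split(":", 3)
    low, high = parse_range(rng)
    return {"user": user, "role": role, "type": type_, "low": low, "high": high}


def dominates(a, b):
    """a dom b iff a's sensitivity >= b's and b's categories are a subset of a's."""
    return a[0] >= b[0] and b[1] <= a[1]


def classify(line):
    m = AVC_RE.search(line)
    if m is None:
        raise ValueError("not an AVC denial record")
    perms = m.group("perms").split()
    subj = parse_context(m.group("scontext"))
    obj = parse_context(m.group("tcontext"))
    flows, mls_denied = set(), False
    for perm in perms:
        if perm in READ_FLOW:
            flows.add("read")
            # read-down: the current level (low end of the range) must dominate the object
            mls_denied |= not dominates(subj["low"], obj["low"])
        elif perm in WRITE_FLOW:
            flows.add("write")
            # base file-write constraint: subject and object levels must be equal
            mls_denied |= subj["low"] != obj["low"]
        else:
            flows.add("other")
    return {
        "perms": perms,
        "tclass": m.group("tclass"),
        "subject_type": subj["type"],
        "object_type": obj["type"],
        # unlabeled_t: the on-disk label is not valid under the loaded policy
        "invalid_label": obj["type"] == "unlabeled_t",
        "flows": sorted(flows),
        "mls_denied": mls_denied,
        # the high end of the range is only a ceiling (newrole -l or an MLS privilege)
        "within_clearance": dominates(subj["high"], obj["low"]),
    }


if __name__ == "__main__":
    for rec in SAMPLE_AVCS:
        r = classify(rec)
        print("%-8s %-16s invalid_label=%-5s mls_denied=%-5s within_clearance=%s" % (
            " ".join(r["perms"]), r["object_type"], r["invalid_label"],
            r["mls_denied"], r["within_clearance"]))
```

Run against the thread's getattr record, classify() reports both problems at once: the object type is unlabeled_t (so no allow rule written by audit2allow can ever match it) and the s0 current level of kadmind_t does not dominate s15:c0.c1023, while within_clearance is true, which is exactly why the file was reachable only after raising the level or dropping to permissive. The kdc.conf write denial, by contrast, is s0 against s0 and so is a pure type-enforcement denial.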