MLS enforcing and kerberos

Robert Story rstory at sparta.com
Fri Aug 22 16:51:02 UTC 2008


I'm trying to switch a working kerberos server from targeted/enforcing
to mls/enforcing.  The krb5kdc daemon starts fine, but kadmin does not.
There is a single avc in the audit log:

type=AVC msg=audit(1219421464.372:719): avc:  denied  { getattr } for  pid=2436 comm="kadmind" path="/var/tmp/kadmin_0" dev=dm-5 ino=82064 scontext=system_u:system_r:kadmind_t:s0-s15:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=file

I ran this through audit2allow and loaded the module, with no luck. I
ran 'semodule -DB' to see what else was being hit and not audited, and
got quite a few more:

type=AVC msg=audit(1219421462.655:714): avc:  denied  { siginh } for  pid=2436 comm="kadmind" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:kadmind_t:s0-s15:c0.c1023 tclass=process
type=AVC msg=audit(1219421462.655:714): avc:  denied  { rlimitinh } for  pid=2436 comm="kadmind" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:kadmind_t:s0-s15:c0.c1023 tclass=process
type=AVC msg=audit(1219421462.655:714): avc:  denied  { noatsecure } for  pid=2436 comm="kadmind" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:kadmind_t:s0-s15:c0.c1023 tclass=process
type=SYSCALL msg=audit(1219421462.655:714): arch=14 syscall=11 success=yes exit=0 a0=100f1600 a1=100f13b0 a2=100f03d8 a3=0 items=0 ppid=2435 pid=2436 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts6 ses=5 comm="kadmind" exe="/usr/kerberos/sbin/kadmind" subj=system_u:system_r:kadmind_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1219421462.668:715): avc:  denied  { read } for  pid=2436 comm="kadmind" name="config" dev=dm-5 ino=57734 scontext=system_u:system_r:kadmind_t:s0-s15:c0.c1023 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
type=SYSCALL msg=audit(1219421462.668:715): arch=14 syscall=5 success=no exit=-13 a0=1fcdc380 a1=10000 a2=1b6 a3=0 items=0 ppid=2435 pid=2436 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts6 ses=5 comm="kadmind" exe="/usr/kerberos/sbin/kadmind" subj=system_u:system_r:kadmind_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1219421462.670:716): avc:  denied  { write } for  pid=2436 comm="kadmind" name="kdc.conf" dev=dm-5 ino=82034 scontext=system_u:system_r:kadmind_t:s0-s15:c0.c1023 tcontext=system_u:object_r:krb5kdc_conf_t:s0 tclass=file
type=SYSCALL msg=audit(1219421462.670:716): arch=14 syscall=33 success=no exit=-13 a0=20020c30 a1=2 a2=1b6 a3=0 items=0 ppid=2435 pid=2436 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts6 ses=5 comm="kadmind" exe="/usr/kerberos/sbin/kadmind" subj=system_u:system_r:kadmind_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1219421462.671:717): avc:  denied  { write } for  pid=2436 comm="kadmind" name="krb5.conf" dev=dm-5 ino=378227 scontext=system_u:system_r:kadmind_t:s0-s15:c0.c1023 tcontext=system_u:object_r:krb5_conf_t:s0 tclass=file
type=SYSCALL msg=audit(1219421462.671:717): arch=14 syscall=33 success=no exit=-13 a0=20020d20 a1=2 a2=1b6 a3=0 items=0 ppid=2435 pid=2436 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts6 ses=5 comm="kadmind" exe="/usr/kerberos/sbin/kadmind" subj=system_u:system_r:kadmind_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1219421464.369:718): avc:  denied  { name_bind } for  pid=2436 comm="kadmind" src=916 scontext=system_u:system_r:kadmind_t:s0-s15:c0.c1023 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1219421464.369:718): arch=14 syscall=102 success=no exit=-13 a0=2 a1=bfb6c484 a2=10 a3=bfb6c5dc items=0 ppid=2435 pid=2436 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts6 ses=5 comm="kadmind" exe="/usr/kerberos/sbin/kadmind" subj=system_u:system_r:kadmind_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1219421464.372:719): avc:  denied  { getattr } for  pid=2436 comm="kadmind" path="/var/tmp/kadmin_0" dev=dm-5 ino=82064 scontext=system_u:system_r:kadmind_t:s0-s15:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=file
type=SYSCALL msg=audit(1219421464.372:719): arch=14 syscall=195 success=no exit=-13 a0=203136c0 a1=bfb6c120 a2=bfb6c120 a3=0 items=0 ppid=2435 pid=2436 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts6 ses=5 comm="kadmind" exe="/usr/kerberos/sbin/kadmind" subj=system_u:system_r:kadmind_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1219421464.405:720): avc:  denied  { getattr } for  pid=2436 comm="kadmind" path="/var/tmp/kadmin_0" dev=dm-5 ino=82064 scontext=system_u:system_r:kadmind_t:s0-s15:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=file
type=SYSCALL msg=audit(1219421464.405:720): arch=14 syscall=195 success=no exit=-13 a0=20409ad8 a1=bfb6c120 a2=bfb6c120 a3=0 items=0 ppid=2435 pid=2436 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts6 ses=5 comm="kadmind" exe="/usr/kerberos/sbin/kadmind" subj=system_u:system_r:kadmind_t:s0-s15:c0.c1023 key=(null)


Running this through audit2allow and loading the module doesn't help
either...  What can I try next?

-- 
Robert Story
SPARTA
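Editor's note, added after the post above (this is an added triage example, not code from the poster or from the fedora-selinux-list): an AVC record does not say whether the kernel denied the access for lack of a type-enforcement allow rule or because of an mlsconstrain, and audit2allow only ever emits TE allow rules. So when a module built from the denials is loaded and the same denial comes back, the two usual causes are an object carrying a label that needs restoring (the unlabeled_t target on /var/tmp/kadmin_0 is the classic case; restorecon -v, with matchpathcon to see what the file contexts say it should be, is the fix rather than an allow rule on unlabeled_t) or an MLS constraint. In the Reference Policy's mls configuration, read-style access to file-like objects requires the subject's low level to dominate the object's level unless the domain carries an override attribute such as mlsfilereadtoclr; here the subject runs at s0-s15:c0.c1023, so its low level s0 does not dominate the object's s15:c0.c1023. The script below parses AVC lines, models MLS dominance, and sorts each denial into "relabel", "MLS constraint" or "plain TE" buckets. The sample records are copied from the post; the exact class list for the read constraint is an assumption to be checked against the installed policy's mls constraints (the mls file in the policy source, or seinfo --constrain with newer setools).

```python
"""Triage SELinux AVC denials when moving to an MLS policy.

Added example, not code from the original post. It parses AVC records,
splits the subject and target contexts into type and MLS range, and flags
what audit2allow cannot repair: unlabeled_t targets (relabel needed) and
read-class file denials where the subject's low level does not dominate
the object level (an mlsconstrain that no TE allow rule satisfies).
"""
import re

# Sample input copied from the post: the getattr denial on the unlabeled
# file and the name_bind denial on the reserved port.
SAMPLE_AVCS = [
    'type=AVC msg=audit(1219421464.372:719): avc:  denied  { getattr } for  pid=2436 '
    'comm="kadmind" path="/var/tmp/kadmin_0" dev=dm-5 ino=82064 '
    'scontext=system_u:system_r:kadmind_t:s0-s15:c0.c1023 '
    'tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=file',
    'type=AVC msg=audit(1219421464.369:718): avc:  denied  { name_bind } for  pid=2436 '
    'comm="kadmind" src=916 scontext=system_u:system_r:kadmind_t:s0-s15:c0.c1023 '
    'tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket',
]

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

# Permissions and object classes covered by the Reference Policy's "read"
# mlsconstrain on file-like objects. Assumption: verify the class list
# against the mls constraints of the policy actually installed.
MLS_READ_PERMS = {"read", "getattr", "execute"}
FILE_CLASSES = {"file", "lnk_file", "fifo_file", "dir", "chr_file", "blk_file", "sock_file"}


def parse_cats(spec):
    """'c0.c1023,c5' -> frozenset of category numbers (ranges expanded)."""
    cats = set()
    for part in spec.split(","):
        if "." in part:
            lo, hi = part.split(".")
            cats.update(range(int(lo[1:]), int(hi[1:]) + 1))
        else:
            cats.add(int(part[1:]))
    return frozenset(cats)


def parse_level(text):
    """'s15:c0.c1023' -> (15, {0..1023}); 's0' -> (0, empty set)."""
    if ":" in text:
        sens, cats = text.split(":", 1)
        return int(sens[1:]), parse_cats(cats)
    return int(text[1:]), frozenset()


def parse_range(text):
    """'s0-s15:c0.c1023' -> (low, high); a single level is its own high."""
    if "-" in text:
        low, high = text.split("-", 1)
        return parse_level(low), parse_level(high)
    level = parse_level(text)
    return level, level


def parse_context(ctx):
    """'user:role:type:range' -> dict with user, role, type, low and high levels."""
    user, role, type_, mls = ctx.split(":", 3)
    low, high = parse_range(mls)
    return {"user": user, "role": role, "type": type_, "low": low, "high": high}


def dominates(a, b):
    """MLS dominance: a's sensitivity >= b's and a's categories include all of b's."""
    return a[0] >= b[0] and a[1] >= b[1]


def format_level(level):
    """Render a parsed level back into s<N>[:cats] form for messages."""
    sens, cats = level
    if not cats:
        return "s%d" % sens
    lo, hi = min(cats), max(cats)
    if cats == frozenset(range(lo, hi + 1)):
        return "s%d:c%d.c%d" % (sens, lo, hi)
    return "s%d:" % sens + ",".join("c%d" % c for c in sorted(cats))


def triage(line):
    """Classify one AVC line; returns a list of (kind, message) findings."""
    m = AVC_RE.search(line)
    if not m:
        return []
    perms = set(m.group("perms").split())
    subj, obj, tclass = parse_context(m.group("scontext")), parse_context(m.group("tcontext")), m.group("tclass")
    findings = []
    if obj["type"] == "unlabeled_t":
        findings.append(("RELABEL", "target has no valid label: restorecon it, do not allow access to unlabeled_t"))
    if tclass in FILE_CLASSES and perms & MLS_READ_PERMS and not dominates(subj["low"], obj["low"]):
        findings.append(("MLS", "subject low level %s does not dominate object level %s: "
                         "an mlsconstrain denies this regardless of TE allow rules"
                         % (format_level(subj["low"]), format_level(obj["low"]))))
    if not findings:
        findings.append(("TE", "allow %s %s:%s { %s }; is the candidate fix"
                         % (subj["type"], obj["type"], tclass, " ".join(sorted(perms)))))
    return findings


if __name__ == "__main__":
    for avc in SAMPLE_AVCS:
        for kind, message in triage(avc):
            print("%-8s %s" % (kind, message))
```

Run it against the real log with something like `grep avc: /var/log/audit/audit.log | python avc_triage.py` after swapping the sample list for stdin; anything in the RELABEL bucket wants `restorecon -v` on the path, anything in the MLS bucket needs the constraint or the domain's MLS attributes looked at rather than another round of audit2allow.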