Bug 167287

Summary: Kerberos authentication cannot be used with FreeRADIUS due to SELinux
Product: [Fedora] Fedora
Component: selinux-policy-targeted
Version: 4
Hardware: x86_64
OS: Linux
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: medium
Reporter: Joachim Selke <mail>
Assignee: Thomas Woerner <twoerner>
Fixed In Version: FC5
Doc Type: Bug Fix
Last Closed: 2006-09-22 02:16:47 UTC

Description Joachim Selke 2005-09-01 11:29:17 UTC
Description of problem:
To use Kerberos authentication with FreeRADIUS the FreeRADIUS module krb5 can be
used (in /etc/raddb/radiusd.conf). This module needs access to /etc/krb5.conf
which is denied by SELinux.

All files have been relabeled before, so every security context should be
correct (selinux-policy-targeted.noarch-1.25.4-10).

When starting FreeRADIUS there are the following messages in
/var/log/audit/audit.log:

type=AVC msg=audit(1125573605.065:755): avc:  denied  { getattr } for  pid=11155 comm="radiusd" name="krb5.conf" dev=sda3 ino=328743 scontext=root:system_r:radiusd_t tcontext=system_u:object_r:krb5_conf_t tclass=file
type=SYSCALL msg=audit(1125573605.065:755): arch=c000003e syscall=4 success=no exit=-13 a0=55555577f0f8 a1=7fffffc92cd0 a2=7fffffc92cd0 a3=2aaaabb26000 items=1 pid=11155 auid=0 uid=95 gid=95 euid=95 suid=95 fsuid=95 egid=95 sgid=95 fsgid=95 comm="radiusd" exe="/usr/sbin/radiusd"
type=AVC_PATH msg=audit(1125573605.065:755):  path="/etc/krb5.conf"
type=CWD msg=audit(1125573605.065:755):  cwd="/"
type=PATH msg=audit(1125573605.065:755): item=0 name="/etc/krb5.conf" flags=1 inode=328743 dev=08:03 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1125573605.065:756): avc:  denied  { getattr } for  pid=11155 comm="radiusd" name="krb5.conf" dev=sda3 ino=328743 scontext=root:system_r:radiusd_t tcontext=system_u:object_r:krb5_conf_t tclass=file
type=SYSCALL msg=audit(1125573605.065:756): arch=c000003e syscall=4 success=no exit=-13 a0=55555577f0f8 a1=7fffffc92cd0 a2=7fffffc92cd0 a3=4 items=1 pid=11155 auid=0 uid=95 gid=95 euid=95 suid=95 fsuid=95 egid=95 sgid=95 fsgid=95 comm="radiusd" exe="/usr/sbin/radiusd"
type=AVC_PATH msg=audit(1125573605.065:756):  path="/etc/krb5.conf"
type=CWD msg=audit(1125573605.065:756):  cwd="/"
type=PATH msg=audit(1125573605.065:756): item=0 name="/etc/krb5.conf" flags=1 inode=328743 dev=08:03 mode=0100644 ouid=0 ogid=0 rdev=00:00


Version-Release number of selected component (if applicable):
freeradius.x86_64-1.0.4-1.FC4.1


How reproducible:
Every time.


Steps to Reproduce:
1. service radiusd start

  
Actual results:
start of service succeeds, but the krb5 module is not working


Expected results:
krb5 module is working, because it has access to the Kerberos configuration in
/etc/krb5.conf
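
One way to triage denials like those in the description, as an added example that is not part of the original report or of Fedora's policy tooling: it rejoins audit records that were hard-wrapped when pasted, correlates AVC and AVC_PATH records by event serial, and renders the denied access as a candidate rule for review. The function names are illustrative, and the sample input is trimmed from the log in the description.

```python
import re
from collections import defaultdict

# Sample input trimmed from the report's audit.log excerpt, hard-wrapped at 80 columns.
SAMPLE = """\
type=AVC msg=audit(1125573605.065:755): avc:  denied  { getattr } for  pid=11155
comm="radiusd" name="krb5.conf" dev=sda3 ino=328743
scontext=root:system_r:radiusd_t tcontext=system_u:object_r:krb5_conf_t tclass=file
type=AVC_PATH msg=audit(1125573605.065:755):  path="/etc/krb5.conf"
type=AVC msg=audit(1125573605.065:756): avc:  denied  { getattr } for  pid=11155
comm="radiusd" name="krb5.conf" dev=sda3 ino=328743
scontext=root:system_r:radiusd_t tcontext=system_u:object_r:krb5_conf_t tclass=file
"""

HEAD = re.compile(r"type=(\w+) msg=audit\([\d.]+:(\d+)\):")
AVC = re.compile(r"denied\s+\{([^}]*)\}.*?scontext=(\S+) tcontext=(\S+) tclass=(\S+)")
PATH = re.compile(r'path="([^"]*)"')

def unwrap(text):
    """Rejoin hard-wrapped records; every audit record starts with 'type='."""
    records = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.startswith("type=") or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def summarize(text):
    """Group denials by (source type, target type, class); attach paths by event serial."""
    recs = [(HEAD.match(r), r) for r in unwrap(text)]
    recs = [(h.group(1), h.group(2), r) for h, r in recs if h]
    paths = {s: PATH.search(r).group(1) for t, s, r in recs if t == "AVC_PATH" and PATH.search(r)}
    out = defaultdict(lambda: {"perms": set(), "paths": set(), "events": 0})
    for rtype, serial, rec in recs:
        m = AVC.search(rec) if rtype == "AVC" else None
        if m:
            perms, scon, tcon, tclass = m.groups()
            entry = out[(scon.split(":")[2], tcon.split(":")[2], tclass)]  # user:role:type
            entry["perms"].update(perms.split())
            entry["events"] += 1
            if serial in paths:
                entry["paths"].add(paths[serial])
    return dict(out)

def candidate_rules(summary):
    """Render each group as an allow rule to review, not to load unexamined."""
    def fmt(p):
        return p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
    return [f"allow {s} {t}:{c} {fmt(sorted(e['perms']))};" for (s, t, c), e in sorted(summary.items())]
```

Calling `candidate_rules(summarize(SAMPLE))` collapses the two events into a single rule for the `radiusd_t` to `krb5_conf_t` access.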

Comment 1 Daniel Walsh 2005-11-03 19:06:33 UTC
Fixed in selinux-policy-targeted.noarch-1.25.4-13

Comment 2 Joachim Selke 2005-11-05 18:31:44 UTC
I use selinux-policy-targeted-1.27.1-2.11 and the problem (exactly as mentioned
above) is still there. A reboot (with autorelabel) does not change this.

Comment 3 Joachim Selke 2005-11-28 20:19:35 UTC
The bug is fixed in selinux-policy-targeted-1.27.1-2.14. Thanks.

Comment 4 Bill Nottingham 2006-09-22 02:16:47 UTC
Closing bugs in MODIFIED state from prior Fedora releases. If this bug persists
in a current Fedora release (such as Fedora Core 5 or later), please reopen and
set the version appropriately.