Bug 672289
Summary: | selinux blocks samba from creating /etc/krb5.keytab | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 5 | Reporter: | Jeff Bastian <jbastian> |
Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
Status: | CLOSED ERRATA | QA Contact: | Ales Zelinka <azelinka> |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | 5.5 | CC: | azelinka, dwalsh, nalin, ssorce |
Target Milestone: | rc | ||
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | selinux-policy-2.4.6-301.el5 | Doc Type: | Bug Fix |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2011-07-21 09:19:30 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Jeff Bastian
2011-01-24 17:55:56 UTC
Does samba net actually create the keytab file? It tries but it fails to create the keytab: [root@vm104 samba]# getenforce Enforcing [root@vm104 samba]# net ads keytab create -U Administrator Administrator's password: [root@vm104 samba]# echo $? 2 [root@vm104 samba]# ls -l /etc/krb5.keytab ls: /etc/krb5.keytab: No such file or directory However, if I put it in Permissive mode, it succeeds: [root@vm104 samba]# setenforce 0 [root@vm104 samba]# net ads keytab create -U Administrator Administrator's password: [root@vm104 samba]# echo $? 0 [root@vm104 samba]# ls -l /etc/krb5.keytab -rw------- 1 root root 644 Jan 24 14:12 /etc/krb5.keytab [root@vm104 samba]# ls -lZ /etc/krb5.keytab -rw------- root root system_u:object_r:krb5_keytab_t /etc/krb5.keytab Miroslav the Rawhide policy now supports this. Can you back port it to RHEL5 and RHEL6. In my testing, I needed a type_transition rule also in my module to create the keytab with krb5_keytab_t type instead of etc_t: [root@vm104 keytab]# cat smbkeytab.te policy_module(smbkeytab, 1.4) require { type samba_net_t; type krb5_keytab_t; type etc_t; class dir { write add_name }; class file { write getattr read lock create }; } #============= samba_net_t ============== allow samba_net_t etc_t:dir { write add_name }; allow samba_net_t krb5_keytab_t:file { read write create getattr lock }; type_transition samba_net_t etc_t:file krb5_keytab_t; With this module, I was able to create a keytab with the net command: [root@vm104 keytab]# rm /etc/krb5.keytab [root@vm104 keytab]# net ads keytab create -U Administrator Administrator's password: [root@vm104 keytab]# ls -lZ /etc/krb5.keytab -rw------- root root root:object_r:krb5_keytab_t /etc/krb5.keytab Nice job. The policy we added actually looks like ######################################## ## <summary> ## Create keytab file in /etc ## </summary> ## <param name="domain"> ## <summary> ## Domain allowed access. ## </summary> ## </param> # interface(`kerberos_etc_filetrans_keytab',` gen_require(` type krb5_keytab_t; ') allow $1 krb5_keytab_t:file manage_file_perms; files_etc_filetrans($1, krb5_keytab_t, file) ') kerberos_etc_filetrans_keytab(samba_net_t) Which matches the policy you wrote. Fixed in selinux-policy-2.4.6-301.el5 An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on therefore solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2011-1069.html An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on therefore solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2011-1069.html |