Bug 672289

Summary: selinux blocks samba from creating /etc/krb5.keytab
Product: Red Hat Enterprise Linux 5
Reporter: Jeff Bastian <jbastian>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Ales Zelinka <azelinka>
Severity: medium
Priority: medium
Version: 5.5
CC: azelinka, dwalsh, nalin, ssorce
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: selinux-policy-2.4.6-301.el5
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2011-07-21 09:19:30 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Jeff Bastian 2011-01-24 17:55:56 UTC
Description of problem:
When a RHEL system is joined to a Windows 2003 Active Directory domain, SELinux blocks the 'net' command from creating a kerberos keytab.


Version-Release number of selected component (if applicable):
selinux-policy-2.4.6-279.el5
samba-3.0.33-3.29.el5_5.1

How reproducible:
every time

Steps to Reproduce:
1. Configure Samba for the Win2k3 AD domain
2. net ads join -U <username>
   net ads keytab create -U <username>
   net ads keytab add HTTP -U <username>
  
Actual results:
The 'net' command cannot create /etc/krb5.keytab.  The audit logs show:
type=AVC msg=audit(1292852817.321:31760): avc: denied { read } for pid=30079 comm="net" name="krb5.keytab" dev=dm-0 ino=361813 scontext=root:system_r:samba_net_t:s0-s0:c0.c1023 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=file
type=AVC msg=audit(1292852817.321:31761): avc: denied { lock } for pid=30079 comm="net" path="/etc/krb5.keytab" dev=dm-0 ino=361813 scontext=root:system_r:samba_net_t:s0-s0:c0.c1023 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=file
type=AVC msg=audit(1292852817.321:31762): avc: denied { write } for pid=30079 comm="net" name="krb5.keytab" dev=dm-0 ino=361813 scontext=root:system_r:samba_net_t:s0-s0:c0.c1023 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=file
type=AVC msg=audit(1292852817.329:31763): avc: denied { getattr } for pid=30079 comm="net" path="/etc/krb5.keytab" dev=dm-0 ino=361813 scontext=root:system_r:samba_net_t:s0-s0:c0.c1023 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=file
type=AVC msg=audit(1292852852.671:31764): avc: denied { add_name } for pid=30091 comm="net" name="krb5.keytab" scontext=root:system_r:samba_net_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir
type=AVC msg=audit(1292852852.671:31764): avc: denied { create } for pid=30091 comm="net" name="krb5.keytab" scontext=root:system_r:samba_net_t:s0-s0:c0.c1023 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=file 

Expected results:
The 'net' command can create a kerberos keytab file.

Additional info:
audit2allow then produces the following:

#============= samba_net_t ==============
allow samba_net_t etc_t:dir add_name;
allow samba_net_t krb5_keytab_t:file { read lock getattr write create };

Comment 2 Daniel Walsh 2011-01-24 18:16:41 UTC
Does samba net actually create the keytab file?

Comment 3 Jeff Bastian 2011-01-24 19:14:21 UTC
It tries but it fails to create the keytab:

[root@vm104 samba]# getenforce
Enforcing
[root@vm104 samba]# net ads keytab create -U Administrator
Administrator's password: 
[root@vm104 samba]# echo $?
2
[root@vm104 samba]# ls -l /etc/krb5.keytab
ls: /etc/krb5.keytab: No such file or directory


However, if I put it in Permissive mode, it succeeds:

[root@vm104 samba]# setenforce 0
[root@vm104 samba]# net ads keytab create -U Administrator
Administrator's password: 
[root@vm104 samba]# echo $?
0
[root@vm104 samba]# ls -l /etc/krb5.keytab
-rw------- 1 root root 644 Jan 24 14:12 /etc/krb5.keytab
[root@vm104 samba]# ls -lZ /etc/krb5.keytab 
-rw-------  root root system_u:object_r:krb5_keytab_t  /etc/krb5.keytab

Comment 5 Daniel Walsh 2011-01-24 21:06:58 UTC
Miroslav, the Rawhide policy now supports this. Can you backport it to RHEL5 and RHEL6?

Comment 6 Jeff Bastian 2011-01-24 21:56:03 UTC
In my testing, I needed a type_transition rule also in my module to create the keytab with krb5_keytab_t type instead of etc_t:

[root@vm104 keytab]# cat smbkeytab.te
policy_module(smbkeytab, 1.4)

require {
        type samba_net_t;
        type krb5_keytab_t;
        type etc_t;
        class dir { write add_name };
        class file { write getattr read lock create };
}

#============= samba_net_t ==============
allow samba_net_t etc_t:dir { write add_name };
allow samba_net_t krb5_keytab_t:file { read write create getattr lock };

type_transition samba_net_t etc_t:file krb5_keytab_t;



With this module, I was able to create a keytab with the net command:

[root@vm104 keytab]# rm /etc/krb5.keytab
[root@vm104 keytab]# net ads keytab create -U Administrator
Administrator's password: 
[root@vm104 keytab]# ls -lZ /etc/krb5.keytab
-rw-------  root root root:object_r:krb5_keytab_t      /etc/krb5.keytab
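The AVC lines in the description map onto the audit2allow output one type/class pair at a time, and comment 6 shows that audit2allow stops short of the type_transition needed for the new keytab to land as krb5_keytab_t rather than etc_t. The script below is an added example (not part of this bug report, and not audit2allow or any Red Hat tool): it parses the six AVC lines quoted above (embedded as constructed sample input), aggregates the denied permissions into allow rules the way audit2allow does, and then applies a heuristic of this example's own, that an add_name denial on a directory type paired with a create denial for the same file name on a different file type calls for an explicit type_transition. The function names (parse_avc, allow_rules, filetrans_rules, module_body) are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample input: the six AVC lines quoted in this bug report.
SAMPLE_AVCS = """\
type=AVC msg=audit(1292852817.321:31760): avc: denied { read } for pid=30079 comm="net" name="krb5.keytab" dev=dm-0 ino=361813 scontext=root:system_r:samba_net_t:s0-s0:c0.c1023 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=file
type=AVC msg=audit(1292852817.321:31761): avc: denied { lock } for pid=30079 comm="net" path="/etc/krb5.keytab" dev=dm-0 ino=361813 scontext=root:system_r:samba_net_t:s0-s0:c0.c1023 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=file
type=AVC msg=audit(1292852817.321:31762): avc: denied { write } for pid=30079 comm="net" name="krb5.keytab" dev=dm-0 ino=361813 scontext=root:system_r:samba_net_t:s0-s0:c0.c1023 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=file
type=AVC msg=audit(1292852817.329:31763): avc: denied { getattr } for pid=30079 comm="net" path="/etc/krb5.keytab" dev=dm-0 ino=361813 scontext=root:system_r:samba_net_t:s0-s0:c0.c1023 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=file
type=AVC msg=audit(1292852852.671:31764): avc: denied { add_name } for pid=30091 comm="net" name="krb5.keytab" scontext=root:system_r:samba_net_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir
type=AVC msg=audit(1292852852.671:31764): avc: denied { create } for pid=30091 comm="net" name="krb5.keytab" scontext=root:system_r:samba_net_t:s0-s0:c0.c1023 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=file
"""

# Pull the denied permission set, both security contexts and the object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r".*?scontext=(?P<scontext>\S+)"
    r"\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)"
)
# The object is reported either as name="..." (basename) or path="..." (full path).
NAME_RE = re.compile(r'\b(?:name|path)="([^"]*)"')


def parse_avc(line):
    """Return the fields of one AVC denial, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # A context is user:role:type[:range]; the third field is the SELinux type.
    stype = m["scontext"].split(":")[2]
    ttype = m["tcontext"].split(":")[2]
    name = NAME_RE.search(line)
    return {
        "perms": set(m["perms"].split()),
        "stype": stype,
        "ttype": ttype,
        "tclass": m["tclass"],
        # Reduce a path to its basename so name= and path= records compare equal.
        "name": name.group(1).rsplit("/", 1)[-1] if name else None,
    }


def aggregate(lines):
    """Collect the denied permissions per (source type, target type, class)."""
    agg = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d:
            agg[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    return agg


def allow_rules(lines):
    """Emit one allow rule per type/class pair, permissions sorted for stable output."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(aggregate(lines).items()):
        perms = sorted(perms)
        body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {body};")
    return rules


def filetrans_rules(lines):
    """Heuristic of this example (not an audit2allow feature): if a domain is denied
    add_name on a directory type and, for the same file name, create on a file type
    that differs from the directory's type, the new file only gets that type through a
    type_transition, so emit that rule alongside the allow rules."""
    dirs, files = set(), set()
    for line in lines:
        d = parse_avc(line)
        if not d:
            continue
        if d["tclass"] == "dir" and "add_name" in d["perms"]:
            dirs.add((d["stype"], d["name"], d["ttype"]))
        if d["tclass"] == "file" and "create" in d["perms"]:
            files.add((d["stype"], d["name"], d["ttype"]))
    rules = set()
    for stype, name, dtype in dirs:
        for fstype, fname, ftype in files:
            if (fstype, fname) == (stype, name) and ftype != dtype:
                rules.add(f"type_transition {stype} {dtype}:file {ftype};")
    return sorted(rules)


def module_body(lines):
    """Allow rules followed by any inferred type_transition rules."""
    return allow_rules(lines) + filetrans_rules(lines)


if __name__ == "__main__":
    for rule in module_body(SAMPLE_AVCS.splitlines()):
        print(rule)
```

Run on the sample above, module_body yields the two allow rules from the description's audit2allow output (with the permissions in sorted order) plus the type_transition samba_net_t etc_t:file krb5_keytab_t rule from comment 6. The permissions in the rules are exactly those the AVC records denied; reviewing each one against what the program legitimately needs, as Daniel Walsh does in comment 2, is still a manual step before any such module is loaded.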

Comment 7 Daniel Walsh 2011-01-24 22:02:12 UTC
Nice job.

The policy we added actually looks like

########################################
## <summary>
##	Create keytab file in /etc
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`kerberos_etc_filetrans_keytab',`
	gen_require(`
		type krb5_keytab_t;
	')

	allow $1 krb5_keytab_t:file manage_file_perms;
	files_etc_filetrans($1, krb5_keytab_t, file)
')

kerberos_etc_filetrans_keytab(samba_net_t)

Which matches the policy you wrote.

Comment 9 Miroslav Grepl 2011-03-01 17:08:58 UTC
Fixed in selinux-policy-2.4.6-301.el5

Comment 12 errata-xmlrpc 2011-07-21 09:19:30 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-1069.html

Comment 13 errata-xmlrpc 2011-07-21 11:50:25 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-1069.html