Bug 858872
Field | Value
---|---
Summary: | KDC incremental propagation fails when iprop_full_resync is attempted by kadmind
Product: | Red Hat Enterprise Linux 6
Reporter: | Karl Grose <karlgrose>
Component: | selinux-policy
Assignee: | Miroslav Grepl <mgrepl>
Status: | CLOSED NEXTRELEASE
QA Contact: | BaseOS QE Security Team <qe-baseos-security>
Severity: | medium
Docs Contact: |
Priority: | unspecified
Version: | 6.3
CC: | dpal, dwalsh, jplans
Target Milestone: | rc
Target Release: | ---
Hardware: | x86_64
OS: | Unspecified
Whiteboard: |
Fixed In Version: |
Doc Type: | Bug Fix
Doc Text: |
Story Points: | ---
Clone Of: |
Environment: |
Last Closed: | 2013-10-02 21:06:36 UTC
Type: | Bug
Regression: | ---
Mount Type: | ---
Documentation: | ---
CRM: |
Verified Versions: |
Category: | ---
oVirt Team: | ---
RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | ---
Target Upstream Version: |
Embargoed: |
Attachments: |
Description
Karl Grose
2012-09-19 21:19:18 UTC
Do you have the audit log messages which were produced when you did this? Some of the additions made in your module are probably specific to your use of port 755, while I expect that the policy changes would want to be parameterized around a named port type (akin to the kerberos_admin_port_t and kprop_port_t which already exist), to which 755/tcp could be added.

Created attachment 615516 [details]
audit.log events related to kadmind

audit log events used to create policy with audit2allow

Thanks for those - kprop, which historically was run from a shell or a cron job, and which therefore could do things like establish network connections and use keytabs without issue, is being invoked by kadmind here, and the SELinux domain in which kadmind runs has not previously been allowed to do most of these things. I don't have a problem allowing these.

These seem weird:

allow kadmind_t dhcpd_port_t:tcp_socket name_bind;
allow kadmind_t hi_reserved_port_t:tcp_socket name_bind;

Is kadmind picking out random ports to bind to?

This request was not resolved in time for the current release. Red Hat invites you to ask your support representative to propose this request, if still desired, for consideration in the next release of Red Hat Enterprise Linux.

Karl, could you test how it looks with the latest policy

http://people.redhat.com/dwalsh/SELinux/RHEL6/noarch/

(In reply to comment #7)
> could you test how it looks with the latest policy
>
> http://people.redhat.com/dwalsh/SELinux/RHEL6/noarch/

This new policy does indeed look to resolve my issue. The full resync propagation was triggered and was allowed to complete without error.

--Karl
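An added triage script for the port-bind denials discussed in the thread; it is not from the bug report or the selinux-policy project. It assumes, as the report does, that port 755/tcp is the kprop port and that kprop_port_t is the named type it should carry, and the audit records it parses are constructed:

```shell
#!/bin/sh
# Added example, not code from the bug report or the selinux-policy project.
# Triage AVC denials for kadmind's port binds/connects: print which permission,
# port and SELinux port type each denial involves, and for binds to a generic
# catch-all port type suggest labelling the port with a named type (assumed
# here: kprop_port_t) instead of granting kadmind_t name_bind on the generic type.

# Constructed sample audit.log records; port 755 follows the report, the
# timestamps, pids and serial numbers are illustrative.
SAMPLE_AVC='type=AVC msg=audit(1348089600.123:4501): avc:  denied  { name_bind } for  pid=2101 comm="kadmind" src=755 scontext=system_u:system_r:kadmind_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1348089600.456:4502): avc:  denied  { name_bind } for  pid=2101 comm="kadmind" src=547 scontext=system_u:system_r:kadmind_t:s0 tcontext=system_u:object_r:dhcpd_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1348089600.789:4503): avc:  denied  { read } for  pid=2101 comm="kadmind" name="kadm5.keytab" scontext=system_u:system_r:kadmind_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=file'

# avc_port_report DOMAIN: read AVC lines on stdin; for each name_bind or
# name_connect denial whose source domain is DOMAIN, print "perm port port_type".
avc_port_report() {
    awk -v dom="${1:-kadmind_t}" '
        /denied/ && $0 ~ ("scontext=[^ ]*:" dom ":") {
            perm = ""; port = ""; ptype = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "name_bind" || $i == "name_connect") perm = $i
                if ($i ~ /^(src|dest)=/) { split($i, kv, "="); port = kv[2] }
                if ($i ~ /^tcontext=/) { split($i, c, ":"); ptype = c[3] }
            }
            if (perm != "" && port != "") print perm, port, ptype
        }'
}

# suggest_port_label PORT TYPE: a bind to a catch-all type means the port has no
# label of its own, so give it one; a bind to another service's named type needs
# a look at why kadmind/kprop is using that port before any policy change.
suggest_port_label() {
    case "$2" in
        hi_reserved_port_t|reserved_port_t|unreserved_port_t)
            echo "semanage port -a -t kprop_port_t -p tcp $1" ;;
        *)
            echo "port $1 is already labelled $2: check why kadmind uses it" ;;
    esac
}

printf '%s\n' "$SAMPLE_AVC" | avc_port_report kadmind_t |
while read -r perm port ptype; do
    echo "$perm $port $ptype -> $(suggest_port_label "$port" "$ptype")"
done
```

On a real host, feed it `ausearch -m AVC -c kadmind --raw` output instead of the constructed sample.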