Description of problem:
Occasionally, after I restart a system that runs krb5kdc, krb5kdc fails to start. This seems to be caused by SELinux's targeted policy.

Version-Release number of selected component (if applicable):
krb5-server-1.4.3-4.1

How reproducible:
Sometimes

Steps to Reproduce:
1. Configure the system to run krb5kdc + SELinux targeted
2. Reboot

Actual results:
/var/log/krb5kdc.log says:
krb5kdc: Permission denied in replay cache code - while initializing KDC replay cache 'dfl:krb5kdc_rcache'

Expected results:
The Kerberos KDC should start.

Additional info:
I reported this bug previously, but it was lost when the Bugzilla database failed a few weeks ago.
Created attachment 131630: AVC log when trying to start krb5kdc with SELinux enforcing the targeted policy
Created attachment 131888: AVC log when trying to start krb5kdc with SELinux set as permissive
Fixed in selinux-policy-2.3.2-1.fc5
Selinux-policy-2.3.2-1.fc5 seems to fix this. The problem did not occur every time, so I am not sure. I've rebooted several times with no issues. I will close this bug and reopen it if I notice the problem in the future.
Selinux-policy-targeted-2.3.2-1 just demonstrated this issue.

With policy enforcing:
type=AVC msg=audit(1155324251.250:69): avc: denied { getattr } for pid=2537 comm="krb5kdc" name="krb5kdc_rcache" dev=hda2 ino=197127 scontext=root:system_r:krb5kdc_t:s0 tcontext=root:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1155324251.250:69): arch=40000003 syscall=195 success=no exit=-13 a0=9fba7b0 a1=bff14e18 a2=56eff4 a3=9fba7b0 items=1 pid=2537 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="krb5kdc" exe="/usr/kerberos/sbin/krb5kdc" subj=root:system_r:krb5kdc_t:s0
type=AVC_PATH msg=audit(1155324251.250:69): path="/var/tmp/krb5kdc_rcache"
type=CWD msg=audit(1155324251.250:69): cwd="/root"
type=PATH msg=audit(1155324251.250:69): item=0 name="/var/tmp/krb5kdc_rcache" inode=197127 dev=03:02 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=root:object_r:tmp_t:s0

With policy in permissive mode:
type=AVC msg=audit(1155324280.539:71): avc: denied { getattr } for pid=2554 comm="krb5kdc" name="krb5kdc_rcache" dev=hda2 ino=197127 scontext=root:system_r:krb5kdc_t:s0 tcontext=root:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1155324280.539:71): arch=40000003 syscall=195 success=yes exit=0 a0=924b7b0 a1=bfe787a8 a2=35fff4 a3=924b7b0 items=1 pid=2554 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty2 comm="krb5kdc" exe="/usr/kerberos/sbin/krb5kdc" subj=root:system_r:krb5kdc_t:s0
type=AVC_PATH msg=audit(1155324280.539:71): path="/var/tmp/krb5kdc_rcache"
type=CWD msg=audit(1155324280.539:71): cwd="/root"
type=PATH msg=audit(1155324280.539:71): item=0 name="/var/tmp/krb5kdc_rcache" inode=197127 dev=03:02 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=root:object_r:tmp_t:s0
type=AVC msg=audit(1155324280.539:72): avc: denied { read write } for pid=2554 comm="krb5kdc" name="krb5kdc_rcache" dev=hda2 ino=197127 scontext=root:system_r:krb5kdc_t:s0 tcontext=root:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1155324280.539:72): arch=40000003 syscall=5 success=yes exit=6 a0=924b7b0 a1=8002 a2=0 a3=8002 items=1 pid=2554 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty2 comm="krb5kdc" exe="/usr/kerberos/sbin/krb5kdc" subj=root:system_r:krb5kdc_t:s0
type=CWD msg=audit(1155324280.539:72): cwd="/root"
type=PATH msg=audit(1155324280.539:72): item=0 name="/var/tmp/krb5kdc_rcache" inode=197127 dev=03:02 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=root:object_r:tmp_t:s0
type=AVC msg=audit(1155324280.587:73): avc: denied { unlink } for pid=2554 comm="krb5kdc" name="krb5kdc_rcache" dev=hda2 ino=197127 scontext=root:system_r:krb5kdc_t:s0 tcontext=root:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1155324280.587:73): arch=40000003 syscall=38 success=yes exit=0 a0=924b880 a1=924b780 a2=f2a03c a3=924b82c items=2 pid=2554 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty2 comm="krb5kdc" exe="/usr/kerberos/sbin/krb5kdc" subj=root:system_r:krb5kdc_t:s0
type=CWD msg=audit(1155324280.587:73): cwd="/root"
type=PATH msg=audit(1155324280.587:73): item=0 name="/var/tmp/krb5_RC2554aaa" parent=196612 inode=197592 dev=03:02 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=root:object_r:krb5kdc_tmp_t:s0
type=PATH msg=audit(1155324280.587:73): item=1 name="/var/tmp/krb5kdc_rcache" parent=196612 inode=197127 dev=03:02 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=root:object_r:tmp_t:s0
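As an added example that is not part of this bug report, the Python below parses AVC and SYSCALL records like the ones quoted above, pairs them by audit serial, tells an enforced denial (success=no) from a permissive-mode one (success=yes), and flags krb5kdc_t denials on a file whose type is not krb5kdc_tmp_t, the type the policy comment later in this thread expects the cache file to carry. The sample input is copied from the report; the expected type is an assumption taken from that comment.

```python
import re
# Audit records copied from this bug report (enforcing-mode serial 69,
# permissive-mode serial 72), used here as constructed sample input.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1155324251.250:69): avc: denied { getattr } for pid=2537 comm="krb5kdc" name="krb5kdc_rcache" dev=hda2 ino=197127 scontext=root:system_r:krb5kdc_t:s0 tcontext=root:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1155324251.250:69): arch=40000003 syscall=195 success=no exit=-13 a0=9fba7b0 a1=bff14e18 a2=56eff4 a3=9fba7b0 items=1 pid=2537 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="krb5kdc" exe="/usr/kerberos/sbin/krb5kdc" subj=root:system_r:krb5kdc_t:s0
type=AVC msg=audit(1155324280.539:72): avc: denied { read write } for pid=2554 comm="krb5kdc" name="krb5kdc_rcache" dev=hda2 ino=197127 scontext=root:system_r:krb5kdc_t:s0 tcontext=root:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1155324280.539:72): arch=40000003 syscall=5 success=yes exit=6 a0=924b7b0 a1=8002 a2=0 a3=8002 items=1 pid=2554 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty2 comm="krb5kdc" exe="/usr/kerberos/sbin/krb5kdc" subj=root:system_r:krb5kdc_t:s0
"""

AVC_RE = re.compile(  # real audit output pads "avc:  denied  {" with two spaces
    r'type=AVC msg=audit\([\d.]+:(?P<serial>\d+)\): avc:\s+denied\s+\{ (?P<perms>[^}]+)\}'
    r'\s+for pid=(?P<pid>\d+) comm="(?P<comm>[^"]+)"(?: name="(?P<name>[^"]+)")?'
    r'.*?scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)')
SYSCALL_RE = re.compile(
    r'type=SYSCALL msg=audit\([\d.]+:(?P<serial>\d+)\):.*?success=(?P<success>yes|no)')

def se_type(context):  # user:role:type[:level]
    return context.split(':')[2]

def parse_audit(text):
    """Group AVC denials with their SYSCALL record by audit serial number."""
    denials = {}
    for line in text.splitlines():
        m = AVC_RE.match(line)
        if m:
            rec = m.groupdict()
            rec['perms'] = rec['perms'].split()
            rec['enforced'] = None  # unknown until the SYSCALL record is seen
            denials[rec['serial']] = rec
            continue
        m = SYSCALL_RE.match(line)
        if m and m.group('serial') in denials:
            # A denied AVC whose syscall still succeeded was logged in permissive mode.
            denials[m.group('serial')]['enforced'] = m.group('success') == 'no'
    return list(denials.values())

def rcache_label_problems(denials, expected_type='krb5kdc_tmp_t'):
    """Flag krb5kdc_t denials on files not carrying the policy's tmp type (assumed)."""
    findings = []
    for d in denials:
        if se_type(d['scontext']) != 'krb5kdc_t' or d['tclass'] != 'file':
            continue
        actual = se_type(d['tcontext'])
        if actual != expected_type:
            findings.append({'serial': d['serial'], 'name': d['name'], 'perms': d['perms'],
                             'actual_type': actual, 'expected_type': expected_type,
                             'mode': {True: 'enforcing', False: 'permissive'}.get(d['enforced'], 'unknown')})
    return findings
```

The full path of a flagged file is in the matching type=PATH record, which the parser does not need for the label check.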
The latest policy selinux-policy-2.3.7-1 and greater in FC5 and rawhide has these allow rules:
allow krb5kdc_t krb5kdc_tmp_t:dir create_dir_perms;
allow krb5kdc_t krb5kdc_tmp_t:file create_file_perms;
files_tmp_filetrans(krb5kdc_t, krb5kdc_tmp_t, { file dir })
which should handle this situation. You might need to relabel your cache file:
chcon -t krb5kdc_tmp_t /var/tmp/krb5_RC2554aaa
Okay, the policy now seems okay. However, should something change so that /var/tmp/krb5* does not end up with the wrong context? This happens somewhat frequently when the computer is restarted.
Is something in the init script clearing it on reboot? This file should not get the wrong context on reboot.
[root@golem tmp]# ls -lZ /var/tmp/
-rw------- root root root:object_r:tmp_t krb5kdc_rcache

The file does not have the right context right now. It does not appear that it is created with the right context. But, if I "/etc/init.d/krb5kdc restart," the context changes:

[root@golem tmp]# ls -lZ
-rw------- root root root:object_r:krb5kdc_tmp_t krb5kdc_rcache

I'm not yet clear what causes the context to be incorrect.
I set this bug to high because the krb5kdc process on a server may not come back up on reboot.
Have you run krb5kdc outside of the init scripts? This would cause it to run as unconfined_t and would cause the tmp_t problem.
No. Typically krb5kdc is started by the init scripts when I boot. The exception is when this bug causes its execution to fail. In this case I use /etc/init.d/krb5kdc start manually.
Well, I have no idea. Are you still seeing this file show up with the wrong label?
Should be fixed in the current release