Bug 196952 - Kerberos KDC unable to "replay cache" with SELinux targeted
Summary: Kerberos KDC unable to "replay cache" with SELinux targeted
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: rawhide
Hardware: All
OS: Linux
medium
high
Target Milestone: ---
Assignee: Nalin Dahyabhai
QA Contact: Brian Brock
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2006-06-27 19:52 UTC by W. Michael Petullo
Modified: 2007-11-30 22:11 UTC (History)

Fixed In Version: Current
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-08-22 14:16:52 UTC
Type: ---
Embargoed:


Attachments
AVC log when trying to start krb5kdc with SELinux enforcing the targeted policy (814 bytes, application/octet-stream)
2006-06-27 19:54 UTC, W. Michael Petullo
AVC log when trying to start krb5kdc with SELinux set as permissive (6.55 KB, text/plain)
2006-07-03 20:30 UTC, W. Michael Petullo

Description W. Michael Petullo 2006-06-27 19:52:41 UTC
Description of problem:
Occasionally, after I restart a system that runs krb5kdc, krb5kdc fails to
start.  This seems to be caused by SELinux's targeted policy.

Version-Release number of selected component (if applicable):
krb5-server-1.4.3-4.1

How reproducible:
Sometimes

Steps to Reproduce:
1. Configure the system to run krb5kdc + SELinux targeted
2. Reboot
  
Actual results:
/var/log/krb5kdc.log says:

krb5kdc: Permission denied in replay cache code - while initializing KDC replay
cache 'dfl:krb5kdc_rcache'

Expected results:
The Kerberos KDC should start.

Additional info:
I reported this bug previously, but it was lost when the Bugzilla database
failed a few weeks ago.

Comment 1 W. Michael Petullo 2006-06-27 19:54:22 UTC
Created attachment 131630 [details]
AVC log when trying to start krb5kdc with SELinux enforcing the targeted policy

Comment 2 W. Michael Petullo 2006-07-03 20:30:41 UTC
Created attachment 131888 [details]
AVC log when trying to start krb5kdc with SELinux set as permissive

Comment 3 Daniel Walsh 2006-07-11 16:58:54 UTC
Fixed in selinux-policy-2.3.2-1.fc5


Comment 4 W. Michael Petullo 2006-07-11 20:13:59 UTC
Selinux-policy-2.3.2-1.fc5 seems to fix this.  The problem did not occur every
time, so I am not sure.  I've rebooted several times with no issues.  I will
close this bug and reopen it if I notice the problem in the future.

Comment 5 W. Michael Petullo 2006-08-13 21:09:43 UTC
Selinux-policy-targeted-2.3.2-1 just demonstrated this issue.

With policy enforcing:

type=AVC msg=audit(1155324251.250:69): avc:  denied  { getattr } for  pid=2537
comm="krb5kdc" name="krb5kdc_rcache" dev=hda2 ino=197127
scontext=root:system_r:krb5kdc_t:s0 tcontext=root:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1155324251.250:69): arch=40000003 syscall=195 success=no
exit=-13 a0=9fba7b0 a1=bff14e18 a2=56eff4 a3=9fba7b0 items=1 pid=2537 auid=0
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
comm="krb5kdc" exe="/usr/kerberos/sbin/krb5kdc" subj=root:system_r:krb5kdc_t:s0
type=AVC_PATH msg=audit(1155324251.250:69):  path="/var/tmp/krb5kdc_rcache"
type=CWD msg=audit(1155324251.250:69):  cwd="/root"
type=PATH msg=audit(1155324251.250:69): item=0 name="/var/tmp/krb5kdc_rcache"
inode=197127 dev=03:02 mode=0100600 ouid=0 ogid=0 rdev=00:00
obj=root:object_r:tmp_t:s0

With policy in permissive mode:

type=AVC msg=audit(1155324280.539:71): avc:  denied  { getattr } for  pid=2554
comm="krb5kdc" name="krb5kdc_rcache" dev=hda2 ino=197127
scontext=root:system_r:krb5kdc_t:s0 tcontext=root:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1155324280.539:71): arch=40000003 syscall=195 success=yes
exit=0 a0=924b7b0 a1=bfe787a8 a2=35fff4 a3=924b7b0 items=1 pid=2554 auid=0 uid=0
gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty2 comm="krb5kdc"
exe="/usr/kerberos/sbin/krb5kdc" subj=root:system_r:krb5kdc_t:s0
type=AVC_PATH msg=audit(1155324280.539:71):  path="/var/tmp/krb5kdc_rcache"
type=CWD msg=audit(1155324280.539:71):  cwd="/root"
type=PATH msg=audit(1155324280.539:71): item=0 name="/var/tmp/krb5kdc_rcache"
inode=197127 dev=03:02 mode=0100600 ouid=0 ogid=0 rdev=00:00
obj=root:object_r:tmp_t:s0
type=AVC msg=audit(1155324280.539:72): avc:  denied  { read write } for 
pid=2554 comm="krb5kdc" name="krb5kdc_rcache" dev=hda2 ino=197127
scontext=root:system_r:krb5kdc_t:s0 tcontext=root:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1155324280.539:72): arch=40000003 syscall=5 success=yes
exit=6 a0=924b7b0 a1=8002 a2=0 a3=8002 items=1 pid=2554 auid=0 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty2 comm="krb5kdc"
exe="/usr/kerberos/sbin/krb5kdc" subj=root:system_r:krb5kdc_t:s0
type=CWD msg=audit(1155324280.539:72):  cwd="/root"
type=PATH msg=audit(1155324280.539:72): item=0 name="/var/tmp/krb5kdc_rcache"
inode=197127 dev=03:02 mode=0100600 ouid=0 ogid=0 rdev=00:00
obj=root:object_r:tmp_t:s0
type=AVC msg=audit(1155324280.587:73): avc:  denied  { unlink } for  pid=2554
comm="krb5kdc" name="krb5kdc_rcache" dev=hda2 ino=197127
scontext=root:system_r:krb5kdc_t:s0 tcontext=root:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1155324280.587:73): arch=40000003 syscall=38 success=yes
exit=0 a0=924b880 a1=924b780 a2=f2a03c a3=924b82c items=2 pid=2554 auid=0 uid=0
gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty2 comm="krb5kdc"
exe="/usr/kerberos/sbin/krb5kdc" subj=root:system_r:krb5kdc_t:s0
type=CWD msg=audit(1155324280.587:73):  cwd="/root"
type=PATH msg=audit(1155324280.587:73): item=0 name="/var/tmp/krb5_RC2554aaa"
parent=196612 inode=197592 dev=03:02 mode=0100600 ouid=0 ogid=0 rdev=00:00
obj=root:object_r:krb5kdc_tmp_t:s0
type=PATH msg=audit(1155324280.587:73): item=1 name="/var/tmp/krb5kdc_rcache"
parent=196612 inode=197127 dev=03:02 mode=0100600 ouid=0 ogid=0 rdev=00:00
obj=root:object_r:tmp_t:s0

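The records above are much easier to triage once the AVC, SYSCALL and PATH lines of each event are correlated by their audit serial number. The script below is an added example and is not code from this report or from the selinux-policy or krb5 projects. It parses auditd records, joins them by serial, pulls the type field out of the source and target contexts, and flags every denial in which krb5kdc_t touched a file that is not labelled krb5kdc_tmp_t, distinguishing enforced denials (success=no) from permissive ones. The sample input is the set of records from Comment 5 above, re-joined onto one line per record and trimmed to the fields the parser uses; the function names and the relabel-command helper are the example's own.

```python
import re
import shlex

# Audit records from Comment 5 above, re-joined onto one line per record
# (auditd writes each record on a single line; the bug report wrapped them)
# and trimmed to the fields this parser uses. Serial 69 was logged in
# enforcing mode, serial 72 in permissive mode.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1155324251.250:69): avc:  denied  { getattr } for  pid=2537 comm="krb5kdc" name="krb5kdc_rcache" dev=hda2 ino=197127 scontext=root:system_r:krb5kdc_t:s0 tcontext=root:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1155324251.250:69): arch=40000003 syscall=195 success=no exit=-13 pid=2537 uid=0 comm="krb5kdc" exe="/usr/kerberos/sbin/krb5kdc" subj=root:system_r:krb5kdc_t:s0
type=PATH msg=audit(1155324251.250:69): item=0 name="/var/tmp/krb5kdc_rcache" inode=197127 dev=03:02 mode=0100600 ouid=0 ogid=0 obj=root:object_r:tmp_t:s0
type=AVC msg=audit(1155324280.539:72): avc:  denied  { read write } for  pid=2554 comm="krb5kdc" name="krb5kdc_rcache" dev=hda2 ino=197127 scontext=root:system_r:krb5kdc_t:s0 tcontext=root:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1155324280.539:72): arch=40000003 syscall=5 success=yes exit=6 pid=2554 uid=0 comm="krb5kdc" exe="/usr/kerberos/sbin/krb5kdc" subj=root:system_r:krb5kdc_t:s0
type=PATH msg=audit(1155324280.539:72): item=0 name="/var/tmp/krb5kdc_rcache" inode=197127 dev=03:02 mode=0100600 ouid=0 ogid=0 obj=root:object_r:tmp_t:s0
"""

RECORD_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$")
AVC_RE = re.compile(r"^avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(text):
    """key=value pairs as auditd prints them; quoted values lose their quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}


def context_type(ctx):
    """root:system_r:krb5kdc_t:s0 -> krb5kdc_t (user:role:type[:range])."""
    return ctx.split(":")[2]


def parse_audit(text):
    """Group AVC, SYSCALL and PATH records by audit serial into one event each.

    Assumes one AVC record per serial, which holds for the records above; a
    syscall that triggers several AVCs would need a list of denials instead.
    """
    events = {}
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        ev = events.setdefault(m["serial"], {"serial": int(m["serial"]), "ts": float(m["ts"]),
                                             "perms": set(), "paths": []})
        body = m["body"]
        if m["type"] == "AVC":
            a = AVC_RE.match(body)
            if not a or a["result"] != "denied":
                continue
            f = parse_kv(a["fields"])
            ev["perms"].update(a["perms"].split())
            ev["comm"] = f.get("comm")
            ev["name"] = f.get("name")
            ev["stype"] = context_type(f["scontext"])
            ev["ttype"] = context_type(f["tcontext"])
            ev["tclass"] = f["tclass"]
        elif m["type"] == "SYSCALL":
            # success=no: the denial was enforced. success=yes together with
            # an AVC denial means the system was in permissive mode.
            ev["blocked"] = parse_kv(body).get("success") == "no"
        elif m["type"] == "PATH":
            f = parse_kv(body)
            ev["paths"].append((f.get("name"), f.get("obj")))
    return events


def find_label_mismatches(events, domain, expected_type):
    """Denials where `domain` touched a file not labelled `expected_type`:
    the signature of a replay cache created under the wrong context."""
    hits = []
    for ev in sorted(events.values(), key=lambda e: e["serial"]):
        if ev.get("stype") != domain or ev.get("tclass") != "file":
            continue
        if ev.get("ttype") == expected_type:
            continue
        path = next((p for p, _ in ev["paths"] if p), ev.get("name"))
        hits.append({"serial": ev["serial"], "path": path, "actual_type": ev["ttype"],
                     "perms": sorted(ev["perms"]), "blocked": ev.get("blocked", False)})
    return hits


def relabel_command(path, expected_type):
    """The one-off fix suggested in Comment 6 (chcon); it does not survive a
    full relabel unless file_contexts also knows the path."""
    return f"chcon -t {expected_type} {shlex.quote(path)}"


if __name__ == "__main__":
    evs = parse_audit(SAMPLE_AUDIT)
    for hit in find_label_mismatches(evs, "krb5kdc_t", "krb5kdc_tmp_t"):
        mode = "enforced" if hit["blocked"] else "permissive"
        print(f"serial {hit['serial']}: {hit['path']} is {hit['actual_type']}, "
              f"denied {{ {' '.join(hit['perms'])} }} ({mode})")
        print("  fix:", relabel_command(hit["path"], "krb5kdc_tmp_t"))
```

On a live system the same records can be fed in from `ausearch -m AVC -c krb5kdc` (assuming the audit userspace tools are installed) instead of the embedded sample. The check is deliberately keyed on the target type rather than on the path: the permissive-mode trace in Comment 5 shows the KDC also unlinking and renaming a `krb5_RC*` temporary file, and any of those names can carry the wrong label.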

Comment 6 Daniel Walsh 2006-08-28 18:23:19 UTC
The latest policy selinux-policy-2.3.7-1 and greater in FC5 and rawhide has
these allow rules

allow krb5kdc_t krb5kdc_tmp_t:dir create_dir_perms;
allow krb5kdc_t krb5kdc_tmp_t:file create_file_perms;
files_tmp_filetrans(krb5kdc_t, krb5kdc_tmp_t, { file dir })

Which should handle this situation.

You might need to relabel your cache file
chcon -t krb5kdc_tmp_t /var/tmp/krb5_RC2554aaa

Comment 7 W. Michael Petullo 2006-11-28 01:34:21 UTC
Okay, the policy now seems okay.  However, should something change so that
/var/tmp/krb5* does not end up with the wrong context?  This happens somewhat
frequently when the computer is restarted.

Comment 8 Daniel Walsh 2006-11-28 11:47:41 UTC
Is something in the init script clearing it on reboot?    This file should not
get the wrong context on reboot.

Comment 9 W. Michael Petullo 2006-11-29 00:11:47 UTC
[root@golem tmp]# ls -lZ /var/tmp/
-rw-------  root root root:object_r:tmp_t              krb5kdc_rcache

The file does not have the right context right now.  It does not appear that it
is created with the right context.  But, if I "/etc/init.d/krb5kdc restart," the
context changes:

[root@golem tmp]# ls -lZ
-rw-------  root root root:object_r:krb5kdc_tmp_t      krb5kdc_rcache

I'm not yet clear what causes the context to be incorrect.

Comment 10 W. Michael Petullo 2007-01-29 00:21:02 UTC
I set this bug to high because the krb5kdc process on a server may not come back
up on reboot.

Comment 11 Daniel Walsh 2007-02-01 21:04:27 UTC
Have you run krb5kdc outside of the init scripts?  This would cause it to
run as unconfined_t and would cause the tmp_t problem.

Comment 12 W. Michael Petullo 2007-02-01 23:54:47 UTC
No.  Typically krb5kdc is started by the init scripts when I boot.  The
exception is when this bug causes its execution to fail.  In this case I use
/etc/init.d/krb5kdc start manually.

Comment 13 Daniel Walsh 2007-02-06 14:09:34 UTC
Well, I have no idea.  Are you still seeing this file show up with the wrong label?

Comment 14 Daniel Walsh 2007-08-22 14:16:52 UTC
Should be fixed in the current release


