Bug 196952 - Kerberos KDC unable to "replay cache" with SELinux targeted
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: rawhide
Hardware/OS: All / Linux
Priority: medium
Severity: high
Assigned To: Nalin Dahyabhai
QA Contact: Brian Brock
Keywords: Reopened
Reported: 2006-06-27 15:52 EDT by W. Michael Petullo
Modified: 2007-11-30 17:11 EST
Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2007-08-22 10:16:52 EDT

Attachments:
AVC log when trying to start krb5kdc with SELinux enforcing the targeted policy (814 bytes, application/octet-stream), 2006-06-27 15:54 EDT, W. Michael Petullo
AVC log when trying to start krb5kdc with SELinux set as permissive (6.55 KB, text/plain), 2006-07-03 16:30 EDT, W. Michael Petullo

Description W. Michael Petullo 2006-06-27 15:52:41 EDT
Description of problem:
Occasionally, after I restart a system that runs krb5kdc, krb5kdc fails to
start.  This seems to be caused by SELinux's targeted policy.

Version-Release number of selected component (if applicable):
krb5-server-1.4.3-4.1

How reproducible:
Sometimes

Steps to Reproduce:
1. Configure the system to run krb5kdc + SELinux targeted
2. Reboot
  
Actual results:
/var/log/krb5kdc.log says:

krb5kdc: Permission denied in replay cache code - while initializing KDC replay
cache 'dfl:krb5kdc_rcache'

Expected results:
The Kerberos KDC should start.

Additional info:
I reported this bug previously, but it was lost when the Bugzilla database
failed a few weeks ago.
Comment 1 W. Michael Petullo 2006-06-27 15:54:22 EDT
Created attachment 131630 [details]
AVC log when trying to start krb5kdc with SELinux enforcing the targeted policy
Comment 2 W. Michael Petullo 2006-07-03 16:30:41 EDT
Created attachment 131888 [details]
AVC log when trying to start krb5kdc with SELinux set as permissive
Comment 3 Daniel Walsh 2006-07-11 12:58:54 EDT
Fixed in selinux-policy-2.3.2-1.fc5
Comment 4 W. Michael Petullo 2006-07-11 16:13:59 EDT
Selinux-policy-2.3.2-1.fc5 seems to fix this.  The problem did not occur every
time, so I am not sure.  I've rebooted several times with no issues.  I will
close this bug and reopen it if I notice the problem in the future.
Comment 5 W. Michael Petullo 2006-08-13 17:09:43 EDT
Selinux-policy-targeted-2.3.2-1 just demonstrated this issue.

With policy enforcing:

type=AVC msg=audit(1155324251.250:69): avc:  denied  { getattr } for  pid=2537
comm="krb5kdc" name="krb5kdc_rcache" dev=hda2 ino=197127
scontext=root:system_r:krb5kdc_t:s0 tcontext=root:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1155324251.250:69): arch=40000003 syscall=195 success=no
exit=-13 a0=9fba7b0 a1=bff14e18 a2=56eff4 a3=9fba7b0 items=1 pid=2537 auid=0
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
comm="krb5kdc" exe="/usr/kerberos/sbin/krb5kdc" subj=root:system_r:krb5kdc_t:s0
type=AVC_PATH msg=audit(1155324251.250:69):  path="/var/tmp/krb5kdc_rcache"
type=CWD msg=audit(1155324251.250:69):  cwd="/root"
type=PATH msg=audit(1155324251.250:69): item=0 name="/var/tmp/krb5kdc_rcache"
inode=197127 dev=03:02 mode=0100600 ouid=0 ogid=0 rdev=00:00
obj=root:object_r:tmp_t:s0

With policy in permissive mode:

type=AVC msg=audit(1155324280.539:71): avc:  denied  { getattr } for  pid=2554
comm="krb5kdc" name="krb5kdc_rcache" dev=hda2 ino=197127
scontext=root:system_r:krb5kdc_t:s0 tcontext=root:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1155324280.539:71): arch=40000003 syscall=195 success=yes
exit=0 a0=924b7b0 a1=bfe787a8 a2=35fff4 a3=924b7b0 items=1 pid=2554 auid=0 uid=0
gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty2 comm="krb5kdc"
exe="/usr/kerberos/sbin/krb5kdc" subj=root:system_r:krb5kdc_t:s0
type=AVC_PATH msg=audit(1155324280.539:71):  path="/var/tmp/krb5kdc_rcache"
type=CWD msg=audit(1155324280.539:71):  cwd="/root"
type=PATH msg=audit(1155324280.539:71): item=0 name="/var/tmp/krb5kdc_rcache"
inode=197127 dev=03:02 mode=0100600 ouid=0 ogid=0 rdev=00:00
obj=root:object_r:tmp_t:s0
type=AVC msg=audit(1155324280.539:72): avc:  denied  { read write } for 
pid=2554 comm="krb5kdc" name="krb5kdc_rcache" dev=hda2 ino=197127
scontext=root:system_r:krb5kdc_t:s0 tcontext=root:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1155324280.539:72): arch=40000003 syscall=5 success=yes
exit=6 a0=924b7b0 a1=8002 a2=0 a3=8002 items=1 pid=2554 auid=0 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty2 comm="krb5kdc"
exe="/usr/kerberos/sbin/krb5kdc" subj=root:system_r:krb5kdc_t:s0
type=CWD msg=audit(1155324280.539:72):  cwd="/root"
type=PATH msg=audit(1155324280.539:72): item=0 name="/var/tmp/krb5kdc_rcache"
inode=197127 dev=03:02 mode=0100600 ouid=0 ogid=0 rdev=00:00
obj=root:object_r:tmp_t:s0
type=AVC msg=audit(1155324280.587:73): avc:  denied  { unlink } for  pid=2554
comm="krb5kdc" name="krb5kdc_rcache" dev=hda2 ino=197127
scontext=root:system_r:krb5kdc_t:s0 tcontext=root:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1155324280.587:73): arch=40000003 syscall=38 success=yes
exit=0 a0=924b880 a1=924b780 a2=f2a03c a3=924b82c items=2 pid=2554 auid=0 uid=0
gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty2 comm="krb5kdc"
exe="/usr/kerberos/sbin/krb5kdc" subj=root:system_r:krb5kdc_t:s0
type=CWD msg=audit(1155324280.587:73):  cwd="/root"
type=PATH msg=audit(1155324280.587:73): item=0 name="/var/tmp/krb5_RC2554aaa"
parent=196612 inode=197592 dev=03:02 mode=0100600 ouid=0 ogid=0 rdev=00:00
obj=root:object_r:krb5kdc_tmp_t:s0
type=PATH msg=audit(1155324280.587:73): item=1 name="/var/tmp/krb5kdc_rcache"
parent=196612 inode=197127 dev=03:02 mode=0100600 ouid=0 ogid=0 rdev=00:00
obj=root:object_r:tmp_t:s0
Comment 6 Daniel Walsh 2006-08-28 14:23:19 EDT
The latest policy selinux-policy-2.3.7-1 and greater in FC5 and rawhide has
these allow rules

allow krb5kdc_t krb5kdc_tmp_t:dir create_dir_perms;
allow krb5kdc_t krb5kdc_tmp_t:file create_file_perms;
files_tmp_filetrans(krb5kdc_t, krb5kdc_tmp_t, { file dir })

Which should handle this situation.

You might need to relabel your cache file:
chcon -t krb5kdc_tmp_t /var/tmp/krb5_RC2554aaa
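Detecting exactly this mislabel from audit records, as an added example (my Python, not code from the bug or from the selinux-policy project): it parses AVC denials, correlates the object path through the AVC_PATH/PATH records that share the same audit serial, and flags objects the krb5kdc_t domain was denied on whose label is not krb5kdc_tmp_t. The sample log is constructed from the records in comment 5 (re-joined onto single lines) plus one unrelated sshd denial to show filtering; the regexes and function names are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC records quoted in the bug, re-joined onto single
# lines as auditd writes them, plus one unrelated sshd denial to show filtering.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1155324251.250:69): avc:  denied  { getattr } for  pid=2537 comm="krb5kdc" name="krb5kdc_rcache" dev=hda2 ino=197127 scontext=root:system_r:krb5kdc_t:s0 tcontext=root:object_r:tmp_t:s0 tclass=file
type=AVC_PATH msg=audit(1155324251.250:69):  path="/var/tmp/krb5kdc_rcache"
type=AVC msg=audit(1155324280.587:73): avc:  denied  { unlink } for  pid=2554 comm="krb5kdc" name="krb5kdc_rcache" dev=hda2 ino=197127 scontext=root:system_r:krb5kdc_t:s0 tcontext=root:object_r:tmp_t:s0 tclass=file
type=PATH msg=audit(1155324280.587:73): item=0 name="/var/tmp/krb5_RC2554aaa" parent=196612 inode=197592 dev=03:02 mode=0100600 obj=root:object_r:krb5kdc_tmp_t:s0
type=PATH msg=audit(1155324280.587:73): item=1 name="/var/tmp/krb5kdc_rcache" parent=196612 inode=197127 dev=03:02 mode=0100600 obj=root:object_r:tmp_t:s0
type=AVC msg=audit(1155324300.000:80): avc:  denied  { read } for  pid=2600 comm="sshd" name="x" dev=hda2 ino=197999 scontext=root:system_r:sshd_t:s0 tcontext=root:object_r:tmp_t:s0 tclass=file
"""

AVC_RE = re.compile(r'^type=AVC msg=audit\([\d.]+:(?P<serial>\d+)\): avc:\s+denied\s+'
                    r'\{ (?P<perms>[^}]*)\} for\s+.*?ino=(?P<ino>\d+).*?'
                    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+)')
# AVC_PATH records carry path= and no inode; PATH records carry name= and inode=.
PATH_RE = re.compile(r'^type=(?:AVC_PATH|PATH) msg=audit\([\d.]+:(?P<serial>\d+)\):'
                     r'.*?(?:path|name)="(?P<path>[^"]*)"(?:.*?inode=(?P<inode>\d+))?')

def parse_denials(log_text):
    # Each denial gets its source domain, target type and the denied object's path.
    denials, paths = [], defaultdict(list)
    for line in log_text.splitlines():
        if (m := AVC_RE.match(line)):
            d = m.groupdict()
            d["perms"] = set(d["perms"].split())
            d["sdomain"] = d["scontext"].split(":")[2]   # e.g. krb5kdc_t
            d["ttype"] = d["tcontext"].split(":")[2]     # e.g. tmp_t
            denials.append(d)
        elif (m := PATH_RE.match(line)):
            paths[m["serial"]].append((m["path"], m["inode"]))
    for d in denials:
        # Prefer the PATH item whose inode is the denied object; AVC_PATH has no inode.
        cands = paths[d["serial"]]
        hit = [p for p, ino in cands if ino == d["ino"]] or [p for p, ino in cands if ino is None]
        d["path"] = hit[0] if hit else None
    return denials

def mislabelled_objects(log_text, domain="krb5kdc_t", expected="krb5kdc_tmp_t"):
    # Objects `domain` was denied on that do not carry the type the policy expects:
    # the signature of krb5kdc_rcache left as tmp_t after a reboot.
    out = {}
    for d in parse_denials(log_text):
        if d["sdomain"] == domain and d["ttype"] != expected:
            out.setdefault(d["path"], {"label": d["ttype"], "perms": set()})["perms"] |= d["perms"]
    return out
```

Each path it reports, with the label it actually carries, is a candidate for the chcon -t krb5kdc_tmp_t relabel from comment 6.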
Comment 7 W. Michael Petullo 2006-11-27 20:34:21 EST
Okay, the policy now seems okay.  However, should something change so that
/var/tmp/krb5* does not end up with the wrong context?  This happens somewhat
frequently when the computer is restarted.
Comment 8 Daniel Walsh 2006-11-28 06:47:41 EST
Is something in the init script clearing it on reboot?    This file should not
get the wrong context on reboot.
Comment 9 W. Michael Petullo 2006-11-28 19:11:47 EST
[root@golem tmp]# ls -lZ /var/tmp/
-rw-------  root root root:object_r:tmp_t              krb5kdc_rcache

The file does not have the right context right now.  It does not appear that it
is created with the right context.  But, if I "/etc/init.d/krb5kdc restart," the
context changes:

[root@golem tmp]# ls -lZ
-rw-------  root root root:object_r:krb5kdc_tmp_t      krb5kdc_rcache

I'm not yet clear what causes the context to be incorrect.
Comment 10 W. Michael Petullo 2007-01-28 19:21:02 EST
I set this bug to high because the krb5kdc process on a server may not come back
up on reboot.
Comment 11 Daniel Walsh 2007-02-01 16:04:27 EST
Have you run krb5kdc outside of the init scripts?  This would cause it to
run as unconfined_t and would cause the tmp_t problem.
Comment 12 W. Michael Petullo 2007-02-01 18:54:47 EST
No.  Typically krb5kdc is started by the init scripts when I boot.  The
exception is when this bug causes its execution to fail.  In this case I use
/etc/init.d/krb5kdc start manually.
Comment 13 Daniel Walsh 2007-02-06 09:09:34 EST
Well, I have no idea.  Are you still seeing this file show up with the wrong label?
Comment 14 Daniel Walsh 2007-08-22 10:16:52 EDT
Should be fixed in the current release