Bug 252978 - start of kadmin is impossible
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 7
Hardware/OS: All Linux
Priority: low
Severity: low
Assigned To: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Blocks: 253558
Reported: 2007-08-16 09:02 EDT by Adam Tkac
Modified: 2013-04-30 19:37 EDT
Last Closed: 2007-08-21 05:31:06 EDT
Doc Type: Bug Fix
Attachments: None
Description Adam Tkac 2007-08-16 09:02:40 EDT
Description of problem:
I tried to configure the kadmin server and start it. Not successful due to SELinux denials.

Version-Release number of selected component (if applicable):
rpm -q selinux-policy
selinux-policy-2.6.4-38.fc7
rpm -q krb5-server
krb5-server-1.6.1-2.1.fc7

How reproducible:
always

Steps to Reproduce:
1. service kadmin start
  
Actual results:
log says:
type=SYSCALL msg=audit(1187269176.181:79): arch=40000003 syscall=195 success=no
exit=-13 a0=803e8088 a1=bf95f158 a2=6f2ff4 a3=803e8088 items=0 ppid=1908
pid=1909 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) comm="kadmind" exe="/usr/kerberos/sbin/kadmind"
subj=root:system_r:kadmind_t:s0 key=(null)
type=AVC_PATH msg=audit(1187269176.181:79):  path="/var/tmp/kadmin_0"
type=AVC msg=audit(1187269176.181:80): avc:  denied  { getattr } for  pid=1909
comm="kadmind" name="kadmin_0" dev=xvda1 ino=228765
scontext=root:system_r:kadmind_t:s0 tcontext=root:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1187269176.181:80): arch=40000003 syscall=195 success=no
exit=-13 a0=803e7b90 a1=bf95f158 a2=6f2ff4 a3=803e7b90 items=0 ppid=1908
pid=1909 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) comm="kadmind" exe="/usr/kerberos/sbin/kadmind"
subj=root:system_r:kadmind_t:s0 key=(null)
type=AVC_PATH msg=audit(1187269176.181:80):  path="/var/tmp/kadmin_0"


Expected results:
no denial
Comment 1 Daniel Walsh 2007-08-17 06:35:37 EDT
Looks like the kadmin_0 file was created by a program that was not confined? 
kadmind is supposed to create tmp files labeled kadmind_tmp_t.  But this file
looks like it was created by an unconfined process?

If you chcon -t kadmind_tmp_t /var/tmp/kadmin*

kadmind should work.  But the question is how did this file get created?
Comment 2 Adam Tkac 2007-08-17 06:58:08 EDT
Hm, interesting. I'm not able to reproduce this now. Maybe I didn't have the
kdc configured before starting kadmin and simply tried `service kadmin start`. If
this also can't create a mislabeled /var/tmp/kadmin/_file_, close this bug.
Comment 4 Daniel Walsh 2007-08-20 16:06:17 EDT
If you executed kadmind directly, ie not via an initscript, it would not
transition to kadmind_t but stay in unconfined_t.  This would cause these files
to be created with the wrong context.  Then if later you ran the apps via the
initscript you could cause this.
Comment 6 Adam Tkac 2007-08-21 05:31:06 EDT
(In reply to comment #4)
> If you executed kadmind directly, ie not via an initscript, it would not
> transition to kadmind_t but stay in unconfined_t.  This would cause these files
> to be created with the wrong context.  Then if later you ran the apps via the
> initscript you could cause this.

Yeah. This is the problem. I remember that I ran kadmind directly and after that
with the initscript. Closing.
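The thread above boils down to one diagnostic pattern: a confined domain (kadmind_t) is denied access to a file in /var/tmp that carries the generic tmp_t type instead of the per-domain tmp type (kadmind_tmp_t) the policy expects, because the file was first created by the same program running unconfined. The following POSIX shell script is an added example, not code from the bug report or from the selinux-policy package. It embeds the AVC and AVC_PATH records quoted in the description as constructed sample input, extracts the source domain, permission, target class and target type, and prints the relabel command from comment 1 when the target is a generic tmp_t file. The `<domain>_t` to `<domain>_tmp_t` naming rule is an assumption generalised from comment 1, and the live check relies on GNU `stat -c %C` and `selinuxenabled` being present; neither is stated on the page.

```shell
#!/bin/sh
# Constructed sample input: the two audit records from the bug report, one AVC
# and the matching AVC_PATH record (same audit serial 80).
AVC_SAMPLE='type=AVC msg=audit(1187269176.181:80): avc:  denied  { getattr } for  pid=1909 comm="kadmind" name="kadmin_0" dev=xvda1 ino=228765 scontext=root:system_r:kadmind_t:s0 tcontext=root:object_r:tmp_t:s0 tclass=file'
PATH_SAMPLE='type=AVC_PATH msg=audit(1187269176.181:80):  path="/var/tmp/kadmin_0"'

# avc_field LINE KEY: value of the KEY=value token in an audit record, quotes stripped.
avc_field() {
  printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p" | tr -d '"'
}

# avc_perm LINE: the permission list inside the { } braces of an AVC record.
avc_perm() {
  printf '%s\n' "$1" | sed -n 's/.*{ \([^}]*\) }.*/\1/p'
}

# ctx_type CONTEXT: the type field (third colon-separated field) of an SELinux context.
ctx_type() {
  printf '%s\n' "$1" | cut -d: -f3
}

# avc_summary LINE: "source_type perm tclass target_type", the four facts that matter.
avc_summary() {
  printf '%s %s %s %s\n' \
    "$(ctx_type "$(avc_field "$1" scontext)")" \
    "$(avc_perm "$1")" \
    "$(avc_field "$1" tclass)" \
    "$(ctx_type "$(avc_field "$1" tcontext)")"
}

# expected_tmp_type DOMAIN: the tmp type a confined daemon should have created.
# Assumption: the refpolicy naming convention <domain>_t -> <domain>_tmp_t,
# generalised from comment 1 (kadmind_t -> kadmind_tmp_t).
expected_tmp_type() {
  printf '%s\n' "${1%_t}_tmp_t"
}

# suggest_fix AVC_LINE PATH_LINE: print the chcon command from comment 1 when a
# confined domain is denied on a generic tmp_t file; otherwise say why not.
suggest_fix() {
  domain=$(ctx_type "$(avc_field "$1" scontext)")
  ttype=$(ctx_type "$(avc_field "$1" tcontext)")
  if [ "$ttype" = tmp_t ] && [ "$(avc_field "$1" tclass)" = file ]; then
    printf 'chcon -t %s %s\n' "$(expected_tmp_type "$domain")" "$(avc_field "$2" path)"
  else
    printf 'no generic-tmp relabel applies (target type %s)\n' "$ttype"
  fi
}

# live_tmp_type PATH: current type of PATH on an SELinux-enabled host.
# Assumption: GNU stat with %C and the selinuxenabled helper are installed.
live_tmp_type() {
  if command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled 2>/dev/null; then
    stat -c %C "$1" | cut -d: -f3
  else
    echo "selinux-not-enabled"
  fi
}

# Usage: summarise the denial and print the relabel the thread settled on.
avc_summary "$AVC_SAMPLE"
suggest_fix "$AVC_SAMPLE" "$PATH_SAMPLE"
live_tmp_type /var/tmp/kadmin_0
```

Two caveats a practitioner would want. First, `chcon` only fixes the symptom; the cause in comment 4 is that running kadmind by hand from an unconfined shell does not transition to kadmind_t, so anything it creates in /var/tmp gets tmp_t. Starting the daemon through the initscript (or deleting the stale file so the confined daemon recreates it) avoids the mislabel. Second, `restorecon` is not a drop-in substitute for the `chcon` above: it relabels from file_contexts entries, and the page says nothing about such an entry for /var/tmp/kadmin_0, whereas the expected kadmind_tmp_t label comes from a type transition at file-creation time.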
