Bug 672289 - selinux blocks samba from creating /etc/krb5.keytab
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.5
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assigned To: Miroslav Grepl
QA Contact: Ales Zelinka
Depends On:
Blocks:
Reported: 2011-01-24 12:55 EST by Jeff Bastian
Modified: 2012-12-14 12:52 EST (History)
CC List: 4 users

See Also:
Fixed In Version: selinux-policy-2.4.6-301.el5
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2011-07-21 05:19:30 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments: None
Description Jeff Bastian 2011-01-24 12:55:56 EST
Description of problem:
When a RHEL system is joined to a Windows 2003 Active Directory domain, SELinux blocks the 'net' command from creating a kerberos keytab.


Version-Release number of selected component (if applicable):
selinux-policy-2.4.6-279.el5
samba-3.0.33-3.29.el5_5.1

How reproducible:
every time

Steps to Reproduce:
1. Configure Samba for the Win2k3 AD domain
2. net ads join -U <username>
   net ads keytab create -U <username>
   net ads keytab add HTTP -U <username>
  
Actual results:
The 'net' command cannot create /etc/krb5.keytab.  The audit logs show:
type=AVC msg=audit(1292852817.321:31760): avc: denied { read } for pid=30079 comm="net" name="krb5.keytab" dev=dm-0 ino=361813 scontext=root:system_r:samba_net_t:s0-s0:c0.c1023 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=file
type=AVC msg=audit(1292852817.321:31761): avc: denied { lock } for pid=30079 comm="net" path="/etc/krb5.keytab" dev=dm-0 ino=361813 scontext=root:system_r:samba_net_t:s0-s0:c0.c1023 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=file
type=AVC msg=audit(1292852817.321:31762): avc: denied { write } for pid=30079 comm="net" name="krb5.keytab" dev=dm-0 ino=361813 scontext=root:system_r:samba_net_t:s0-s0:c0.c1023 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=file
type=AVC msg=audit(1292852817.329:31763): avc: denied { getattr } for pid=30079 comm="net" path="/etc/krb5.keytab" dev=dm-0 ino=361813 scontext=root:system_r:samba_net_t:s0-s0:c0.c1023 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=file
type=AVC msg=audit(1292852852.671:31764): avc: denied { add_name } for pid=30091 comm="net" name="krb5.keytab" scontext=root:system_r:samba_net_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir
type=AVC msg=audit(1292852852.671:31764): avc: denied { create } for pid=30091 comm="net" name="krb5.keytab" scontext=root:system_r:samba_net_t:s0-s0:c0.c1023 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=file 

Expected results:
The 'net' command can create a kerberos keytab file.

Additional info:
audit2allow then produces the following:

#============= samba_net_t ==============
allow samba_net_t etc_t:dir add_name;
allow samba_net_t krb5_keytab_t:file { read lock getattr write create };
Comment 2 Daniel Walsh 2011-01-24 13:16:41 EST
Does samba net actually create the keytab file?
Comment 3 Jeff Bastian 2011-01-24 14:14:21 EST
It tries but it fails to create the keytab:

[root@vm104 samba]# getenforce
Enforcing
[root@vm104 samba]# net ads keytab create -U Administrator
Administrator's password: 
[root@vm104 samba]# echo $?
2
[root@vm104 samba]# ls -l /etc/krb5.keytab
ls: /etc/krb5.keytab: No such file or directory


However, if I put it in Permissive mode, it succeeds:

[root@vm104 samba]# setenforce 0
[root@vm104 samba]# net ads keytab create -U Administrator
Administrator's password: 
[root@vm104 samba]# echo $?
0
[root@vm104 samba]# ls -l /etc/krb5.keytab
-rw------- 1 root root 644 Jan 24 14:12 /etc/krb5.keytab
[root@vm104 samba]# ls -lZ /etc/krb5.keytab 
-rw-------  root root system_u:object_r:krb5_keytab_t  /etc/krb5.keytab
Comment 5 Daniel Walsh 2011-01-24 16:06:58 EST
Miroslav, the Rawhide policy now supports this. Can you back port it to RHEL5 and RHEL6?
Comment 6 Jeff Bastian 2011-01-24 16:56:03 EST
In my testing, I needed a type_transition rule also in my module to create the keytab with krb5_keytab_t type instead of etc_t:

[root@vm104 keytab]# cat smbkeytab.te
policy_module(smbkeytab, 1.4)

require {
        type samba_net_t;
        type krb5_keytab_t;
        type etc_t;
        class dir { write add_name };
        class file { write getattr read lock create };
}

#============= samba_net_t ==============
allow samba_net_t etc_t:dir { write add_name };
allow samba_net_t krb5_keytab_t:file { read write create getattr lock };

type_transition samba_net_t etc_t:file krb5_keytab_t;



With this module, I was able to create a keytab with the net command:

[root@vm104 keytab]# rm /etc/krb5.keytab
[root@vm104 keytab]# net ads keytab create -U Administrator
Administrator's password: 
[root@vm104 keytab]# ls -lZ /etc/krb5.keytab
-rw-------  root root root:object_r:krb5_keytab_t      /etc/krb5.keytab
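As an added illustration (not code from the report, from Samba or from the selinux-policy project): a small audit2allow-style parser in Python, run over four of the AVC lines quoted in the description. It merges the denials into one allow rule per (source, target, class), and with a heuristic that pairs a denied add_name on a directory of one type with a denied create on a file of another type, it also emits the type_transition rule from the module above. The heuristic and the function names are assumptions of this example.

```python
import re
from collections import defaultdict

# Four of the AVC lines quoted in the bug report, embedded here as sample input.
AVC_LINES = [
    'type=AVC msg=audit(1292852817.321:31760): avc: denied { read } for pid=30079 comm="net" name="krb5.keytab" dev=dm-0 ino=361813 scontext=root:system_r:samba_net_t:s0-s0:c0.c1023 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=file',
    'type=AVC msg=audit(1292852817.321:31762): avc: denied { write } for pid=30079 comm="net" name="krb5.keytab" dev=dm-0 ino=361813 scontext=root:system_r:samba_net_t:s0-s0:c0.c1023 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=file',
    'type=AVC msg=audit(1292852852.671:31764): avc: denied { add_name } for pid=30091 comm="net" name="krb5.keytab" scontext=root:system_r:samba_net_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir',
    'type=AVC msg=audit(1292852852.671:31764): avc: denied { create } for pid=30091 comm="net" name="krb5.keytab" scontext=root:system_r:samba_net_t:s0-s0:c0.c1023 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=file',
]

def parse_avc(line):
    """Return (source type, target type, class, [perms]) or None for a non-AVC line."""
    m = re.search(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}', line)
    if not m:
        return None
    fields = dict(re.findall(r'(\w+)=(\S+)', line))
    # A context is user:role:type[:range]; the type is the third field.
    stype = fields['scontext'].split(':')[2]
    ttype = fields['tcontext'].split(':')[2]
    return stype, ttype, fields['tclass'], m.group(1).split()

def allow_rules(lines):
    """Merge denials into one allow rule per (source, target, class), as audit2allow does."""
    merged = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed:
            stype, ttype, tclass, perms = parsed
            merged[(stype, ttype, tclass)].update(perms)
    rules = []
    for (s, t, c), perms in sorted(merged.items()):
        p = sorted(perms)
        body = p[0] if len(p) == 1 else '{ ' + ' '.join(p) + ' }'
        rules.append(f'allow {s} {t}:{c} {body};')
    return rules

def transition_rules(lines):
    """Heuristic (this example's assumption): a domain denied add_name on a directory of
    one type and create on a file of another type needs a type_transition, otherwise the
    new file simply inherits the directory's type (etc_t in this report)."""
    dir_type, file_type = {}, {}
    for line in lines:
        parsed = parse_avc(line)
        if not parsed:
            continue
        stype, ttype, tclass, perms = parsed
        if tclass == 'dir' and 'add_name' in perms:
            dir_type[stype] = ttype
        elif tclass == 'file' and 'create' in perms:
            file_type[stype] = ttype
    return [f'type_transition {s} {dir_type[s]}:file {file_type[s]};'
            for s in dir_type if s in file_type and dir_type[s] != file_type[s]]
```

Calling allow_rules(AVC_LINES) + transition_rules(AVC_LINES) yields the two allow rules and the type_transition line that make up the body of smbkeytab.te.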
Comment 7 Daniel Walsh 2011-01-24 17:02:12 EST
Nice job.

The policy we added actually looks like

########################################
## <summary>
##	Create keytab file in /etc
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`kerberos_etc_filetrans_keytab',`
	gen_require(`
		type krb5_keytab_t;
	')

	allow $1 krb5_keytab_t:file manage_file_perms;
	files_etc_filetrans($1, krb5_keytab_t, file)
')

kerberos_etc_filetrans_keytab(samba_net_t)

Which matches the policy you wrote.
Comment 9 Miroslav Grepl 2011-03-01 12:08:58 EST
Fixed in selinux-policy-2.4.6-301.el5
Comment 12 errata-xmlrpc 2011-07-21 05:19:30 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-1069.html
Comment 13 errata-xmlrpc 2011-07-21 07:50:25 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-1069.html
