Description of problem: When a RHEL system is joined to a Windows 2003 Active Directory domain, SELinux blocks the 'net' command from creating a kerberos keytab. Version-Release number of selected component (if applicable): selinux-policy-2.4.6-279.el5 samba-3.0.33-3.29.el5_5.1 How reproducible: every time Steps to Reproduce: 1. Configure Samba for the Win2k3 AD domain 2. net ads join -U <username> net ads keytab create -U <username> net ads keytab add HTTP -U <username> Actual results: The 'net' command cannot create /etc/krb5.keytab. The audit logs show: type=AVC msg=audit(1292852817.321:31760): avc: denied { read } for pid=30079 comm="net" name="krb5.keytab" dev=dm-0 ino=361813 scontext=root:system_r:samba_net_t:s0-s0:c0.c1023 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=file type=AVC msg=audit(1292852817.321:31761): avc: denied { lock } for pid=30079 comm="net" path="/etc/krb5.keytab" dev=dm-0 ino=361813 scontext=root:system_r:samba_net_t:s0-s0:c0.c1023 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=file type=AVC msg=audit(1292852817.321:31762): avc: denied { write } for pid=30079 comm="net" name="krb5.keytab" dev=dm-0 ino=361813 scontext=root:system_r:samba_net_t:s0-s0:c0.c1023 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=file type=AVC msg=audit(1292852817.329:31763): avc: denied { getattr } for pid=30079 comm="net" path="/etc/krb5.keytab" dev=dm-0 ino=361813 scontext=root:system_r:samba_net_t:s0-s0:c0.c1023 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=file type=AVC msg=audit(1292852852.671:31764): avc: denied { add_name } for pid=30091 comm="net" name="krb5.keytab" scontext=root:system_r:samba_net_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir type=AVC msg=audit(1292852852.671:31764): avc: denied { create } for pid=30091 comm="net" name="krb5.keytab" scontext=root:system_r:samba_net_t:s0-s0:c0.c1023 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=file Expected results: The 'net' command can create a kerberos keytab file. Additional info: audit2allow then produces the following: #============= samba_net_t ============== allow samba_net_t etc_t:dir add_name; allow samba_net_t krb5_keytab_t:file { read lock getattr write create };
Does samba net actually create the keytab file?
It tries but it fails to create the keytab: [root@vm104 samba]# getenforce Enforcing [root@vm104 samba]# net ads keytab create -U Administrator Administrator's password: [root@vm104 samba]# echo $? 2 [root@vm104 samba]# ls -l /etc/krb5.keytab ls: /etc/krb5.keytab: No such file or directory However, if I put it in Permissive mode, it succeeds: [root@vm104 samba]# setenforce 0 [root@vm104 samba]# net ads keytab create -U Administrator Administrator's password: [root@vm104 samba]# echo $? 0 [root@vm104 samba]# ls -l /etc/krb5.keytab -rw------- 1 root root 644 Jan 24 14:12 /etc/krb5.keytab [root@vm104 samba]# ls -lZ /etc/krb5.keytab -rw------- root root system_u:object_r:krb5_keytab_t /etc/krb5.keytab
Miroslav the Rawhide policy now supports this. Can you back port it to RHEL5 and RHEL6.
In my testing, I needed a type_transition rule also in my module to create the keytab with krb5_keytab_t type instead of etc_t: [root@vm104 keytab]# cat smbkeytab.te policy_module(smbkeytab, 1.4) require { type samba_net_t; type krb5_keytab_t; type etc_t; class dir { write add_name }; class file { write getattr read lock create }; } #============= samba_net_t ============== allow samba_net_t etc_t:dir { write add_name }; allow samba_net_t krb5_keytab_t:file { read write create getattr lock }; type_transition samba_net_t etc_t:file krb5_keytab_t; With this module, I was able to create a keytab with the net command: [root@vm104 keytab]# rm /etc/krb5.keytab [root@vm104 keytab]# net ads keytab create -U Administrator Administrator's password: [root@vm104 keytab]# ls -lZ /etc/krb5.keytab -rw------- root root root:object_r:krb5_keytab_t /etc/krb5.keytab
Nice job. The policy we added actually looks like ######################################## ## <summary> ## Create keytab file in /etc ## </summary> ## <param name="domain"> ## <summary> ## Domain allowed access. ## </summary> ## </param> # interface(`kerberos_etc_filetrans_keytab',` gen_require(` type krb5_keytab_t; ') allow $1 krb5_keytab_t:file manage_file_perms; files_etc_filetrans($1, krb5_keytab_t, file) ') kerberos_etc_filetrans_keytab(samba_net_t) Which matches the policy you wrote.
Fixed in selinux-policy-2.4.6-301.el5
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on therefore solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2011-1069.html