Bug 713218 - Add policy to allow kerberos kadmind to communicate with openldap via ldapi
Summary: Add policy to allow kerberos kadmind to communicate with openldap via ldapi
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.0
Hardware: All
OS: Linux
medium
medium
Target Milestone: rc
: ---
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-06-14 17:27 UTC by Jonathan Underwood
Modified: 2012-12-04 13:10 UTC (History)
3 users (show)

Fixed In Version: selinux-policy-3.7.19-98.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-12-06 10:08:36 UTC
Target Upstream Version:


Attachments (Terms of Use)
sample audit.log entries for kadmind (58.76 KB, text/plain)
2011-06-14 17:30 UTC, Jonathan Underwood
no flags Details


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2011:1511 0 normal SHIPPED_LIVE selinux-policy bug fix and enhancement update 2011-12-06 00:39:17 UTC

Description Jonathan Underwood 2011-06-14 17:27:53 UTC
Description of problem:
Currently SElinux policy forbids kadmind from communicating with slapd via ldapi.

Version-Release number of selected component (if applicable):
libselinux-2.0.94-2.el6.x86_64
libselinux-utils-2.0.94-2.el6.x86_64
selinux-policy-3.7.19-54.el6_0.5.noarch
libselinux-ruby-2.0.94-2.el6.x86_64
selinux-policy-targeted-3.7.19-54.el6_0.5.noarch
krb5-server-1.8.2-3.el6_0.7.x86_64
krb5-server-ldap-1.8.2-3.el6_0.7.x86_64
krb5-workstation-1.8.2-3.el6_0.7.x86_64
krb5-libs-1.8.2-3.el6_0.7.x86_64
openldap-2.4.19-15.el6_0.2.x86_64
openldap-servers-2.4.19-15.el6_0.2.x86_64
openldap-clients-2.4.19-15.el6_0.2.x86_64


How reproducible:
Everytime

Steps to Reproduce:
1.Configure  krb5.conf such that kadmin it is communicating to a backend openldap database on same host
2. Try to start kadmin service 
3. 

Actual results:
Starting Kerberos 5 Admin Server: kadmind: Can't contact LDAP server while initializing, aborting

Expected results:
kadmin service starts

Additional info:
setenforce 0 does allow kadmin to start. Basically we need to allow kadmind to communicate with slapd via a socket (/var/run/ldapi)

Generating an selinux module with:

grep kadmin audit.log | audit2allow -M kadminldapilocal

produces the following kadminldapilocal.te

module kadminldapilocal 1.0;

require {
        type slapd_t;
        type slapd_var_run_t;
        type kadmind_t;
        class sock_file write;
        class unix_stream_socket connectto;
}

#============= kadmind_t ==============
allow kadmind_t slapd_t:unix_stream_socket connectto;
allow kadmind_t slapd_var_run_t:sock_file write;

Comment 1 Jonathan Underwood 2011-06-14 17:30:22 UTC
Created attachment 504728 [details]
sample audit.log entries for kadmind

Comment 3 Daniel Walsh 2011-06-14 20:44:04 UTC
I think this is fixed in the 6.1 policy.  I know it is in 
selinux-policy-3.7.19-98.el6  which is the preview of the 6.2 policy.

Preview available on people.redhat.com/dwalsh/SELinux/RHEL6

Comment 7 errata-xmlrpc 2011-12-06 10:08:36 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1511.html


Note You need to log in before you can comment on or make changes to this bug.