Bug 970169 - SELinux policy for KDC access to OTP RADIUS
Summary: SELinux policy for KDC access to OTP RADIUS
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 20
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2013-06-03 15:09 UTC by Nathaniel McCallum
Modified: 2015-02-19 10:46 UTC

Fixed In Version: selinux-policy-3.12.1-127.fc20
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-03-12 12:17:00 UTC
Type: Bug
Embargoed:



Description Nathaniel McCallum 2013-06-03 15:09:20 UTC
The KDC gained support for forwarding OTP requests to RADIUS servers, but is currently locked down by SELinux from connecting. The full details are here: http://k5wiki.kerberos.org/wiki/Projects/OTPOverRADIUS

The short version is that access is needed to:
1. /var/kerberos/krb5kdc/*.socket
2. Local or remote RADIUS (usually udp 1812)

Comment 1 Nathaniel McCallum 2013-06-03 15:37:39 UTC
It seems that remote udp ports work fine already. It is just the local unix sockets that have problems.

type=AVC msg=audit(1370273330.546:479): avc:  denied  { write } for  pid=3708 comm="krb5kdc" name="DEFAULT.socket" dev="dm-0" ino=151097 scontext=system_u:system_r:krb5kdc_t:s0 tcontext=system_u:object_r:krb5kdc_conf_t:s0 tclass=sock_file
type=AVC msg=audit(1370273330.546:479): avc:  denied  { connectto } for  pid=3708 comm="krb5kdc" path="/var/kerberos/krb5kdc/DEFAULT.socket" scontext=system_u:system_r:krb5kdc_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket

Also, this only applies to krb5kdc, not any other processes.

Comment 2 Miroslav Grepl 2013-06-04 14:40:31 UTC
What does

# ps -efZ |grep initrc

Comment 3 Nathaniel McCallum 2013-06-04 15:31:08 UTC
That is what systemd gives to the socket activated daemons it starts. In this case, it is ipa-otpd (from FreeIPA). But it could be anything in the future that wishes to provide this functionality.

Comment 4 Miroslav Grepl 2013-06-07 08:53:22 UTC
Yes, a new policy is needed for ipa-otpd.

Comment 5 Daniel Walsh 2013-06-07 20:40:43 UTC
Can't we get this socket into /run/kerberos or /run/krb5kdc?

Comment 6 Miroslav Grepl 2013-06-11 13:27:11 UTC
Yes, it would be better. Also I attached the initial policy to the ipa bug for testing.

Comment 7 Nathaniel McCallum 2013-06-13 19:41:32 UTC
Daniel, upstream is concerned that the run directory is non-standard (they support lots of operating systems). The best they could offer is that they might accept a patch which allows one to manually specify the socket directory. The KDC_DIR (/var/kerberos/krb5kdc in Fedora) is already a known entity to them and they prefer it here.

Comment 8 Miroslav Grepl 2013-06-14 06:02:55 UTC
Also there is an initial policy for testing

https://bugzilla.redhat.com/show_bug.cgi?id=970163

Comment 9 Daniel Walsh 2013-06-18 16:19:47 UTC
Well /var/run is pretty common.

I guess we could setup a symlink between /var/kerberos -> /run/kerberos and then we could maintain this and put the socket files in the correct location.

Comment 10 Miroslav Grepl 2013-12-06 20:23:06 UTC
*** Bug 970163 has been marked as a duplicate of this bug. ***

Comment 11 Nathaniel McCallum 2013-12-06 21:25:57 UTC
These are not duplicates.

#970163 requests a new policy to constrain ipa-otpd.
#970169 requests a change to the existing krb5kdc policy.

Comment 12 Nathaniel McCallum 2014-01-31 21:02:08 UTC
Miroslav, I'm still seeing the following in rawhide. Please advise.

type=AVC msg=audit(1391201510.299:407): avc:  denied  { write } for  pid=2092 comm="krb5kdc" name="DEFAULT.socket" dev="vda1" ino=1180184 scontext=system_u:system_r:krb5kdc_t:s0 tcontext=system_u:object_r:krb5kdc_conf_t:s0 tclass=sock_file

type=SYSCALL msg=audit(1391201510.299:407): arch=c000003e syscall=42 success=no exit=-13 a0=c a1=7fd5a58166b0 a2=6e a3=1350143e items=0 ppid=1 pid=2092 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="krb5kdc" exe="/usr/sbin/krb5kdc" subj=system_u:system_r:krb5kdc_t:s0 key=(null)

# ls -Z /var/kerberos/krb5kdc/DEFAULT.socket
srw-------. root root system_u:object_r:krb5kdc_conf_t:s0 /var/kerberos/krb5kdc/DEFAULT.socket

# ps auxZ | grep kdc
system_u:system_r:krb5kdc_t:s0  root      2092  0.0  0.2 224608  5320 ?        Ss   15:32   0:00 /usr/sbin/krb5kdc -P /var/run/krb5kdc.pid

Comment 13 Miroslav Grepl 2014-02-03 08:08:28 UTC
So you want us to allow it. There is no chance to do what Dan suggested in comment #9?

Comment 14 Nathaniel McCallum 2014-02-04 20:20:06 UTC
I convinced MIT to adopt the new runstatedir convention (will be in autoconf 2.70). I made a patch to move the socket search location:
https://github.com/krb5/krb5/pull/45

If this gets merged, we can backport to krb5 in Fedora and move the FreeIPA socket.

Comment 15 Nathaniel McCallum 2014-02-06 20:15:15 UTC
While I'm working with upstream, I moved the socket manually. Here are my results on performing a request:

type=AVC msg=audit(1391716026.974:419): avc:  denied  { write } for  pid=2272 comm="krb5kdc" name="DEFAULT.socket" dev="tmpfs" ino=274575 scontext=system_u:system_r:krb5kdc_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file

type=AVC msg=audit(1391716026.974:419): avc:  denied  { connectto } for  pid=2272 comm="krb5kdc" path="/run/krb5kdc/DEFAULT.socket" scontext=system_u:system_r:krb5kdc_t:s0 tcontext=system_u:system_r:ipa_otpd_t:s0 tclass=unix_stream_socket

type=SYSCALL msg=audit(1391716026.974:419): arch=c000003e syscall=42 success=yes exit=0 a0=c a1=7f728ec838b0 a2=6e a3=7cf550eb items=0 ppid=1 pid=2272 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="krb5kdc" exe="/usr/sbin/krb5kdc" subj=system_u:system_r:krb5kdc_t:s0 key=(null)

type=SERVICE_START msg=audit(1391716026.982:420): pid=1 uid=0 auid=4294967295 ses=4294967295  subj=system_u:system_r:init_t:s0 msg=' comm="ipa-otpd@0-2272-0" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'

type=AVC msg=audit(1391716026.982:421): avc:  denied  { read } for  pid=2336 comm="ipa-otpd" name="urandom" dev="devtmpfs" ino=5023 scontext=system_u:system_r:ipa_otpd_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file

type=AVC msg=audit(1391716026.982:421): avc:  denied  { open } for  pid=2336 comm="ipa-otpd" path="/dev/urandom" dev="devtmpfs" ino=5023 scontext=system_u:system_r:ipa_otpd_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file

type=SYSCALL msg=audit(1391716026.982:421): arch=c000003e syscall=2 success=yes exit=3 a0=7f71d5e9d744 a1=0 a2=40 a3=7fff141c5c10 items=0 ppid=1 pid=2336 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ipa-otpd" exe="/usr/libexec/ipa-otpd" subj=system_u:system_r:ipa_otpd_t:s0 key=(null)

type=AVC msg=audit(1391716026.983:422): avc:  denied  { getattr } for  pid=2336 comm="ipa-otpd" path="/dev/urandom" dev="devtmpfs" ino=5023 scontext=system_u:system_r:ipa_otpd_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file

type=SYSCALL msg=audit(1391716026.983:422): arch=c000003e syscall=5 success=yes exit=0 a0=3 a1=7fff141c5e50 a2=7fff141c5e50 a3=7fff141c5c10 items=0 ppid=1 pid=2336 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ipa-otpd" exe="/usr/libexec/ipa-otpd" subj=system_u:system_r:ipa_otpd_t:s0 key=(null)

type=AVC msg=audit(1391716026.984:423): avc:  denied  { read } for  pid=2336 comm="ipa-otpd" name="resolv.conf" dev="vda1" ino=132344 scontext=system_u:system_r:ipa_otpd_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file

type=AVC msg=audit(1391716026.984:423): avc:  denied  { open } for  pid=2336 comm="ipa-otpd" path="/etc/resolv.conf" dev="vda1" ino=132344 scontext=system_u:system_r:ipa_otpd_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file

type=SYSCALL msg=audit(1391716026.984:423): arch=c000003e syscall=2 success=yes exit=6 a0=7f71d7a9f41a a1=80000 a2=1b6 a3=7fff141c5b00 items=0 ppid=1 pid=2336 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ipa-otpd" exe="/usr/libexec/ipa-otpd" subj=system_u:system_r:ipa_otpd_t:s0 key=(null)

type=AVC msg=audit(1391716026.984:424): avc:  denied  { getattr } for  pid=2336 comm="ipa-otpd" path="/etc/resolv.conf" dev="vda1" ino=132344 scontext=system_u:system_r:ipa_otpd_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file

type=SYSCALL msg=audit(1391716026.984:424): arch=c000003e syscall=5 success=yes exit=0 a0=6 a1=7fff141c39d0 a2=7fff141c39d0 a3=0 items=0 ppid=1 pid=2336 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ipa-otpd" exe="/usr/libexec/ipa-otpd" subj=system_u:system_r:ipa_otpd_t:s0 key=(null)

Comment 16 Nathaniel McCallum 2014-02-18 13:31:45 UTC
The socket directory is now moved in krb5-1.11.5-3.fc20.

Comment 17 Miroslav Grepl 2014-02-18 14:34:25 UTC
The correct labeling is coming with today's build/update.

Comment 18 Fedora Update System 2014-02-18 22:08:47 UTC
selinux-policy-3.12.1-126.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-126.fc20

Comment 19 Nathaniel McCallum 2014-02-19 17:31:36 UTC
I am still seeing this with the new build:

type=AVC msg=audit(1392830817.754:418): avc:  denied  { connectto } for  pid=3045 comm="krb5kdc" path="/run/krb5kdc/DEFAULT.socket" scontext=system_u:system_r:krb5kdc_t:s0 tcontext=system_u:system_r:ipa_otpd_t:s0 tclass=unix_stream_socket

type=SYSCALL msg=audit(1392830817.754:418): arch=c000003e syscall=42 success=yes exit=0 a0=c a1=7f000aa833d0 a2=6e a3=4314903a items=0 ppid=1 pid=3045 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="krb5kdc" exe="/usr/sbin/krb5kdc" subj=system_u:system_r:krb5kdc_t:s0 key=(null)
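The AVC records pasted in comments 1, 12, 15 and 19 all have the same shape, and a policy maintainer asks two things of them: which allow rule they collapse to, and whether the denial was actually enforced (a `denied` AVC whose paired SYSCALL record says `success=yes` means the operation went through anyway, so the domain or the whole system was permissive, which is what comments 15 and 19 show for krb5kdc_t). The block below is an added example, not code from this bug, from MIT krb5 or from the selinux-policy project. It pairs AVC records with their SYSCALL record by audit event id, emits audit2allow-style rules, and flags rules whose target is a generic type (initrc_t, var_run_t) as cases to fix by labeling or confining the peer rather than by allowing, which is how this bug was resolved. The sample lines are abbreviated copies of records posted in this bug; the set of "generic" type names is my own choice.

```python
"""Parse SELinux AVC denials into audit2allow-style rules and review them."""
import re
from collections import defaultdict

# Constructed sample: abbreviated copies of audit records posted in this bug
# (comments 1, 12 and 15). Register/uid fields of the SYSCALL records are trimmed.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1370273330.546:479): avc:  denied  { write } for  pid=3708 comm="krb5kdc" name="DEFAULT.socket" dev="dm-0" ino=151097 scontext=system_u:system_r:krb5kdc_t:s0 tcontext=system_u:object_r:krb5kdc_conf_t:s0 tclass=sock_file
type=AVC msg=audit(1370273330.546:479): avc:  denied  { connectto } for  pid=3708 comm="krb5kdc" path="/var/kerberos/krb5kdc/DEFAULT.socket" scontext=system_u:system_r:krb5kdc_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1391201510.299:407): avc:  denied  { write } for  pid=2092 comm="krb5kdc" name="DEFAULT.socket" dev="vda1" ino=1180184 scontext=system_u:system_r:krb5kdc_t:s0 tcontext=system_u:object_r:krb5kdc_conf_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1391201510.299:407): arch=c000003e syscall=42 success=no exit=-13 ppid=1 pid=2092 comm="krb5kdc" exe="/usr/sbin/krb5kdc" subj=system_u:system_r:krb5kdc_t:s0 key=(null)
type=AVC msg=audit(1391716026.974:419): avc:  denied  { write } for  pid=2272 comm="krb5kdc" name="DEFAULT.socket" dev="tmpfs" ino=274575 scontext=system_u:system_r:krb5kdc_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1391716026.974:419): avc:  denied  { connectto } for  pid=2272 comm="krb5kdc" path="/run/krb5kdc/DEFAULT.socket" scontext=system_u:system_r:krb5kdc_t:s0 tcontext=system_u:system_r:ipa_otpd_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1391716026.974:419): arch=c000003e syscall=42 success=yes exit=0 ppid=1 pid=2272 comm="krb5kdc" exe="/usr/sbin/krb5kdc" subj=system_u:system_r:krb5kdc_t:s0 key=(null)
type=AVC msg=audit(1391716026.982:421): avc:  denied  { read } for  pid=2336 comm="ipa-otpd" name="urandom" dev="devtmpfs" ino=5023 scontext=system_u:system_r:ipa_otpd_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=AVC msg=audit(1391716026.982:421): avc:  denied  { open } for  pid=2336 comm="ipa-otpd" path="/dev/urandom" dev="devtmpfs" ino=5023 scontext=system_u:system_r:ipa_otpd_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1391716026.982:421): arch=c000003e syscall=2 success=yes exit=3 ppid=1 pid=2336 comm="ipa-otpd" exe="/usr/libexec/ipa-otpd" subj=system_u:system_r:ipa_otpd_t:s0 key=(null)
"""

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<verdict>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SYSCALL_RE = re.compile(
    r"type=SYSCALL msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):.*?\bsuccess=(?P<success>yes|no)")

# Target types that are too generic to put in an allow rule: a denial against one of
# these usually means the object is mislabeled or the peer process is unconfined.
# (Chosen for this example; not an official list.)
GENERIC_TARGETS = {"initrc_t", "var_run_t", "var_t", "tmp_t", "unlabeled_t"}


def _type_of(context):
    """user:role:type:level -> type."""
    return context.split(":")[2]


def parse_avc(text):
    """Return one dict per denied AVC record, annotated with whether it was enforced.

    'enforced' is True when the paired SYSCALL record has success=no, False when it
    has success=yes (permissive domain or permissive mode), None when no SYSCALL
    record with the same audit event id (timestamp:serial) is present.
    """
    events, outcome = [], {}
    for line in text.splitlines():
        m = SYSCALL_RE.match(line)
        if m:
            outcome[f"{m['ts']}:{m['serial']}"] = m["success"] == "yes"
            continue
        m = AVC_RE.match(line)
        if not m or m["verdict"] != "denied":
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m["fields"])}
        events.append({
            "id": f"{m['ts']}:{m['serial']}",
            "perms": set(m["perms"].split()),
            "source": _type_of(fields["scontext"]),
            "target": _type_of(fields["tcontext"]),
            "tclass": fields["tclass"],
            "object": fields.get("path") or fields.get("name"),
            "comm": fields.get("comm"),
        })
    for ev in events:  # SYSCALL records may come before or after their AVCs
        ev["enforced"] = None if ev["id"] not in outcome else not outcome[ev["id"]]
    return events


def allow_rules(events):
    """Collapse denials into audit2allow-style rules keyed by (source, target, class)."""
    grouped = defaultdict(set)
    for ev in events:
        grouped[(ev["source"], ev["target"], ev["tclass"])] |= ev["perms"]
    rules = []
    for (src, tgt, cls), perms in grouped.items():
        perms = sorted(perms)
        body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return sorted(rules)


def review(events):
    """Warnings a reviewer would raise before accepting the generated rules."""
    notes = []
    for ev in events:
        if ev["target"] in GENERIC_TARGETS:
            notes.append(f"{ev['id']}: {ev['source']} -> {ev['target']} ({ev['tclass']} "
                         f"{ev['object']}): target type is generic; relabel the object "
                         "or confine the peer instead of allowing this")
        if ev["enforced"] is False:
            notes.append(f"{ev['id']}: {ev['comm']} denial was not enforced (success=yes): "
                         "permissive domain or permissive mode, so tests did not prove the policy")
    return notes


if __name__ == "__main__":
    parsed = parse_avc(SAMPLE_AUDIT)
    print("\n".join(allow_rules(parsed)))
    print("\n".join(review(parsed)))
```

On the sample this yields five candidate rules; the review flags the two against initrc_t and var_run_t (the labeling problems that comments 3, 5 and 9 discuss) and notes that the comment 15 denials were not enforced, so a clean run there would not have shown the policy was complete.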

Comment 20 Fedora Update System 2014-02-22 00:40:53 UTC
Package selinux-policy-3.12.1-126.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-126.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-2801/selinux-policy-3.12.1-126.fc20
then log in and leave karma (feedback).

Comment 21 Nathaniel McCallum 2014-02-24 15:33:32 UTC
This does not fix my issue.

Comment 22 Fedora Update System 2014-02-26 13:48:30 UTC
Package selinux-policy-3.12.1-127.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-127.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-2801/selinux-policy-3.12.1-127.fc20
then log in and leave karma (feedback).

Comment 23 Miroslav Grepl 2014-03-03 12:11:38 UTC
commit 38d40cf021eb394f8980b7a8fc51f4ee9426a3c3
Author: Miroslav Grepl <mgrepl>
Date:   Mon Mar 3 11:39:08 2014 +0100

    Allow krb5kdc to stream connect to ipa-otpd

Comment 24 Nathaniel McCallum 2014-03-04 20:59:20 UTC
Verified: working with selinux-policy-3.12.1-127.fc20.

Comment 25 Fedora Update System 2014-03-12 12:17:00 UTC
selinux-policy-3.12.1-127.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.

