The KDC gained support for forwarding OTP requests to RADIUS servers, but is currently locked down by SELinux from connecting. The full details are here: http://k5wiki.kerberos.org/wiki/Projects/OTPOverRADIUS
The short version is that access is needed to:
1. /var/kerberos/krb5kdc/*.socket
2. Local or remote RADIUS (usually udp 1812)
It seems that remote udp ports work fine already. It is just the local unix sockets that have problems.
type=AVC msg=audit(1370273330.546:479): avc: denied { write } for pid=3708 comm="krb5kdc" name="DEFAULT.socket" dev="dm-0" ino=151097 scontext=system_u:system_r:krb5kdc_t:s0 tcontext=system_u:object_r:krb5kdc_conf_t:s0 tclass=sock_file
type=AVC msg=audit(1370273330.546:479): avc: denied { connectto } for pid=3708 comm="krb5kdc" path="/var/kerberos/krb5kdc/DEFAULT.socket" scontext=system_u:system_r:krb5kdc_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
Also, this only applies to krb5kdc, not any other processes.
What does # ps -efZ |grep initrc
That is what systemd gives to the socket activated daemons it starts. In this case, it is ipa-otpd (from FreeIPA). But it could be anything in the future that wishes to provide this functionality.
Yes, a new policy is needed for ipa-otpd.
Can't we get this socket into /run/kerberos or /run/krb5kdc?
Yes, it would be better. Also I attached the initial policy to the ipa bug for testing.
Daniel, upstream is concerned that the run directory is non-standard (they support lots of operating systems). The best they could offer is that they might accept a patch which allows one to manually specify the socket directory. The KDC_DIR (/var/kerberos/krb5kdc in Fedora) is already a known entity to them and they prefer it here.
Also there is an initial policy for testing https://bugzilla.redhat.com/show_bug.cgi?id=970163
Well /var/run is pretty common. I guess we could set up a symlink between /var/kerberos -> /run/kerberos and then we could maintain this and put the socket files in the correct location.
*** Bug 970163 has been marked as a duplicate of this bug. ***
These are not duplicates. #970163 requests a new policy to constrain ipa-otpd. #970169 requests a change to the existing krb5kdc policy.
Miroslav, I'm still seeing the following in rawhide. Please advise.
type=AVC msg=audit(1391201510.299:407): avc: denied { write } for pid=2092 comm="krb5kdc" name="DEFAULT.socket" dev="vda1" ino=1180184 scontext=system_u:system_r:krb5kdc_t:s0 tcontext=system_u:object_r:krb5kdc_conf_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1391201510.299:407): arch=c000003e syscall=42 success=no exit=-13 a0=c a1=7fd5a58166b0 a2=6e a3=1350143e items=0 ppid=1 pid=2092 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="krb5kdc" exe="/usr/sbin/krb5kdc" subj=system_u:system_r:krb5kdc_t:s0 key=(null)
# ls -Z /var/kerberos/krb5kdc/DEFAULT.socket
srw-------. root root system_u:object_r:krb5kdc_conf_t:s0 /var/kerberos/krb5kdc/DEFAULT.socket
# ps auxZ | grep kdc
system_u:system_r:krb5kdc_t:s0 root 2092 0.0 0.2 224608 5320 ? Ss 15:32 0:00 /usr/sbin/krb5kdc -P /var/run/krb5kdc.pid
So you want us to allow it. There is no chance to do what Dan suggested in the comment #9?
I convinced MIT to adopt the new runstatedir convention (will be in autoconf 2.70). I made a patch to move the socket search location: https://github.com/krb5/krb5/pull/45 If this gets merged, we can backport to krb5 in Fedora and move the FreeIPA socket.
While I'm working with upstream, I moved the socket manually. Here are my results on performing a request:
type=AVC msg=audit(1391716026.974:419): avc: denied { write } for pid=2272 comm="krb5kdc" name="DEFAULT.socket" dev="tmpfs" ino=274575 scontext=system_u:system_r:krb5kdc_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1391716026.974:419): avc: denied { connectto } for pid=2272 comm="krb5kdc" path="/run/krb5kdc/DEFAULT.socket" scontext=system_u:system_r:krb5kdc_t:s0 tcontext=system_u:system_r:ipa_otpd_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1391716026.974:419): arch=c000003e syscall=42 success=yes exit=0 a0=c a1=7f728ec838b0 a2=6e a3=7cf550eb items=0 ppid=1 pid=2272 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="krb5kdc" exe="/usr/sbin/krb5kdc" subj=system_u:system_r:krb5kdc_t:s0 key=(null)
type=SERVICE_START msg=audit(1391716026.982:420): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="ipa-otpd@0-2272-0" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1391716026.982:421): avc: denied { read } for pid=2336 comm="ipa-otpd" name="urandom" dev="devtmpfs" ino=5023 scontext=system_u:system_r:ipa_otpd_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=AVC msg=audit(1391716026.982:421): avc: denied { open } for pid=2336 comm="ipa-otpd" path="/dev/urandom" dev="devtmpfs" ino=5023 scontext=system_u:system_r:ipa_otpd_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1391716026.982:421): arch=c000003e syscall=2 success=yes exit=3 a0=7f71d5e9d744 a1=0 a2=40 a3=7fff141c5c10 items=0 ppid=1 pid=2336 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ipa-otpd" exe="/usr/libexec/ipa-otpd" subj=system_u:system_r:ipa_otpd_t:s0 key=(null)
type=AVC msg=audit(1391716026.983:422): avc: denied { getattr } for pid=2336 comm="ipa-otpd" path="/dev/urandom" dev="devtmpfs" ino=5023 scontext=system_u:system_r:ipa_otpd_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1391716026.983:422): arch=c000003e syscall=5 success=yes exit=0 a0=3 a1=7fff141c5e50 a2=7fff141c5e50 a3=7fff141c5c10 items=0 ppid=1 pid=2336 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ipa-otpd" exe="/usr/libexec/ipa-otpd" subj=system_u:system_r:ipa_otpd_t:s0 key=(null)
type=AVC msg=audit(1391716026.984:423): avc: denied { read } for pid=2336 comm="ipa-otpd" name="resolv.conf" dev="vda1" ino=132344 scontext=system_u:system_r:ipa_otpd_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
type=AVC msg=audit(1391716026.984:423): avc: denied { open } for pid=2336 comm="ipa-otpd" path="/etc/resolv.conf" dev="vda1" ino=132344 scontext=system_u:system_r:ipa_otpd_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
type=SYSCALL msg=audit(1391716026.984:423): arch=c000003e syscall=2 success=yes exit=6 a0=7f71d7a9f41a a1=80000 a2=1b6 a3=7fff141c5b00 items=0 ppid=1 pid=2336 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ipa-otpd" exe="/usr/libexec/ipa-otpd" subj=system_u:system_r:ipa_otpd_t:s0 key=(null)
type=AVC msg=audit(1391716026.984:424): avc: denied { getattr } for pid=2336 comm="ipa-otpd" path="/etc/resolv.conf" dev="vda1" ino=132344 scontext=system_u:system_r:ipa_otpd_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
type=SYSCALL msg=audit(1391716026.984:424): arch=c000003e syscall=5 success=yes exit=0 a0=6 a1=7fff141c39d0 a2=7fff141c39d0 a3=0 items=0 ppid=1 pid=2336 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ipa-otpd" exe="/usr/libexec/ipa-otpd" subj=system_u:system_r:ipa_otpd_t:s0 key=(null)
The socket directory is now moved in krb5-1.11.5-3.fc20.
The correct labeling is coming with today's build/update.
selinux-policy-3.12.1-126.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-126.fc20
I am still seeing this with the new build:
type=AVC msg=audit(1392830817.754:418): avc: denied { connectto } for pid=3045 comm="krb5kdc" path="/run/krb5kdc/DEFAULT.socket" scontext=system_u:system_r:krb5kdc_t:s0 tcontext=system_u:system_r:ipa_otpd_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1392830817.754:418): arch=c000003e syscall=42 success=yes exit=0 a0=c a1=7f000aa833d0 a2=6e a3=4314903a items=0 ppid=1 pid=3045 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="krb5kdc" exe="/usr/sbin/krb5kdc" subj=system_u:system_r:krb5kdc_t:s0 key=(null)
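As an added illustration (not part of this bug report, nor code from the krb5, FreeIPA or selinux-policy projects), the following Python script groups audit records like the ones posted in this thread by event id, pairs each AVC record with its SYSCALL record, and reports whether the denied access was actually blocked (success=no, as in the rawhide report above) or only logged because the system or the source domain is running in permissive mode (success=yes, as in the report just above). It also prints the allow-rule shape that audit2allow would derive for each denial, which is what the policy fix in this bug amounts to. The sample records are copied from this thread; nothing beyond the standard audit record format is assumed.

```python
import re
from collections import defaultdict

# Sample audit records copied from this bug report: event 407 (comment with the
# rawhide denial, access blocked) and event 418 (denial logged, access succeeded).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1391201510.299:407): avc: denied { write } for pid=2092 comm="krb5kdc" name="DEFAULT.socket" dev="vda1" ino=1180184 scontext=system_u:system_r:krb5kdc_t:s0 tcontext=system_u:object_r:krb5kdc_conf_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1391201510.299:407): arch=c000003e syscall=42 success=no exit=-13 a0=c a1=7fd5a58166b0 a2=6e a3=1350143e items=0 ppid=1 pid=2092 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="krb5kdc" exe="/usr/sbin/krb5kdc" subj=system_u:system_r:krb5kdc_t:s0 key=(null)
type=AVC msg=audit(1392830817.754:418): avc: denied { connectto } for pid=3045 comm="krb5kdc" path="/run/krb5kdc/DEFAULT.socket" scontext=system_u:system_r:krb5kdc_t:s0 tcontext=system_u:system_r:ipa_otpd_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1392830817.754:418): arch=c000003e syscall=42 success=yes exit=0 a0=c a1=7f000aa833d0 a2=6e a3=4314903a items=0 ppid=1 pid=3045 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="krb5kdc" exe="/usr/sbin/krb5kdc" subj=system_u:system_r:krb5kdc_t:s0 key=(null)
"""

# Every record starts with its type and the audit(timestamp:serial) event id;
# records sharing an event id belong to the same syscall.
EVENT_RE = re.compile(r'^type=(?P<type>\w+) msg=audit\((?P<event>[\d.]+:\d+)\): (?P<body>.*)$')
# AVC body: permissions in braces, then source/target contexts and object class.
AVC_RE = re.compile(r'avc: +denied +\{ (?P<perms>[^}]+)\} for .*?'
                    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)')
# SYSCALL body is a flat key=value list; values may be quoted.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def selinux_type(context):
    """Extract the type field from a user:role:type[:mls] security context."""
    return context.split(':')[2]


def parse_events(text):
    """Group audit records by event id.

    Returns {event_id: {'avc': [parsed AVC dicts], 'syscall': {key: value} or None}}.
    """
    events = defaultdict(lambda: {'avc': [], 'syscall': None})
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue  # not an audit record (blank line, unrelated text)
        rec_type, event, body = m.group('type', 'event', 'body')
        if rec_type == 'AVC':
            a = AVC_RE.search(body)
            if a:
                events[event]['avc'].append({
                    'perms': a.group('perms').split(),
                    'source': selinux_type(a.group('scontext')),
                    'target': selinux_type(a.group('tcontext')),
                    'tclass': a.group('tclass'),
                })
        elif rec_type == 'SYSCALL':
            events[event]['syscall'] = {k: v.strip('"') for k, v in KV_RE.findall(body)}
    return dict(events)


def classify(events):
    """One finding per AVC record: was the access blocked, or only logged?

    success=no  -> the kernel refused the operation (enforcing).
    success=yes -> denial logged but operation went ahead (permissive mode or
                   a permissive domain); the policy gap still needs fixing.
    """
    findings = []
    for event, rec in sorted(events.items()):
        sc = rec['syscall'] or {}
        success = sc.get('success')
        for avc in rec['avc']:
            if success == 'no':
                outcome = 'blocked'
            elif success == 'yes':
                outcome = 'allowed-but-logged'
            else:
                outcome = 'unknown'  # no SYSCALL record paired with this AVC
            # Same rule shape audit2allow derives from a denial.
            rule = 'allow %s %s:%s { %s };' % (
                avc['source'], avc['target'], avc['tclass'], ' '.join(avc['perms']))
            findings.append({'event': event, 'comm': sc.get('comm'),
                             'outcome': outcome, 'rule': rule})
    return findings


if __name__ == '__main__':
    for f in classify(parse_events(SAMPLE_AUDIT)):
        print('%s %-8s %-20s %s' % (f['event'], f['comm'], f['outcome'], f['rule']))
```

Running it against the two events above shows event 407 as blocked (the sock_file write that the relabeling of the socket directory resolved) and event 418 as allowed-but-logged, which is why the request still worked while the connectto rule was missing; the derived rule for 418 matches the one-line description of the final policy commit.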
Package selinux-policy-3.12.1-126.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-126.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-2801/selinux-policy-3.12.1-126.fc20
then log in and leave karma (feedback).
This does not fix my issue.
Package selinux-policy-3.12.1-127.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-127.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-2801/selinux-policy-3.12.1-127.fc20
then log in and leave karma (feedback).
commit 38d40cf021eb394f8980b7a8fc51f4ee9426a3c3
Author: Miroslav Grepl <mgrepl>
Date: Mon Mar 3 11:39:08 2014 +0100

    Allow krb5kdc to stream connect to ipa-otpd
Verified: working with selinux-policy-3.12.1-127.fc20.
selinux-policy-3.12.1-127.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.