I'm trying to switch a working Kerberos server from targeted/enforcing
to mls/enforcing. The krb5kdc daemon starts fine, but kadmin does not.
There is a single AVC in the audit log:
type=AVC msg=audit(1219421464.372:719): avc: denied { getattr } for pid=2436
comm="kadmind" path="/var/tmp/kadmin_0" dev=dm-5 ino=82064
scontext=system_u:system_r:kadmind_t:s0-s15:c0.c1023
tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=file
I ran this through audit2allow and loaded the module, with no luck. I
ran 'semodule -DB' to see what else was being hit and not audited, and
got quite a few more:
type=AVC msg=audit(1219421462.655:714): avc: denied { siginh } for pid=2436
comm="kadmind" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023
tcontext=system_u:system_r:kadmind_t:s0-s15:c0.c1023 tclass=process
type=AVC msg=audit(1219421462.655:714): avc: denied { rlimitinh } for pid=2436
comm="kadmind" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023
tcontext=system_u:system_r:kadmind_t:s0-s15:c0.c1023 tclass=process
type=AVC msg=audit(1219421462.655:714): avc: denied { noatsecure } for pid=2436
comm="kadmind" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023
tcontext=system_u:system_r:kadmind_t:s0-s15:c0.c1023 tclass=process
type=SYSCALL msg=audit(1219421462.655:714): arch=14 syscall=11 success=yes exit=0
a0=100f1600 a1=100f13b0 a2=100f03d8 a3=0 items=0 ppid=2435 pid=2436 auid=0 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts6 ses=5 comm="kadmind"
exe="/usr/kerberos/sbin/kadmind"
subj=system_u:system_r:kadmind_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1219421462.668:715): avc: denied { read } for pid=2436
comm="kadmind" name="config" dev=dm-5 ino=57734
scontext=system_u:system_r:kadmind_t:s0-s15:c0.c1023
tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
type=SYSCALL msg=audit(1219421462.668:715): arch=14 syscall=5 success=no exit=-13
a0=1fcdc380 a1=10000 a2=1b6 a3=0 items=0 ppid=2435 pid=2436 auid=0 uid=0 gid=0 euid=0
suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts6 ses=5 comm="kadmind"
exe="/usr/kerberos/sbin/kadmind"
subj=system_u:system_r:kadmind_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1219421462.670:716): avc: denied { write } for pid=2436
comm="kadmind" name="kdc.conf" dev=dm-5 ino=82034
scontext=system_u:system_r:kadmind_t:s0-s15:c0.c1023
tcontext=system_u:object_r:krb5kdc_conf_t:s0 tclass=file
type=SYSCALL msg=audit(1219421462.670:716): arch=14 syscall=33 success=no exit=-13
a0=20020c30 a1=2 a2=1b6 a3=0 items=0 ppid=2435 pid=2436 auid=0 uid=0 gid=0 euid=0 suid=0
fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts6 ses=5 comm="kadmind"
exe="/usr/kerberos/sbin/kadmind"
subj=system_u:system_r:kadmind_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1219421462.671:717): avc: denied { write } for pid=2436
comm="kadmind" name="krb5.conf" dev=dm-5 ino=378227
scontext=system_u:system_r:kadmind_t:s0-s15:c0.c1023
tcontext=system_u:object_r:krb5_conf_t:s0 tclass=file
type=SYSCALL msg=audit(1219421462.671:717): arch=14 syscall=33 success=no exit=-13
a0=20020d20 a1=2 a2=1b6 a3=0 items=0 ppid=2435 pid=2436 auid=0 uid=0 gid=0 euid=0 suid=0
fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts6 ses=5 comm="kadmind"
exe="/usr/kerberos/sbin/kadmind"
subj=system_u:system_r:kadmind_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1219421464.369:718): avc: denied { name_bind } for pid=2436
comm="kadmind" src=916 scontext=system_u:system_r:kadmind_t:s0-s15:c0.c1023
tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1219421464.369:718): arch=14 syscall=102 success=no exit=-13 a0=2
a1=bfb6c484 a2=10 a3=bfb6c5dc items=0 ppid=2435 pid=2436 auid=0 uid=0 gid=0 euid=0 suid=0
fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts6 ses=5 comm="kadmind"
exe="/usr/kerberos/sbin/kadmind"
subj=system_u:system_r:kadmind_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1219421464.372:719): avc: denied { getattr } for pid=2436
comm="kadmind" path="/var/tmp/kadmin_0" dev=dm-5 ino=82064
scontext=system_u:system_r:kadmind_t:s0-s15:c0.c1023
tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=file
type=SYSCALL msg=audit(1219421464.372:719): arch=14 syscall=195 success=no exit=-13
a0=203136c0 a1=bfb6c120 a2=bfb6c120 a3=0 items=0 ppid=2435 pid=2436 auid=0 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts6 ses=5 comm="kadmind"
exe="/usr/kerberos/sbin/kadmind"
subj=system_u:system_r:kadmind_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1219421464.405:720): avc: denied { getattr } for pid=2436
comm="kadmind" path="/var/tmp/kadmin_0" dev=dm-5 ino=82064
scontext=system_u:system_r:kadmind_t:s0-s15:c0.c1023
tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=file
type=SYSCALL msg=audit(1219421464.405:720): arch=14 syscall=195 success=no exit=-13
a0=20409ad8 a1=bfb6c120 a2=bfb6c120 a3=0 items=0 ppid=2435 pid=2436 auid=0 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts6 ses=5 comm="kadmind"
exe="/usr/kerberos/sbin/kadmind"
subj=system_u:system_r:kadmind_t:s0-s15:c0.c1023 key=(null)
Running this through audit2allow and loading the module doesn't help
either... What can I try next?
--
Robert Story
SPARTA
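An added triage helper, written for this thread and not part of the post or any list reply: it parses AVC records like the ones above and sorts each denial into one of three buckets. A target of unlabeled_t usually means the file's context is not defined in the policy now loaded (typical after switching from targeted to mls without a full relabel), so the remedy is relabeling rather than allowing access to unlabeled_t; an object whose sensitivity exceeds the subject's clearance is an MLS mismatch; anything else is an ordinary type-enforcement gap that audit2allow can describe. The sample records are constructed from the post, and the sensitivity comparison ignores categories.

```python
import re

# Constructed sample records, modelled on two AVCs quoted in the post.
SAMPLE_AVCS = [
    'type=AVC msg=audit(1219421464.372:719): avc: denied { getattr } for pid=2436 '
    'comm="kadmind" path="/var/tmp/kadmin_0" dev=dm-5 ino=82064 '
    'scontext=system_u:system_r:kadmind_t:s0-s15:c0.c1023 '
    'tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=file',
    'type=AVC msg=audit(1219421462.668:715): avc: denied { read } for pid=2436 '
    'comm="kadmind" name="config" dev=dm-5 ino=57734 '
    'scontext=system_u:system_r:kadmind_t:s0-s15:c0.c1023 '
    'tcontext=system_u:object_r:selinux_config_t:s0 tclass=file',
]

AVC_RE = re.compile(
    r'denied \{ (?P<perm>[^}]+)\} .*?scontext=(?P<s>\S+) '
    r'tcontext=(?P<t>\S+) tclass=(?P<cls>\S+)'
)

def split_context(ctx):
    """'user:role:type:range' -> (user, role, type, low_level, high_level)."""
    user, role, typ, rng = ctx.split(':', 3)
    low, _, high = rng.partition('-')      # 's0-s15:c0.c1023' or plain 's0'
    return user, role, typ, low, high or low

def sensitivity(level):
    """'s15:c0.c1023' -> 15; categories are deliberately ignored here."""
    return int(level.split(':')[0][1:])

def triage(avc_line):
    """Classify one AVC line as 'relabel', 'mls' or 'type' (or None if unparsable)."""
    m = AVC_RE.search(avc_line)
    if not m:
        return None
    _, _, s_type, _, s_high = split_context(m['s'])
    _, _, t_type, t_low, _ = split_context(m['t'])
    if 'unlabeled_t' in (s_type, t_type):
        verdict = 'relabel'   # context unknown to the loaded policy: restore labels first
    elif sensitivity(t_low) > sensitivity(s_high):
        verdict = 'mls'       # object sits above the subject's clearance
    else:
        verdict = 'type'      # plain TE gap: a policy rule is what audit2allow can express
    return {'perm': m['perm'].strip(), 'class': m['cls'],
            'source': s_type, 'target': t_type, 'verdict': verdict}

if __name__ == '__main__':
    for line in SAMPLE_AVCS:
        print(triage(line))
```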