[temporary solved] Part 2: LDAP/Kerberos: SELinux is screwing me up!

Daniel B. Thurman dant at cdkkt.com
Mon Dec 19 21:30:09 UTC 2005


>From: fedora-list-bounces at redhat.com
>[mailto:fedora-list-bounces at redhat.com]On Behalf Of Daniel B. Thurman
>Sent: Monday, December 19, 2005 12:36 PM
>To: For users of Fedora Core releases
>Subject: Part 2: LDAP/Kerberos: SELinux is screwing me up!
>
>
>
>This is part #2 of my issues regarding selinux
>where a restore of my filesystem was somehow
>not getting all of the selinux attributes correct.
>
>Fortunately, my FrontPage extensions still work, and for
>some reason the LDAP/Kerberos setup is now broken.
>
>Further problems reveal that my LDAP and Kerberos setup for
>SASL is no longer working.  Ugh.  I spent many weeks
>fighting this, got it working, and now it is broken again.
>
>I do recall that I used a manual setsebool command to disable
>selinux for kerberos/ldap, but I cannot recall exactly what I did.
>I tried:
>
>setsebool -P kadmind_disable_trans 1
>setsebool -P krb5kdc_disable_trans 1

OK, I have temporarily solved this issue....

1) setsebool -P slapd_disable_trans 1
2) restart ldap (/etc/init.d/ldap restart)

>
>But this apparently does not solve my issue...
>
>Please note that I ran my LDAP testing program with selinux=0
>(disabled) at boot and everything runs without errors. My
>LDAP program breaks only when selinux is active.
>
>Under selinux, LDAP with no authentication, with SSL, and with SSL
>via TLS works fine.  It is now SASL that is broken. This problem
>existed with FC4 with the original scripts starting the LDAP server,
>so I used a modified script to get SASL back to working and this
>problem/issue was not resolved or revisited in bugzilla, as
>it supposedly was to be researched/resolved by someone.
>
>It appears that slapd is trying to access /etc/krb5.conf file
>and perhaps selinux refuses to allow it.  I disabled the selinux
>in the security-policies gui on my system but this does not seem
>to have any effect.
>
>Can anyone shed some light on this?
>
>Anyway, here is what I ran and the audit results:
>
>#############################
>SASL auth, no encryption
>#############################
>ldapsearch  -H ldap://ldap.cdkkt.com/ -b dc=cdkkt,dc=com
>SASL/GSSAPI authentication started
>ldap_sasl_interactive_bind_s: Internal (implementation 
>specific) error (80)
>        additional info: SASL(-1): generic failure: GSSAPI 
>Error: Miscellaneous
>failure (Resource temporarily unavailable)
>
>DEBUG VERSION
>==============
>ldapsearch -d 1 -H ldap://ldap.cdkkt.com/ -b dc=cdkkt,dc=com
>ldap_create
>ldap_url_parse_ext(ldap://ldap.cdkkt.com/)
>ldap_pvt_sasl_getmech
>ldap_search
>put_filter: "(objectclass=*)"
>put_filter: simple
>put_simple_filter: "objectclass=*"
>ldap_send_initial_request
>ldap_new_connection
>ldap_int_open_connection
>ldap_connect_to_host: TCP ldap.cdkkt.com:389
>ldap_new_socket: 3
>ldap_prepare_socket: 3
>ldap_connect_to_host: Trying 216.99.218.205:389
>ldap_connect_timeout: fd: 3 tm: -1 async: 0
>ldap_ndelay_on: 3
>ldap_is_sock_ready: 3
>ldap_ndelay_off: 3
>ldap_open_defconn: successful
>ldap_send_server_request
>ber_flush: 64 bytes to sd 3
>ldap_result msgid 1
>ldap_chkResponseList for msgid=1, all=1
>ldap_chkResponseList returns NULL
>wait4msg (infinite timeout), msgid 1
>wait4msg continue, msgid 1, all 1
>** Connections:
>* host: ldap.cdkkt.com  port: 389  (default)
>  refcnt: 2  status: Connected
>  last used: Mon Dec 19 11:49:43 2005
>
>** Outstanding Requests:
> * msgid 1,  origid 1, status InProgress
>   outstanding referrals 0, parent count 0
>** Response Queue:
>   Empty
>ldap_chkResponseList for msgid=1, all=1
>ldap_chkResponseList returns NULL
>ldap_int_select
>read1msg: msgid 1, all 1
>ber_get_next
>ber_get_next: tag 0x30 len 46 contents:
>ldap_read: message type search-entry msgid 1, original id 1
>wait4msg continue, msgid 1, all 1
>** Connections:
>* host: ldap.cdkkt.com  port: 389  (default)
>  refcnt: 2  status: Connected
>  last used: Mon Dec 19 11:49:43 2005
>
>** Outstanding Requests:
> * msgid 1,  origid 1, status InProgress
>   outstanding referrals 0, parent count 0
>** Response Queue:
> * msgid 1,  type 100
>ldap_chkResponseList for msgid=1, all=1
>ldap_chkResponseList returns NULL
>ldap_int_select
>read1msg: msgid 1, all 1
>ber_get_next
>ber_get_next: tag 0x30 len 12 contents:
>ldap_read: message type search-result msgid 1, original id 1
>ber_scanf fmt ({iaa) ber:
>read1msg:  0 new referrals
>read1msg:  mark request completed, id = 1
>request 1 done
>res_errno: 0, res_error: <>, res_matched: <>
>ldap_free_request (origid 1, msgid 1)
>ldap_free_connection
>ldap_free_connection: refcnt 1
>adding response id 1 type 101:
>ldap_parse_result
>ber_scanf fmt ({iaa) ber:
>ber_scanf fmt (}) ber:
>ldap_get_values
>ber_scanf fmt ({x{{a) ber:
>ber_scanf fmt ([v]) ber:
>ldap_msgfree
>ldap_sasl_interactive_bind_s: server supports: GSSAPI
>ldap_int_sasl_bind: GSSAPI
>ldap_int_sasl_open: host=sysb.cdkkt.com
>SASL/GSSAPI authentication started
>ldap_sasl_bind_s
>ldap_sasl_bind
>ldap_send_initial_request
>ldap_send_server_request
>ber_flush: 556 bytes to sd 3
>ldap_result msgid 2
>ldap_chkResponseList for msgid=2, all=1
>ldap_chkResponseList returns NULL
>wait4msg (infinite timeout), msgid 2
>wait4msg continue, msgid 2, all 1
>** Connections:
>* host: ldap.cdkkt.com  port: 389  (default)
>  refcnt: 2  status: Connected
>  last used: Mon Dec 19 11:49:43 2005
>
>** Outstanding Requests:
> * msgid 2,  origid 2, status InProgress
>   outstanding referrals 0, parent count 0
>** Response Queue:
>   Empty
>ldap_chkResponseList for msgid=2, all=1
>ldap_chkResponseList returns NULL
>ldap_int_select
>read1msg: msgid 2, all 1
>ber_get_next
>ber_get_next: tag 0x30 len 109 contents:
>ldap_read: message type bind msgid 2, original id 2
>ber_scanf fmt ({iaa) ber:
>read1msg:  0 new referrals
>read1msg:  mark request completed, id = 2
>request 2 done
>res_errno: 0, res_error: <>, res_matched: <>
>ldap_free_request (origid 2, msgid 2)
>ldap_free_connection
>ldap_free_connection: refcnt 1
>ldap_parse_sasl_bind_result
>ber_scanf fmt ({iaa) ber:
>ldap_msgfree
>ldap_perror
>ldap_sasl_interactive_bind_s: Internal (implementation 
>specific) error (80)
>        additional info: SASL(-1): generic failure: GSSAPI 
>Error: Miscellaneous
>failure (Resource temporarily unavailable)
>
>Results of /var/log/audit/audit.log:
>====================================
>type=AVC msg=audit(1135018595.351:2889): avc:  denied  { 
>getattr } for  pid=25974 comm="slapd" name="krb5.conf" 
>dev=hda2 ino=1213967 scontext=root:system_r:slapd_t 
>tcontext=system_u:object_r:krb5_conf_t tclass=file
>type=SYSCALL msg=audit(1135018595.351:2889): arch=40000003 
>syscall=195 success=no exit=-13 a0=8d1d848 a1=b6011d4c 
>a2=52aff4 a3=43a70263 items=1 pid=25974 auid=4294967295 uid=55 
>gid=55 euid=55 suid=55 fsuid=55 egid=55 sgid=55 fsgid=55 
>comm="slapd" exe="/usr/sbin/slapd"
>type=AVC_PATH msg=audit(1135018595.351:2889):  path="/etc/krb5.conf"
>type=CWD msg=audit(1135018595.351:2889):  cwd="/root"
>type=PATH msg=audit(1135018595.351:2889): item=0 
>name="/etc/krb5.conf" flags=1 inode=1213967 dev=03:02 
>mode=0100644 ouid=0 ogid=0 rdev=00:00
>type=AVC msg=audit(1135018595.359:2890): avc:  denied  { 
>getattr } for  pid=25974 comm="slapd" name="krb5.conf" 
>dev=hda2 ino=1213967 scontext=root:system_r:slapd_t 
>tcontext=system_u:object_r:krb5_conf_t tclass=file
>type=SYSCALL msg=audit(1135018595.359:2890): arch=40000003 
>syscall=195 success=no exit=-13 a0=8d1d848 a1=b6011d4c 
>a2=52aff4 a3=43a70263 items=1 pid=25974 auid=4294967295 uid=55 
>gid=55 euid=55 suid=55 fsuid=55 egid=55 sgid=55 fsgid=55 
>comm="slapd" exe="/usr/sbin/slapd"
>type=AVC_PATH msg=audit(1135018595.359:2890):  path="/etc/krb5.conf"
>type=CWD msg=audit(1135018595.359:2890):  cwd="/root"
>type=PATH msg=audit(1135018595.359:2890): item=0 
>name="/etc/krb5.conf" flags=1 inode=1213967 dev=03:02 
>mode=0100644 ouid=0 ogid=0 rdev=00:00
>type=AVC msg=audit(1135018595.363:2891): avc:  denied  { 
>getattr } for  pid=25974 comm="slapd" name="krb5.conf" 
>dev=hda2 ino=1213967 scontext=root:system_r:slapd_t 
>tcontext=system_u:object_r:krb5_conf_t tclass=file
>type=SYSCALL msg=audit(1135018595.363:2891): arch=40000003 
>syscall=195 success=no exit=-13 a0=8d1d848 a1=b6013cbc 
>a2=52aff4 a3=43a70263 items=1 pid=25974 auid=4294967295 uid=55 
>gid=55 euid=55 suid=55 fsuid=55 egid=55 sgid=55 fsgid=55 
>comm="slapd" exe="/usr/sbin/slapd"
>type=AVC_PATH msg=audit(1135018595.363:2891):  path="/etc/krb5.conf"
>type=CWD msg=audit(1135018595.363:2891):  cwd="/root"
>type=PATH msg=audit(1135018595.363:2891): item=0 
>name="/etc/krb5.conf" flags=1 inode=1213967 dev=03:02 
>mode=0100644 ouid=0 ogid=0 rdev=00:00
>type=AVC msg=audit(1135018595.363:2892): avc:  denied  { 
>getattr } for  pid=25974 comm="slapd" name="krb5.conf" 
>dev=hda2 ino=1213967 scontext=root:system_r:slapd_t 
>tcontext=system_u:object_r:krb5_conf_t tclass=file
>type=SYSCALL msg=audit(1135018595.363:2892): arch=40000003 
>syscall=195 success=no exit=-13 a0=8d1d848 a1=b6013cbc 
>a2=52aff4 a3=43a70263 items=1 pid=25974 auid=4294967295 uid=55 
>gid=55 euid=55 suid=55 fsuid=55 egid=55 sgid=55 fsgid=55 
>comm="slapd" exe="/usr/sbin/slapd"
>type=AVC_PATH msg=audit(1135018595.363:2892):  path="/etc/krb5.conf"
>type=CWD msg=audit(1135018595.363:2892):  cwd="/root"
>type=PATH msg=audit(1135018595.363:2892): item=0 
>name="/etc/krb5.conf" flags=1 inode=1213967 dev=03:02 
>mode=0100644 ouid=0 ogid=0 rdev=00:00
>type=AVC msg=audit(1135018595.363:2893): avc:  denied  { lock 
>} for  pid=25974 comm="slapd" name="ldap.keytab" dev=hda2 
>ino=1214046 scontext=root:system_r:slapd_t 
>tcontext=system_u:object_r:etc_t tclass=file
>type=SYSCALL msg=audit(1135018595.363:2893): arch=40000003 
>syscall=221 success=no exit=-13 a0=e a1=e a2=b6015d34 
>a3=b6015d34 items=0 pid=25974 auid=4294967295 uid=55 gid=55 
>euid=55 suid=55 fsuid=55 egid=55 sgid=55 fsgid=55 comm="slapd" 
>exe="/usr/sbin/slapd"
>type=AVC_PATH msg=audit(1135018595.363:2893):  
>path="/etc/openldap/ldap.keytab"
>type=AVC msg=audit(1135018595.363:2894): avc:  denied  { 
>getattr } for  pid=25974 comm="slapd" name="krb5.conf" 
>dev=hda2 ino=1213967 scontext=root:system_r:slapd_t 
>tcontext=system_u:object_r:krb5_conf_t tclass=file
>type=SYSCALL msg=audit(1135018595.363:2894): arch=40000003 
>syscall=195 success=no exit=-13 a0=8d1d848 a1=b6013dcc 
>a2=52aff4 a3=43a70263 items=1 pid=25974 auid=4294967295 uid=55 
>gid=55 euid=55 suid=55 fsuid=55 egid=55 sgid=55 fsgid=55 
>comm="slapd" exe="/usr/sbin/slapd"
>type=AVC_PATH msg=audit(1135018595.363:2894):  path="/etc/krb5.conf"
>type=CWD msg=audit(1135018595.363:2894):  cwd="/root"
>type=PATH msg=audit(1135018595.363:2894): item=0 
>name="/etc/krb5.conf" flags=1 inode=1213967 dev=03:02 
>mode=0100644 ouid=0 ogid=0 rdev=00:00
>type=AVC msg=audit(1135018595.363:2895): avc:  denied  { 
>getattr } for  pid=25974 comm="slapd" name="krb5.conf" 
>dev=hda2 ino=1213967 scontext=root:system_r:slapd_t 
>tcontext=system_u:object_r:krb5_conf_t tclass=file
>type=SYSCALL msg=audit(1135018595.363:2895): arch=40000003 
>syscall=195 success=no exit=-13 a0=8d1d848 a1=b6013dcc 
>a2=52aff4 a3=43a70263 items=1 pid=25974 auid=4294967295 uid=55 
>gid=55 euid=55 suid=55 fsuid=55 egid=55 sgid=55 fsgid=55 
>comm="slapd" exe="/usr/sbin/slapd"
>type=AVC_PATH msg=audit(1135018595.363:2895):  path="/etc/krb5.conf"
>type=CWD msg=audit(1135018595.363:2895):  cwd="/root"
>type=PATH msg=audit(1135018595.363:2895): item=0 
>name="/etc/krb5.conf" flags=1 inode=1213967 dev=03:02 
>mode=0100644 ouid=0 ogid=0 rdev=00:00
>type=USER_AUTH msg=audit(1135018639.854:2896): user pid=3406 
>uid=0 auid=4294967295 msg='PAM authentication: user= 
>exe="/usr/bin/gdm-binary" (hostname=?, addr=?, terminal=:0 
>result=Authentication failure)'
>type=USER_AUTH msg=audit(1135018648.270:2897): user pid=3406 
>uid=0 auid=4294967295 msg='PAM authentication: user=root 
>exe="/usr/bin/gdm-binary" (hostname=?, addr=?, terminal=:0 
>result=Success)'
>type=USER_ACCT msg=audit(1135018648.274:2898): user pid=3406 
>uid=0 auid=4294967295 msg='PAM accounting: user=root 
>exe="/usr/bin/gdm-binary" (hostname=?, addr=?, terminal=:0 
>result=Success)'
>type=CRED_ACQ msg=audit(1135018648.302:2899): user pid=3406 
>uid=0 auid=4294967295 msg='PAM setcred: user=root 
>exe="/usr/bin/gdm-binary" (hostname=?, addr=?, terminal=:0 
>result=Success)'
>type=USER_START msg=audit(1135018648.306:2900): user pid=3406 
>uid=0 auid=4294967295 msg='PAM session open: user=root 
>exe="/usr/bin/gdm-binary" (hostname=?, addr=?, terminal=:0 
>result=Success)'
>
>Kind regards,
>Dan

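As an added example (not from this thread), a small Python triage script for AVC records of the shape quoted above: it groups the denied permissions by source type, target type and class, renders the narrowest allow rules in TE syntax (what audit2allow would emit) as a least-privilege alternative to `setsebool slapd_disable_trans`, and flags denials whose target carries a generic type such as etc_t, which for the ldap.keytab here points at a restore that lost file contexts (a restorecon job) rather than at a missing rule. The sample log lines are constructed from the post and re-joined onto single lines.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the audit.log records quoted in the post,
# re-joined onto single lines (the mail client wrapped them).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1135018595.351:2889): avc:  denied  { getattr } for  pid=25974 comm="slapd" name="krb5.conf" dev=hda2 ino=1213967 scontext=root:system_r:slapd_t tcontext=system_u:object_r:krb5_conf_t tclass=file
type=CWD msg=audit(1135018595.351:2889):  cwd="/root"
type=AVC msg=audit(1135018595.363:2893): avc:  denied  { lock } for  pid=25974 comm="slapd" name="ldap.keytab" dev=hda2 ino=1214046 scontext=root:system_r:slapd_t tcontext=system_u:object_r:etc_t tclass=file
type=AVC_PATH msg=audit(1135018595.363:2893):  path="/etc/openldap/ldap.keytab"
"""

AVC_RE = re.compile(
    r'type=AVC msg=audit\([\d.]+:(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{ (?P<perms>[^}]*)\} for\s+.*?comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)')
PATH_RE = re.compile(
    r'type=AVC_PATH msg=audit\([\d.]+:(?P<serial>\d+)\):\s+path="(?P<path>[^"]*)"')

# Reference-policy catch-all file types: a denial against one of these usually
# means the object lost its proper label, not that the domain needs more rights.
GENERIC_TYPES = {"etc_t", "default_t", "unlabeled_t", "file_t"}

def parse_denials(log_text):
    """Group denied permissions by (source type, target type, object class);
    also map audit serials to the paths reported in AVC_PATH records."""
    denials, paths = defaultdict(set), {}
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            src = m.group("scontext").split(":")[2]   # user:role:TYPE[:level]
            tgt = m.group("tcontext").split(":")[2]
            denials[(src, tgt, m.group("tclass"))].update(m.group("perms").split())
            continue
        p = PATH_RE.search(line)
        if p:
            paths[p.group("serial")] = p.group("path")
    return dict(denials), paths

def te_rules(denials):
    """Narrowest allow rules, in TE syntax (what audit2allow emits), that cover
    exactly the observed denials while keeping slapd confined in slapd_t."""
    return [f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
            for (src, tgt, cls), perms in sorted(denials.items())]

def likely_mislabeled(denials):
    """Denials whose target has a generic type: fix the label, not the policy."""
    return [key for key in sorted(denials) if key[1] in GENERIC_TYPES]

if __name__ == "__main__":
    found, where = parse_denials(SAMPLE_AUDIT_LOG)
    print("\n".join(te_rules(found)))
    print("check labels on:", likely_mislabeled(found), where)
```

Run it against a real /var/log/audit/audit.log by passing the file contents to parse_denials; the rules it prints are candidates to review, not to load blindly.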