Hi, |
|
I'm a newbie trying to write a new policy for MIT Kerberos 5.
I've successfully created the krb5.te domain and I'm managing
to start the krb5kdc and kadmind daemons, and I can connect from a
non-SELinux machine with kadmin to my realm hosted on the
SELinux machine, but I cannot do that from the SELinux machine
itself. Interestingly, dmesg does not produce any message
regarding kadmin at all, so I cannot identify what the
problem is. Can anybody point me in the right direction with this?
|
Following are my krb5.te and krb5.fc files: |
|
krb5.te (this could probably be more concise, but it's my first :-): |
|
# krb5.te -- policy for the MIT Kerberos 5 daemons (krb5kdc, kadmind).
# NOTE(review): krb5_conf_t is used below and in krb5.fc but is not declared
# in this file -- presumably it is declared elsewhere; if not, it needs a
# `type krb5_conf_t, file_type, sysadmfile;` line before first use.

# Type declarations.
# krb5_port_t labels the Kerberos ports. Nothing in this file binds it to
# port numbers, so the matching portcon entries must live in net_contexts.
type krb5_port_t, port_type;
# Files the daemons create under /tmp are given this type (see the
# file_type_auto_trans rule in the temporary-file section).
type krb5_tmp_t, file_type, sysadmfile, tmpfile;

# The krb5_t domain. daemon_domain(krb5) provides krb5_t, krb5_exec_t and
# the usual init-script transition into the domain.
daemon_domain(krb5)
can_exec(krb5_t, { krb5_exec_t bin_t })
# sysadm_t may execute krb5_exec_t binaries, but no transition is defined
# here, so (unless one exists elsewhere) a kadmin started by the
# administrator keeps running as sysadm_t and is not covered by the krb5_t
# rules below -- any denial it hits is recorded against sysadm_t.
can_exec(sysadm_t, krb5_exec_t)

# Configuration: read access to /etc, read/write access to krb5_conf_t.
# NOTE(review): the write/unlink/create set applies to every krb5_conf_t
# object, which per krb5.fc includes /etc/krb5.conf -- broader than "read
# /etc/kdc.conf, read/write /etc/krb5kdc"; a distinct type for the KDC
# database directory would narrow it.
base_file_read_access(krb5_t)
r_dir_file(krb5_t, { etc_t etc_runtime_t })
allow krb5_t krb5_conf_t:dir search;
allow krb5_t krb5_conf_t:notdevfile_class_set { getattr read write unlink create lock };

# Temporary files: new files created in tmp_t become krb5_tmp_t; existing
# tmp_t and initrc_tmp_t files stay readable and writable.
file_type_auto_trans(krb5_t, tmp_t, krb5_tmp_t)
allow krb5_t tmp_t:dir rw_dir_perms;
allow krb5_t { tmp_t initrc_tmp_t }:file { getattr read write unlink create lock };

# Logging under /var/log.
create_append_log_file(krb5_t, var_log_t)
allow krb5_t var_log_t:dir rw_dir_perms;
allow krb5_t var_log_t:file create_file_perms;

# Entropy source (/dev/random).
allow krb5_t random_device_t:chr_file { getattr read };

# Networking: general network access plus binding the Kerberos ports.
can_network(krb5_t)
allow krb5_t krb5_port_t:udp_socket { name_bind create_socket_perms };
allow krb5_t krb5_port_t:tcp_socket { name_bind create_stream_socket_perms };
# NOTE(review): net_bind_service is what binding privileged ports needs;
# net_admin is far stronger and is probably unnecessary -- confirm against
# the audit log before keeping it.
allow krb5_t self:capability { net_bind_service net_admin };
|
|
krb5.fc: |
|
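# krb5.fc -- file contexts for the MIT Kerberos 5 policy.
# Entry-point type shared by both daemons. The kadmin client is given the
# same type, so it is executed through the krb5_exec_t rules in krb5.te
# rather than as an ordinary bin_t program.
/usr/sbin/krb5kdc  --  system_u:object_r:krb5_exec_t
/usr/sbin/kadmind  --  system_u:object_r:krb5_exec_t
/usr/sbin/kadmin   --  system_u:object_r:krb5_exec_t
# Configuration.
/etc/krb5.conf     --  system_u:object_r:krb5_conf_t
# The trailing `?` makes the pattern match the directory itself as well as
# its contents. Without it /etc/krb5kdc keeps its etc_t label and the
# krb5_conf_t:dir rule in krb5.te would not apply to the directory.
/etc/krb5kdc(/.*)?     system_u:object_r:krb5_conf_t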
|
|
ls -Z /usr/sbin/kadmin: |
|
-rwxr-xr-x root root system_u:object_r:krb5_exec_t /usr/sbin/kadmin |
|
root# kadmin -r ETF.BG.AC.YU -p admin/admin -s la-02.etf.bg.ac.yu:88 |
Authenticating as principal admin/admin with password. |
kadmin: Cannot contact any KDC for requested realm while initializing kadmin interface |
|
|
Cheers, |
-- |
Panzer (a.k.a Veselin Mijuskovic) |
Senior System Administrator |
School of Electrical Engineering's Computing Centre |
University of Belgrade, Serbia *** www.etf.bg.ac.yu |
|
-- |
gentoo-hardened@g.o mailing list |