Gentoo Archives: gentoo-hardened

From: Veselin Mijuskovic <panzer@×××××××××.yu>
To: gentoo-hardened@l.g.o
Subject: [gentoo-hardened] SELinux - problem creating new rules for Kerberos
Date: Wed, 18 Aug 2004 15:14:44
Message-Id: 200408181719.43535.panzer@etf.bg.ac.yu
Hi,

I'm a newbie trying to create a new rule for MIT Kerberos 5.
I've successfully created the krb5.te domain and I'm managing
to start the krb5kdc and kr5kadm daemons, and I can connect from a
non-SELinux machine with kadmin to my realm hosted on the
SELinux machine, but I cannot do that from the SELinux machine
itself. Interestingly, dmesg does not produce any message
regarding kadmin at all, so I cannot identify what the
problem is. Can anybody point me in the right direction with this?

Following are my krb5.te and krb5.fc files:

krb5.te (this could probably be more concise, but it's my first :-):

# Port type for the KDC/kadmin ports (the port numbers themselves are
# bound to krb5_port_t with portcon lines in net_contexts, not here)
type krb5_port_t, port_type;
# Private type for the daemons' files under /tmp
type krb5_tmp_t, file_type, sysadmfile, tmpfile;
# Type for the configuration (/etc/krb5.conf and /etc/krb5kdc).
# Assumed missing from the posted file: the rules below reference
# krb5_conf_t and checkpolicy rejects an undeclared type, so it is
# declared here; drop this line if it is already declared elsewhere.
type krb5_conf_t, file_type, sysadmfile;

# krb5_t domain
daemon_domain(krb5)
can_exec(krb5_t, { krb5_exec_t bin_t })
# can_exec is not a domain transition: kadmin started by root runs
# in sysadm_t, not in krb5_t
can_exec(sysadm_t, krb5_exec_t)

# allow krb5 to read /etc/krb5.conf and read,write /etc/krb5kdc
base_file_read_access(krb5_t)
allow krb5_t krb5_conf_t:notdevfile_class_set { getattr read write unlink create lock };
allow krb5_t krb5_conf_t:dir search;

r_dir_file(krb5_t, { etc_t etc_runtime_t })

# logging
create_append_log_file(krb5_t, var_log_t)
allow krb5_t var_log_t:dir rw_dir_perms;
allow krb5_t var_log_t:file create_file_perms;

# temporary files: anything krb5_t creates in /tmp is labelled krb5_tmp_t
file_type_auto_trans(krb5_t, tmp_t, krb5_tmp_t)
allow krb5_t tmp_t:dir rw_dir_perms;
allow krb5_t tmp_t:file { getattr read write unlink create lock };
allow krb5_t initrc_tmp_t:file { getattr read write unlink create lock };

# allow krb5 to read /dev/random
allow krb5_t random_device_t:chr_file { read getattr };

# networking setup
can_network(krb5_t)
allow krb5_t krb5_port_t:tcp_socket { name_bind create_stream_socket_perms };
allow krb5_t krb5_port_t:udp_socket { name_bind create_socket_perms };

allow krb5_t self:capability { net_bind_service net_admin };


krb5.fc:

/usr/sbin/krb5kdc -- system_u:object_r:krb5_exec_t
/usr/sbin/kadmind -- system_u:object_r:krb5_exec_t
/usr/sbin/kadmin -- system_u:object_r:krb5_exec_t
# '.' is a regex metacharacter; escaped so only the literal name matches
/etc/krb5\.conf -- system_u:object_r:krb5_conf_t
# the trailing '?' makes the entry match the directory /etc/krb5kdc itself
# as well as everything under it; without it the directory falls through
# to the generic /etc entry and keeps etc_t
/etc/krb5kdc(/.*)? system_u:object_r:krb5_conf_t


ls -Z /usr/sbin/kadmin:

-rwxr-xr-x root root system_u:object_r:krb5_exec_t /usr/sbin/kadmin

root# kadmin -r ETF.BG.AC.YU -p admin/admin -s la-02.etf.bg.ac.yu:88
Authenticating as principal admin/admin with password.
kadmin: Cannot contact any KDC for requested realm while initializing kadmin interface


Cheers,
--
Panzer (a.k.a Veselin Mijuskovic)
Senior System Administrator
School of Electrical Engineering's Computing Centre
University of Belgrade, Serbia *** www.etf.bg.ac.yu

--
gentoo-hardened@g.o mailing list
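The krb5.fc posted above relies on two regex details that are easy to get wrong: setfiles anchors every pattern at both ends, so `/etc/krb5kdc(/.*)` matches files under the directory but not the directory itself, and an unescaped `.` in `/etc/krb5.conf` matches any character. The following is an added example, not code from the post or from the SELinux tools: a small matcher in Python that models the file_contexts(5) rules (full anchoring, the `--`/`-d` type qualifiers, last matching entry wins, as setfiles does) and runs the posted entries and a corrected copy against a few constructed paths. The "fixed" file and the paths are my own constructions.

```python
import re

# Constructed copy of the krb5.fc posted above (not the project's own file).
POSTED_FC = """\
/usr/sbin/krb5kdc -- system_u:object_r:krb5_exec_t
/usr/sbin/kadmind -- system_u:object_r:krb5_exec_t
/usr/sbin/kadmin -- system_u:object_r:krb5_exec_t
/etc/krb5.conf -- system_u:object_r:krb5_conf_t
/etc/krb5kdc(/.*) system_u:object_r:krb5_conf_t
"""

# Same file with two regex fixes (my assumption of the intended labels):
# a '?' so the directory itself matches, and an escaped '.' so only the
# literal file name matches.
FIXED_FC = (POSTED_FC
            .replace("/etc/krb5kdc(/.*)", "/etc/krb5kdc(/.*)?")
            .replace("/etc/krb5.conf", r"/etc/krb5\.conf"))

# file_contexts(5) type qualifiers: which object class an entry applies to.
TYPE_FLAGS = {"--": "file", "-d": "dir", "-l": "lnk_file", "-c": "chr_file",
              "-b": "blk_file", "-s": "sock_file", "-p": "fifo_file"}


def parse_fc(text):
    """Parse file_contexts lines into (compiled regex, object class or None, context)."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()       # '#' starts a comment
        if not line:
            continue
        fields = line.split()
        if len(fields) == 2:                      # "regex context": every class
            regex, qualifier, ctx = fields[0], None, fields[1]
        elif len(fields) == 3:                    # "regex qualifier context"
            regex, qualifier, ctx = fields
            if qualifier not in TYPE_FLAGS:
                raise ValueError(f"line {lineno}: unknown type qualifier {qualifier!r}")
            qualifier = TYPE_FLAGS[qualifier]
        else:
            raise ValueError(f"line {lineno}: malformed entry {raw!r}")
        # setfiles anchors every regex at both ends, so "/etc/krb5kdc" alone
        # would not match "/etc/krb5kdc/kdc.conf".
        entries.append((re.compile("^" + regex + "$"), qualifier, ctx))
    return entries


def match_context(entries, path, cls="file"):
    """Context a relabel would assign to `path` (an object of class `cls`),
    or None if no entry matches. As with setfiles, the last matching entry wins."""
    ctx = None
    for regex, qualifier, candidate in entries:
        if qualifier is not None and qualifier != cls:
            continue
        if regex.match(path):
            ctx = candidate
    return ctx


def label_type(fc_text, path, cls="file"):
    """Only the type field of the matched context (e.g. 'krb5_conf_t'), or None."""
    ctx = match_context(parse_fc(fc_text), path, cls)
    return ctx.split(":")[2] if ctx else None


if __name__ == "__main__":
    # Constructed paths: the KDC directory, a file inside it, the real
    # krb5.conf, a look-alike name, and the kadmin binary.
    probes = (("/etc/krb5kdc", "dir"), ("/etc/krb5kdc/kdc.conf", "file"),
              ("/etc/krb5.conf", "file"), ("/etc/krb5Xconf", "file"),
              ("/usr/sbin/kadmin", "file"))
    for name, fc in (("posted", POSTED_FC), ("fixed", FIXED_FC)):
        for path, cls in probes:
            print(f"{name:6} {cls:4} {path:24} -> {label_type(fc, path, cls)}")
```

Run stand-alone it prints one line per probe; the posted file leaves `/etc/krb5kdc` (the directory) with no match, so a relabel would give it whatever the generic `/etc` entry provides, while the corrected pattern labels the directory and its contents alike. Real setfiles output is authoritative; this matcher only illustrates the anchoring and precedence rules.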