RHEL-68379: SELinux policy prevents krb5kdc_t from reading directories labelled with var_t

Type: Bug
Resolution: Unresolved
Version: rhel-9.5
Component: selinux-policy
Project: Red Hat Enterprise Linux

      What were you trying to do that didn't work?

      I want to configure krb5kdc to check certificate revocation lists.

      $ cat /etc/krb5.conf.d/pkinit-revoke
      [realms]
      IPA.ROBOTS.ORG.UK = {
        pkinit_revoke = DIR:/var/local/pki/crl
        pkinit_require_crl_checking = false
      }

      With this in place, when krb5kdc starts up it tries to load CRL files from the specified directory, which is prevented by SELinux policy.

      What is the impact of this issue to you?

      Minor. As long as the user only wants to check a single CRL, pkinit_revoke = FILE:/var/local/pki/crl/ipa-ca.crl is sufficient.

      Please provide the package NVR for which the bug is seen:

      selinux-policy-38.1.45-3.el9_5.noarch

      How reproducible is this bug?:

      Very

      Steps to reproduce

      1. Create configuration file as above
      2. Create /var/local/pki/crl directory
      3. Restart krb5kdc

      Expected results

      No AVC denial and krb5kdc should start up without logging any errors.

      Actual results

      This AVC denial:

      time->Wed Nov 20 21:16:18 2024
      type=PROCTITLE msg=audit(1732137378.161:404019): proctitle=2F7573722F7362696E2F6B7262356B6463002D50002F72756E2F6B7262356B64632E706964002D770032
      type=SYSCALL msg=audit(1732137378.161:404019): arch=c000003e syscall=257 success=yes exit=7 a0=ffffff9c a1=555765162e74 a2=90800 a3=0 items=0 ppid=1 pid=509721 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="krb5kdc" exe="/usr/sbin/krb5kdc" subj=system_u:system_r:krb5kdc_t:s0 key=(null)
      type=AVC msg=audit(1732137378.161:404019): avc:  denied  { read } for  pid=509721 comm="krb5kdc" name="crl" dev="dm-0" ino=67241970 scontext=system_u:system_r:krb5kdc_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=dir permissive=1

      And this message is logged to /var/log/krb5kdc:

      Nov 20 21:53:51 ipa4.ipa.robots.org.uk krb5kdc[511622](Error): preauth pkinit failed to initialize: PKINIT initialization failed: No such file or directory
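Parsing the AVC record quoted above the way a triage script would, as an added example rather than anything from the report or the selinux-policy project: it pulls out the source type, target type, object class and permissions, records that `permissive=1` means the access was logged rather than blocked (which is why the SYSCALL record reports success=yes), and puts the narrow relabel fix next to the broad audit2allow-style rule. The `cert_t` target type and the `sesearch` check are assumptions, not something the report states.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# The AVC record from the report above, used here as the sample input.
AVC_LINE = (
    'type=AVC msg=audit(1732137378.161:404019): avc:  denied  { read } for  '
    'pid=509721 comm="krb5kdc" name="crl" dev="dm-0" ino=67241970 '
    'scontext=system_u:system_r:krb5kdc_t:s0 '
    'tcontext=unconfined_u:object_r:var_t:s0 tclass=dir permissive=1'
)

AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

@dataclass
class AvcDenial:
    perms: Tuple[str, ...]
    source_type: str      # type field of scontext, e.g. krb5kdc_t
    target_type: str      # type field of tcontext, e.g. var_t
    tclass: str
    comm: str
    permissive: bool      # True: access was logged but not blocked

def parse_avc(line: str) -> Optional[AvcDenial]:
    """Parse one auditd AVC record; returns None for granted events or other record types."""
    m = AVC_RE.search(line)
    if not m or m.group('result') != 'denied':
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return AvcDenial(
        perms=tuple(m.group('perms').split()),
        source_type=fields['scontext'].split(':')[2],
        target_type=fields['tcontext'].split(':')[2],
        tclass=fields['tclass'],
        comm=fields.get('comm', ''),
        permissive=fields.get('permissive') == '1',
    )

def allow_rule(d: AvcDenial) -> str:
    """audit2allow-style rule text, for comparison only: granting krb5kdc_t
    access to everything labelled var_t is far broader than the KDC needs."""
    return f"allow {d.source_type} {d.target_type}:{d.tclass} {{ {' '.join(d.perms)} }};"

def relabel_command(path: str, new_type: str = 'cert_t') -> str:
    """Narrower fix: give the CRL directory a type the KDC is already allowed to read.
    cert_t is an assumption here; confirm with `sesearch -A -s krb5kdc_t -t cert_t -c dir`."""
    return f"semanage fcontext -a -t {new_type} '{path}(/.*)?' && restorecon -Rv {path}"
```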


Zdenek Pytela (rhn-support-zpytela), Sam Morris (staticyrro7)
Votes: 0
Watchers: 6