Fixed
Created: Mar 17, 2014
Updated: Dec 3, 2018
Resolved Date: Apr 23, 2014
Found In Version: 6.0.0.4
Fix Version: 6.0.0.6
Severity: Standard
Applicable for: Wind River Linux 6
Component/s: Userspace
avc denied message : comm="kadmind" name="kadmind.log" when starting kadmind
The kadmind service starts successfully, but AVC denied messages can be found in /var/log/audit/audit.log:
type=AVC msg=audit(1395124861.637:73): avc: denied { append } for pid=1448 comm="kadmind" name="kadmind.log" dev="tmpfs" ino=56125 scontext=system_u:system_r:kadmind_t:s0-s15:c0.c1023 tcontext=root:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1395124861.637:73): avc: denied { open } for pid=1448 comm="kadmind" path="/var/volatile/log/kadmind.log" dev="tmpfs" ino=56125 scontext=system_u:system_r:kadmind_t:s0-s15:c0.c1023 tcontext=root:object_r:var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1395124861.637:73): arch=c000003e syscall=2 success=yes exit=3 a0=6192d5 a1=441 a2=1b6 a3=38f4a15c80 items=0 ppid=1447 pid=1448 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=1 tty=pts2 comm="kadmind" exe="/usr/sbin/kadmind" subj=system_u:system_r:kadmind_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1395124861.637:74): avc: denied { getattr } for pid=1448 comm="kadmind" path="/var/volatile/log/kadmind.log" dev="tmpfs" ino=56125 scontext=system_u:system_r:kadmind_t:s0-s15:c0.c1023 tcontext=root:object_r:var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1395124861.637:74): arch=c000003e syscall=5 success=yes exit=0 a0=3 a1=7fff2d0554c0 a2=7fff2d0554c0 a3=38f4a15c80 items=0 ppid=1447 pid=1448 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=1 tty=pts2 comm="kadmind" exe="/usr/sbin/kadmind" subj=system_u:system_r:kadmind_t:s0-s15:c0.c1023 key=(null)
configure --enable-board=intel-x86-64 --enable-kernel=cgl --enable-rootfs=glibc-cgl
make fs
Boot the target with SELinux enabled.
ssh to target:
$ newrole -r secadm_r -- -c "/usr/sbin/setenforce 0"
$ tail -f /var/log/audit/audit.log
Execute the steps below on the terminal; the AVC messages will then appear. Note that the `setenforce 0` step above puts SELinux in permissive mode, so the denials are logged but not enforced, which is why the accompanying SYSCALL records show success=yes and the service still starts.
:/etc# vim krb5.conf
# krb5.conf as used in the reproduction. The [logging] paths are the files
# kadmind (and the KDC) open at startup.
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
# This is the file named in the AVC records (comm="kadmind" name="kadmind.log").
# The audit records show it as /var/volatile/log/kadmind.log on a tmpfs,
# labelled with the generic var_log_t type, which kadmind_t is not allowed to
# append/open/getattr. Presumably /var/log resolves to /var/volatile/log on
# this image and the file never receives its service-specific log label —
# confirm against the policy's file contexts.
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes
[realms]
EXAMPLE.COM = {
kdc = kerberos.example.com:88
admin_server = kerberos.example.com:749
default_domain = example.com
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
# KDC-specific settings live in the separate profile below.
[kdc]
profile = /etc/kdc.conf
:/etc# vim kdc.conf
# kdc.conf, referenced from krb5.conf via the [kdc] profile setting.
[kdcdefaults]
# The reproduction step edits a file named kadm_acl, while this key points at
# /etc/kadm5.acl — verify both refer to the same file, otherwise the ACL edited
# in the steps is never loaded by kadmind.
acl_file = /etc/kadm5.acl
admin_keytab = /etc/kadm5.keytab
# Kerberos 4 compatibility setting carried over from the test setup; newer MIT
# releases no longer support it — confirm it is still honoured by this version.
v4_mode = nopreauth
kdc_ports = 750,88
[realms]
EXAMPLE.COM = {
master_key_type = des3-hmac-sha1
# Test-realm enctype list: the single-DES (des-hmac-sha1, des-cbc-md5,
# des-cbc-crc) entries and the v4/afs3 salt types are legacy enctypes kept
# here only for the reproduction; they are not a production KDC setting.
supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
}
:/etc# vim kadm_acl
# kadm5 ACL: one principal per line followed by its permission letters.
# '*' grants admin/admin every kadmin privilege.
admin/admin@EXAMPLE.COM *
# NOTE(review): in MIT's kadm5.acl syntax lowercase letters grant a privilege
# and uppercase letters deny it, so 'L' denies listing for tester/admin rather
# than granting it — confirm this is the intended permission.
tester/admin@EXAMPLE.COM L
:/etc# cd
:~# kdb5_util create -r EXAMPLE.COM -s
Loading random data
Initializing database '/var/krb5kdc/principal' for realm 'EXAMPLE.COM',
master key name 'K/M@EXAMPLE.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
:~# run_init /etc/init.d/krb5-admin-server start
Authenticating root.
Password: