>From: fedora-list-bounces@xxxxxxxxxx
>[mailto:fedora-list-bounces@xxxxxxxxxx]On Behalf Of Daniel B. Thurman
>Sent: Monday, December 19, 2005 12:36 PM
>To: For users of Fedora Core releases
>Subject: Part 2: LDAP/Kerberos: SELinux is screwing me up!
>
>
>
>This is part #2 of my issues regarding selinux
>where a restore of my filesystem was somehow
>not getting all of the selinux attributes correct.
>
>Fortunately, my frontpage extensions still work and for
>some reason the LDAP/Kerberos setup is now broken.
>
>Further problems reveal that my LDAP and Kerberos setup for
>SASL is no longer working. Ugh. I spent many weeks
>fighting this, got it working, and now it is broken again.
>
>I do recall that I used a manual setsebool command to disable
>selinux for kerberos/ldap but I cannot recall what I did, exactly,
>but I tried:
>
>setsebool -P kadmind_disable_trans 1
>setsebool -P krb5kdc_disable_trans 1

OK, I have temporarily solved this issue....

1) setsebool -P slapd_disable_trans 1
2) restart ldap (/etc/init.d/ldap restart)

>
>But this apparently does not solve my issue...
>
>Please note that I ran my LDAP testing program with selinux=0
>(disabled) at boot and everything runs without errors. My
>LDAP program breaks only when selinux is active.
>
>Under selinux, LDAP with no authentication, with SSL, and with SSL
>via TLS works fine. It is now SASL that is broken. This problem
>existed with FC4 with the original scripts starting the LDAP server,
>so I used a modified script to get SASL back to working and this
>problem/issue was not resolved or revisited in bugzilla as
>it supposedly was to be researched/resolved on by someone.
>
>It appears that slapd is trying to access /etc/krb5.conf file
>and perhaps selinux refuses to allow it. I disabled the selinux
>in the security-policies gui on my system but this does not seem
>to have any effect.
>
>Can anyone shed some light on this?
>
>Anyway, here is what I ran and the audit results:
>
>#############################
>SASL auth, no encryption
>#############################
>ldapsearch -H ldap://ldap.cdkkt.com/ -b dc=cdkkt,dc=com
>SASL/GSSAPI authentication started
>ldap_sasl_interactive_bind_s: Internal (implementation
>specific) error (80)
>        additional info: SASL(-1): generic failure: GSSAPI
>Error: Miscellaneous
>failure (Resource temporarily unavailable)
>
>DEBUG VERSION
>==============
>ldapsearch -d 1 -H ldap://ldap.cdkkt.com/ -b dc=cdkkt,dc=com
>ldap_create
>ldap_url_parse_ext(ldap://ldap.cdkkt.com/)
>ldap_pvt_sasl_getmech
>ldap_search
>put_filter: "(objectclass=*)"
>put_filter: simple
>put_simple_filter: "objectclass=*"
>ldap_send_initial_request
>ldap_new_connection
>ldap_int_open_connection
>ldap_connect_to_host: TCP ldap.cdkkt.com:389
>ldap_new_socket: 3
>ldap_prepare_socket: 3
>ldap_connect_to_host: Trying 216.99.218.205:389
>ldap_connect_timeout: fd: 3 tm: -1 async: 0
>ldap_ndelay_on: 3
>ldap_is_sock_ready: 3
>ldap_ndelay_off: 3
>ldap_open_defconn: successful
>ldap_send_server_request
>ber_flush: 64 bytes to sd 3
>ldap_result msgid 1
>ldap_chkResponseList for msgid=1, all=1
>ldap_chkResponseList returns NULL
>wait4msg (infinite timeout), msgid 1
>wait4msg continue, msgid 1, all 1
>** Connections:
>* host: ldap.cdkkt.com  port: 389  (default)
>  refcnt: 2  status: Connected
>  last used: Mon Dec 19 11:49:43 2005
>
>** Outstanding Requests:
> * msgid 1,  origid 1, status InProgress
>   outstanding referrals 0, parent count 0
>** Response Queue:
>   Empty
>ldap_chkResponseList for msgid=1, all=1
>ldap_chkResponseList returns NULL
>ldap_int_select
>read1msg: msgid 1, all 1
>ber_get_next
>ber_get_next: tag 0x30 len 46 contents:
>ldap_read: message type search-entry msgid 1, original id 1
>wait4msg continue, msgid 1, all 1
>** Connections:
>* host: ldap.cdkkt.com  port: 389  (default)
>  refcnt: 2  status: Connected
>  last used: Mon Dec 19 11:49:43 2005
>
>** Outstanding Requests:
> * msgid 1,  origid 1, status InProgress
>   outstanding referrals 0, parent count 0
>** Response Queue:
> * msgid 1,  type 100
>ldap_chkResponseList for msgid=1, all=1
>ldap_chkResponseList returns NULL
>ldap_int_select
>read1msg: msgid 1, all 1
>ber_get_next
>ber_get_next: tag 0x30 len 12 contents:
>ldap_read: message type search-result msgid 1, original id 1
>ber_scanf fmt ({iaa) ber:
>read1msg: 0 new referrals
>read1msg:  mark request completed, id = 1
>request 1 done
>res_errno: 0, res_error: <>, res_matched: <>
>ldap_free_request (origid 1, msgid 1)
>ldap_free_connection
>ldap_free_connection: refcnt 1
>adding response id 1 type 101:
>ldap_parse_result
>ber_scanf fmt ({iaa) ber:
>ber_scanf fmt (}) ber:
>ldap_get_values
>ber_scanf fmt ({x{{a) ber:
>ber_scanf fmt ([v]) ber:
>ldap_msgfree
>ldap_sasl_interactive_bind_s: server supports: GSSAPI
>ldap_int_sasl_bind: GSSAPI
>ldap_int_sasl_open: host=sysb.cdkkt.com
>SASL/GSSAPI authentication started
>ldap_sasl_bind_s
>ldap_sasl_bind
>ldap_send_initial_request
>ldap_send_server_request
>ber_flush: 556 bytes to sd 3
>ldap_result msgid 2
>ldap_chkResponseList for msgid=2, all=1
>ldap_chkResponseList returns NULL
>wait4msg (infinite timeout), msgid 2
>wait4msg continue, msgid 2, all 1
>** Connections:
>* host: ldap.cdkkt.com  port: 389  (default)
>  refcnt: 2  status: Connected
>  last used: Mon Dec 19 11:49:43 2005
>
>** Outstanding Requests:
> * msgid 2,  origid 2, status InProgress
>   outstanding referrals 0, parent count 0
>** Response Queue:
>   Empty
>ldap_chkResponseList for msgid=2, all=1
>ldap_chkResponseList returns NULL
>ldap_int_select
>read1msg: msgid 2, all 1
>ber_get_next
>ber_get_next: tag 0x30 len 109 contents:
>ldap_read: message type bind msgid 2, original id 2
>ber_scanf fmt ({iaa) ber:
>read1msg: 0 new referrals
>read1msg:  mark request completed, id = 2
>request 2 done
>res_errno: 0, res_error: <>, res_matched: <>
>ldap_free_request (origid 2, msgid 2)
>ldap_free_connection
>ldap_free_connection: refcnt 1
>ldap_parse_sasl_bind_result
>ber_scanf fmt ({iaa) ber:
>ldap_msgfree
>ldap_perror
>ldap_sasl_interactive_bind_s: Internal (implementation
>specific) error (80)
>        additional info: SASL(-1): generic failure: GSSAPI
>Error: Miscellaneous
>failure (Resource temporarily unavailable)
>
>Results of /var/log/audit/audit.log:
>====================================
>type=AVC msg=audit(1135018595.351:2889): avc:  denied  {
>getattr } for  pid=25974 comm="slapd" name="krb5.conf"
>dev=hda2 ino=1213967 scontext=root:system_r:slapd_t
>tcontext=system_u:object_r:krb5_conf_t tclass=file
>type=SYSCALL msg=audit(1135018595.351:2889): arch=40000003
>syscall=195 success=no exit=-13 a0=8d1d848 a1=b6011d4c
>a2=52aff4 a3=43a70263 items=1 pid=25974 auid=4294967295 uid=55
>gid=55 euid=55 suid=55 fsuid=55 egid=55 sgid=55 fsgid=55
>comm="slapd" exe="/usr/sbin/slapd"
>type=AVC_PATH msg=audit(1135018595.351:2889):  path="/etc/krb5.conf"
>type=CWD msg=audit(1135018595.351:2889):  cwd="/root"
>type=PATH msg=audit(1135018595.351:2889): item=0
>name="/etc/krb5.conf" flags=1  inode=1213967 dev=03:02
>mode=0100644 ouid=0 ogid=0 rdev=00:00
>type=AVC msg=audit(1135018595.359:2890): avc:  denied  {
>getattr } for  pid=25974 comm="slapd" name="krb5.conf"
>dev=hda2 ino=1213967 scontext=root:system_r:slapd_t
>tcontext=system_u:object_r:krb5_conf_t tclass=file
>type=SYSCALL msg=audit(1135018595.359:2890): arch=40000003
>syscall=195 success=no exit=-13 a0=8d1d848 a1=b6011d4c
>a2=52aff4 a3=43a70263 items=1 pid=25974 auid=4294967295 uid=55
>gid=55 euid=55 suid=55 fsuid=55 egid=55 sgid=55 fsgid=55
>comm="slapd" exe="/usr/sbin/slapd"
>type=AVC_PATH msg=audit(1135018595.359:2890):  path="/etc/krb5.conf"
>type=CWD msg=audit(1135018595.359:2890):  cwd="/root"
>type=PATH msg=audit(1135018595.359:2890): item=0
>name="/etc/krb5.conf" flags=1  inode=1213967 dev=03:02
>mode=0100644 ouid=0 ogid=0 rdev=00:00
>type=AVC msg=audit(1135018595.363:2891): avc:  denied  {
>getattr } for  pid=25974 comm="slapd" name="krb5.conf"
>dev=hda2 ino=1213967 scontext=root:system_r:slapd_t
>tcontext=system_u:object_r:krb5_conf_t tclass=file
>type=SYSCALL msg=audit(1135018595.363:2891): arch=40000003
>syscall=195 success=no exit=-13 a0=8d1d848 a1=b6013cbc
>a2=52aff4 a3=43a70263 items=1 pid=25974 auid=4294967295 uid=55
>gid=55 euid=55 suid=55 fsuid=55 egid=55 sgid=55 fsgid=55
>comm="slapd" exe="/usr/sbin/slapd"
>type=AVC_PATH msg=audit(1135018595.363:2891):  path="/etc/krb5.conf"
>type=CWD msg=audit(1135018595.363:2891):  cwd="/root"
>type=PATH msg=audit(1135018595.363:2891): item=0
>name="/etc/krb5.conf" flags=1  inode=1213967 dev=03:02
>mode=0100644 ouid=0 ogid=0 rdev=00:00
>type=AVC msg=audit(1135018595.363:2892): avc:  denied  {
>getattr } for  pid=25974 comm="slapd" name="krb5.conf"
>dev=hda2 ino=1213967 scontext=root:system_r:slapd_t
>tcontext=system_u:object_r:krb5_conf_t tclass=file
>type=SYSCALL msg=audit(1135018595.363:2892): arch=40000003
>syscall=195 success=no exit=-13 a0=8d1d848 a1=b6013cbc
>a2=52aff4 a3=43a70263 items=1 pid=25974 auid=4294967295 uid=55
>gid=55 euid=55 suid=55 fsuid=55 egid=55 sgid=55 fsgid=55
>comm="slapd" exe="/usr/sbin/slapd"
>type=AVC_PATH msg=audit(1135018595.363:2892):  path="/etc/krb5.conf"
>type=CWD msg=audit(1135018595.363:2892):  cwd="/root"
>type=PATH msg=audit(1135018595.363:2892): item=0
>name="/etc/krb5.conf" flags=1  inode=1213967 dev=03:02
>mode=0100644 ouid=0 ogid=0 rdev=00:00
>type=AVC msg=audit(1135018595.363:2893): avc:  denied  { lock
>} for  pid=25974 comm="slapd" name="ldap.keytab" dev=hda2
>ino=1214046 scontext=root:system_r:slapd_t
>tcontext=system_u:object_r:etc_t tclass=file
>type=SYSCALL msg=audit(1135018595.363:2893): arch=40000003
>syscall=221 success=no exit=-13 a0=e a1=e a2=b6015d34
>a3=b6015d34 items=0 pid=25974 auid=4294967295 uid=55 gid=55
>euid=55 suid=55 fsuid=55 egid=55 sgid=55 fsgid=55 comm="slapd"
>exe="/usr/sbin/slapd"
>type=AVC_PATH msg=audit(1135018595.363:2893):
>path="/etc/openldap/ldap.keytab"
>type=AVC msg=audit(1135018595.363:2894): avc:  denied  {
>getattr } for  pid=25974 comm="slapd" name="krb5.conf"
>dev=hda2 ino=1213967 scontext=root:system_r:slapd_t
>tcontext=system_u:object_r:krb5_conf_t tclass=file
>type=SYSCALL msg=audit(1135018595.363:2894): arch=40000003
>syscall=195 success=no exit=-13 a0=8d1d848 a1=b6013dcc
>a2=52aff4 a3=43a70263 items=1 pid=25974 auid=4294967295 uid=55
>gid=55 euid=55 suid=55 fsuid=55 egid=55 sgid=55 fsgid=55
>comm="slapd" exe="/usr/sbin/slapd"
>type=AVC_PATH msg=audit(1135018595.363:2894):  path="/etc/krb5.conf"
>type=CWD msg=audit(1135018595.363:2894):  cwd="/root"
>type=PATH msg=audit(1135018595.363:2894): item=0
>name="/etc/krb5.conf" flags=1  inode=1213967 dev=03:02
>mode=0100644 ouid=0 ogid=0 rdev=00:00
>type=AVC msg=audit(1135018595.363:2895): avc:  denied  {
>getattr } for  pid=25974 comm="slapd" name="krb5.conf"
>dev=hda2 ino=1213967 scontext=root:system_r:slapd_t
>tcontext=system_u:object_r:krb5_conf_t tclass=file
>type=SYSCALL msg=audit(1135018595.363:2895): arch=40000003
>syscall=195 success=no exit=-13 a0=8d1d848 a1=b6013dcc
>a2=52aff4 a3=43a70263 items=1 pid=25974 auid=4294967295 uid=55
>gid=55 euid=55 suid=55 fsuid=55 egid=55 sgid=55 fsgid=55
>comm="slapd" exe="/usr/sbin/slapd"
>type=AVC_PATH msg=audit(1135018595.363:2895):  path="/etc/krb5.conf"
>type=CWD msg=audit(1135018595.363:2895):  cwd="/root"
>type=PATH msg=audit(1135018595.363:2895): item=0
>name="/etc/krb5.conf" flags=1  inode=1213967 dev=03:02
>mode=0100644 ouid=0 ogid=0 rdev=00:00
>type=USER_AUTH msg=audit(1135018639.854:2896): user pid=3406
>uid=0 auid=4294967295 msg='PAM authentication: user=
>exe="/usr/bin/gdm-binary" (hostname=?, addr=?, terminal=:0
>result=Authentication failure)'
>type=USER_AUTH msg=audit(1135018648.270:2897): user pid=3406
>uid=0 auid=4294967295 msg='PAM authentication: user=root
>exe="/usr/bin/gdm-binary" (hostname=?, addr=?, terminal=:0
>result=Success)'
>type=USER_ACCT msg=audit(1135018648.274:2898): user pid=3406
>uid=0 auid=4294967295 msg='PAM accounting: user=root
>exe="/usr/bin/gdm-binary" (hostname=?, addr=?, terminal=:0
>result=Success)'
>type=CRED_ACQ msg=audit(1135018648.302:2899): user pid=3406
>uid=0 auid=4294967295 msg='PAM setcred: user=root
>exe="/usr/bin/gdm-binary" (hostname=?, addr=?, terminal=:0
>result=Success)'
>type=USER_START msg=audit(1135018648.306:2900): user pid=3406
>uid=0 auid=4294967295 msg='PAM session open: user=root
>exe="/usr/bin/gdm-binary" (hostname=?, addr=?, terminal=:0
>result=Success)'
>
>Kind regards,
>Dan
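Added example, not part of Dan's message and not a Fedora or SELinux tool: a small Python triage script for AVC records like the ones quoted above. It re-joins the records that the list software wrapped across lines, groups the denials by source type, target type and object class, and drafts the TE allow rules in the form audit2allow prints them, which is a much narrower fix than setsebool slapd_disable_trans (that boolean stops the transition into slapd_t, so slapd runs without its own confinement at all). It separately flags targets that carry a generic label such as etc_t, because on a system just restored from backup, as this one was, a keytab under /etc/openldap labelled plain etc_t is more likely a relabelling problem than a policy gap, and is worth checking with matchpathcon or restorecon -nv before any rule is loaded. The sample records are excerpted from the audit.log output in the message; the GENERIC_FILE_TYPES list is my own heuristic, not something the post states.

```python
"""Triage SELinux AVC denials from audit.log and draft matching TE allow rules.

Added example, not code from the message above or from any Fedora tool. Field
names follow the kernel audit record format visible in the post (scontext=,
tcontext=, tclass=, denied { perms }, and AVC_PATH records sharing an event id).
"""
import re
from collections import defaultdict

# Excerpted from the audit.log output in the post: one getattr denial on
# /etc/krb5.conf and the lock denial on the keytab. The list software wrapped
# each record over several lines; split_records() undoes that.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1135018595.351:2889): avc: denied {
getattr } for pid=25974 comm="slapd" name="krb5.conf"
dev=hda2 ino=1213967 scontext=root:system_r:slapd_t
tcontext=system_u:object_r:krb5_conf_t tclass=file
type=SYSCALL msg=audit(1135018595.351:2889): arch=40000003
syscall=195 success=no exit=-13 a0=8d1d848 a1=b6011d4c
a2=52aff4 a3=43a70263 items=1 pid=25974 auid=4294967295 uid=55
gid=55 euid=55 suid=55 fsuid=55 egid=55 sgid=55 fsgid=55
comm="slapd" exe="/usr/sbin/slapd"
type=AVC_PATH msg=audit(1135018595.351:2889): path="/etc/krb5.conf"
type=AVC msg=audit(1135018595.363:2893): avc: denied { lock
} for pid=25974 comm="slapd" name="ldap.keytab" dev=hda2
ino=1214046 scontext=root:system_r:slapd_t
tcontext=system_u:object_r:etc_t tclass=file
type=AVC_PATH msg=audit(1135018595.363:2893):
path="/etc/openldap/ldap.keytab"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')       # key=value or key="value"
PERMS_RE = re.compile(r'denied\s*\{\s*([^}]*?)\s*\}')  # the { perms } set

# Heuristic (mine, not from the post): a denial whose target carries one of
# these catch-all labels usually means the file is mislabelled, not that the
# policy lacks a rule. Check the expected label before allowing anything.
GENERIC_FILE_TYPES = {"etc_t", "file_t", "unlabeled_t", "default_t"}


def split_records(text):
    """Undo line wrapping and return one string per audit record."""
    joined = " ".join(line.strip() for line in text.splitlines())
    return [r for r in re.split(r'\s+(?=type=)', joined) if r]


def ctx_type(ctx):
    """Type field of a user:role:type[:level] security context."""
    return ctx.split(":")[2]


def parse_avc(text):
    """One dict per type=AVC record, with the path joined in from the AVC_PATH
    record that shares the same audit(<secs>:<serial>) event id."""
    denials, paths = [], {}
    for rec in split_records(text):
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rec)}
        event = fields.get("msg")          # ties AVC and AVC_PATH together
        if fields.get("type") == "AVC_PATH":
            paths[event] = fields.get("path")
        elif fields.get("type") == "AVC":
            m = PERMS_RE.search(rec)
            if m is None:
                continue                   # granted or malformed, skip
            denials.append({
                "event": event,
                "perms": set(m.group(1).split()),
                "comm": fields.get("comm"),
                "name": fields.get("name"),
                "stype": ctx_type(fields["scontext"]),
                "ttype": ctx_type(fields["tcontext"]),
                "tclass": fields["tclass"],
            })
    for d in denials:
        d["path"] = paths.get(d["event"], d["name"])
    return denials


def draft_allow_rules(denials):
    """Collapse denials by (source type, target type, class) into TE allow
    rules written the way audit2allow prints them."""
    grouped = defaultdict(set)
    for d in denials:
        grouped[(d["stype"], d["ttype"], d["tclass"])].update(d["perms"])
    rules = []
    for (stype, ttype, tclass), perms in sorted(grouped.items()):
        perms = sorted(perms)
        body = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
        rules.append("allow %s %s:%s %s;" % (stype, ttype, tclass, body))
    return rules


def relabel_candidates(denials):
    """Paths whose target type is a catch-all label: run matchpathcon PATH or
    restorecon -nv PATH on these before loading a rule for them."""
    return sorted({d["path"] for d in denials if d["ttype"] in GENERIC_FILE_TYPES})


if __name__ == "__main__":
    found = parse_avc(SAMPLE_AUDIT_LOG)
    for d in found:
        print("%s denied %s on %s (label %s)"
              % (d["comm"], " ".join(sorted(d["perms"])), d["path"], d["ttype"]))
    print("# check these labels first:\n" + "\n".join(relabel_candidates(found)))
    print("# candidate rules for a local module (audit2allow -M local):")
    print("\n".join(draft_allow_rules(found)))
```

Run against a real log with `ausearch -m AVC -ts recent` piped in, or by reading /var/log/audit/audit.log; the two relabel and rule lists are meant to be read in that order, since relabelling the keytab may make its rule unnecessary, and the remaining rules can then go through audit2allow -M and semodule -i as a module that is easy to review and remove, unlike a disable_trans boolean.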