* Policy for Kerberos
@ 2003-07-15 23:11 Kerry Thompson
From: Kerry Thompson @ 2003-07-15 23:11 UTC (permalink / raw)
  To: selinux

[-- Attachment #1: Type: text/plain, Size: 1354 bytes --]

Attached is my first cut at a policy for Kerberos. This is for the MIT
Kerberos5 software but should work fine for most distros with
file location tweaking.

The policy basically just supports the krb5kdc and kadmind daemons, and
most user programs such as kinit, klist, kdestroy, and kadmin. The
Kerberos release also includes telnetd, ftpd, and rlogind services which I
haven't put into this policy. The Kerberos telnetd and rlogind use their
own login program to perform ticket authentication and forwarding which
would need to be patched for SELinux support.

Rather than using telnetd/ftpd/rlogind I recommend OpenSSH instead which
is more functional and supports privsep. This policy supports the latest
OpenSSH ssh & sshd patched with GSSAPI-Kerberos support ( Simon
Wilkinson's patch ) plus the SELinux patch.

Note that something in the Kerberos library is opening config files in
read/write mode - I've silenced this with a few dontaudit rules to avoid
the noise (the writes are still denied, they are just not logged), but it
doesn't cover everything - you'll still see some write denials here and
there. I've notified the MIT Kerberos team as to the issue, but I'm not
expecting a fix any time soon.

I've also included a patch to put the Kerberos services into net_contexts.

Kerry


-- 
Kerry Thompson
Information Systems Security Consultant
http://www.crypt.gen.nz  kerry@crypt.gen.nz



[-- Attachment #2: kerberos.fc --]
[-- Type: application/octet-stream, Size: 462 bytes --]

# MIT Kerberos krb5kdc, kadmind
# File contexts for the MIT Kerberos5 policy (kerberos.te).
# NOTE(review): the sbin entries match both /usr and /usr/local, but the KDC
# state directory is only matched under /usr/local; packaged installs that
# keep it elsewhere need the three /usr/local/var entries adjusted (the
# covering mail anticipates "file location tweaking").
/etc/krb5\.conf       			system_u:object_r:krb5_conf_t
/etc/krb5\.keytab       		system_u:object_r:krb5_keytab_t
/usr(/local)?/sbin/krb5kdc      	system_u:object_r:krb5kdc_exec_t
/usr(/local)?/sbin/kadmind		system_u:object_r:kadmind_exec_t
# Everything under the KDC directory defaults to krb5kdc_conf_t; the
# principal database entry is listed after the catch-all so that it wins.
# NOTE(review): a master-key stash file, if one is kept in this directory,
# would also fall under the catch-all and be labelled krb5kdc_conf_t, which
# both daemons (and, via sysadmfile, the admin domain) can read; consider a
# dedicated type for it.
/usr/local/var/krb5kdc			system_u:object_r:krb5kdc_conf_t
/usr/local/var/krb5kdc/.*		system_u:object_r:krb5kdc_conf_t
/usr/local/var/krb5kdc/principal.*	system_u:object_r:krb5kdc_principal_t

[-- Attachment #3: kerberos.te --]
[-- Type: application/octet-stream, Size: 4586 bytes --]

#DESC Kerberos5 - MIT Kerberos5 krb5kdc and kadmind daemons
#
# includes rules for OpenSSH daemon compiled with both
# kerberos5 and SELinux support
#
# Not supported : telnetd, ftpd, kprop/kpropd
#
# Author:   Kerry Thompson <kerry@crypt.gen.nz>
# 
# NOTE(review): first cut.  A revised version later in this thread replaces
# the hard-coded user_t/user_su_t/user_ssh_t rules with the userdomain
# attribute plus patches to the ssh/su macro files, and replaces the raw
# tmp_t/var_log_t rules with tmp_domain()/log_domain().  Prefer that one.
#

#################################
#
# Rules for the krb5kdc_t,kadmind_t domains.
#

# Port types; the port numbers are assigned to them in net_contexts.
# kerberos_master_port_t is declared (and labeled in net_contexts) but no
# rule in this file binds or connects to it -- consistent with kprop/kpropd
# being unsupported, so nothing can currently listen on that port.
type kerberos_port_t, port_type;
type kerberos_admin_port_t, port_type;
type kerberos_master_port_t, port_type;

daemon_domain(krb5kdc)
daemon_domain(kadmind)

can_exec(krb5kdc_t, krb5kdc_exec_t)
can_exec(kadmind_t, kadmind_exec_t)

# types for general configuration files in /etc
# krb5_keytab_t holds long-term service keys: keep read access on it
# limited to the domains that must validate service tickets.  sysadmfile
# gives the administrator domain access per the base policy's rules.
type krb5_conf_t, file_type, sysadmfile;
type krb5_keytab_t, file_type, sysadmfile;

# for KDC configs and principal file(s)
# krb5kdc_principal_t is the realm database; only krb5kdc_t and kadmind_t
# are granted write on it below.
type krb5kdc_conf_t, file_type, sysadmfile;
type krb5kdc_principal_t, file_type, sysadmfile;

# Use capabilities. Surplus capabilities may be allowed.
# NOTE(review): dac_override/chown/fowner let the daemons bypass DAC checks
# on any file their TE rules reach; once the policy is stable, drop each
# capability that never appears in the audit log.
allow krb5kdc_t krb5kdc_t:capability { setuid setgid net_bind_service chown fowner dac_override sys_nice };
allow kadmind_t kadmind_t:capability { setuid setgid net_bind_service chown fowner dac_override sys_nice };

# krb5kdc and kadmind can use network
can_network(krb5kdc_t)
can_network(kadmind_t)

# allow UDP transfer to/from any program
# NOTE(review): the macro arguments here are port types; confirm the rules
# they expand to are the intended ones.  Listening itself is permitted by
# the explicit name_bind rules below.
can_udp_send(kerberos_port_t, krb5kdc_t)
can_udp_send(krb5kdc_t, kerberos_port_t)
can_tcp_connect(kerberos_port_t, krb5kdc_t)
can_tcp_connect(kerberos_admin_port_t, kadmind_t)

# Bind to the kerberos, kerberos-adm ports.
# kadmind is given TCP only; if this build also serves the password-change
# protocol over UDP it will need a udp_socket name_bind and a labeled port
# -- TODO confirm against the daemon's listen set.
allow krb5kdc_t kerberos_port_t:udp_socket name_bind;
allow krb5kdc_t kerberos_port_t:tcp_socket name_bind;
allow kadmind_t kerberos_admin_port_t:tcp_socket name_bind;

#
# General rules for /etc/krb5.conf
# Read-only access for the client-side domains.  These name user_t,
# user_su_t etc. directly rather than the userdomain attribute, so other
# user domains (staff_t, ...) get nothing here.
allow user_t krb5_conf_t:file { getattr ioctl read };
allow local_login_t krb5_conf_t:file { getattr ioctl read };
allow sysadm_su_t krb5_conf_t:file { getattr ioctl read };
allow user_su_t krb5_conf_t:file { getattr ioctl read };
allow run_init_t krb5_conf_t:file { getattr read };

# Something in the Kerberos5 library likes to open krb5.conf for writing
# dontaudit only suppresses the audit message; the write is still denied.
dontaudit user_t krb5_conf_t:file { write };

#
# Rules for Kerberos5 KDC daemon
allow krb5kdc_t krb5_conf_t:file { getattr read };
allow krb5kdc_t krb5kdc_conf_t:dir { search };
allow krb5kdc_t krb5kdc_conf_t:file { getattr read };
# the KDC needs write (not just read) on the principal database
allow krb5kdc_t krb5kdc_principal_t:file { getattr lock read write };
allow krb5kdc_t locale_t:file { getattr read };
# NOTE(review): direct access to the generic tmp_t/var_log_t types.  With
# no type transition, files the daemon creates here keep the generic label
# and are reachable by every other domain allowed on those types;
# tmp_domain()/log_domain() would give the daemon private types instead.
allow krb5kdc_t tmp_t:dir { add_name remove_name search write };
allow krb5kdc_t tmp_t:file { create getattr read rename unlink write };
allow krb5kdc_t var_log_t:dir { add_name search write };
allow krb5kdc_t var_log_t:file { read append create getattr };


#
# Rules for Kerberos5 Kadmin daemon
# unix_dgram_socket: presumably for syslog() -- confirm
allow kadmind_t kadmind_t:unix_dgram_socket { connect create write };
allow kadmind_t krb5_conf_t:file { getattr read };
allow kadmind_t krb5kdc_conf_t:dir { search };
allow kadmind_t krb5kdc_conf_t:file { getattr lock read };
# kadmind additionally gets setattr on the principal database
allow kadmind_t krb5kdc_principal_t:file { getattr lock read write setattr };
allow kadmind_t locale_t:file { getattr read };
# NOTE(review): same generic tmp_t/var_log_t concern as for krb5kdc_t above.
allow kadmind_t tmp_t:dir { add_name remove_name search write };
allow kadmind_t tmp_t:file { create getattr read unlink write };
allow kadmind_t var_log_t:dir { add_name search write };
allow kadmind_t var_log_t:file { read append create getattr };

# UDP exchange between the KDC and the client domains named here.
allow sysadm_su_t krb5kdc_t:udp_socket { recvfrom };
allow krb5kdc_t sysadm_su_t:udp_socket { recvfrom };

allow krb5kdc_t sysadm_t:udp_socket { recvfrom };
allow sysadm_t krb5kdc_t:udp_socket { recvfrom };
allow krb5kdc_t user_t:udp_socket { recvfrom };
allow user_t krb5kdc_t:udp_socket { recvfrom };
# NOTE(review): every other pair above is symmetric, but the
# user_su_t -> krb5kdc_t direction is missing here; without it user_su_t
# presumably cannot receive the KDC's replies.
allow krb5kdc_t user_su_t:udp_socket { recvfrom };

#
# Rules for OpenSSH sshd server and ssh client compiled
# with Kerberos support
ifdef(`ssh.te', `
allow krb5kdc_t sshd_t:udp_socket { recvfrom };
allow sshd_t krb5kdc_t:udp_socket { recvfrom };
allow krb5kdc_t user_ssh_t:udp_socket { recvfrom };
allow user_ssh_t krb5kdc_t:udp_socket { recvfrom };
allow sshd_t krb5_conf_t:file { getattr ioctl read };
# sshd is the only domain in this file allowed to read the keytab
allow sshd_t krb5_keytab_t:file { lock read };
allow sysadm_ssh_t krb5_conf_t:file { getattr read };
allow user_ssh_t krb5_conf_t:file { getattr read };

# Quietly disallow write to /etc/krb5.conf
dontaudit sshd_t krb5_conf_t:file { write };
dontaudit user_ssh_t krb5_conf_t:file { write };

#
# sshd-generated kerberos credentials are stored as sshd_tmp_t
# kinit created creds are user_tmp_t
allow user_t sshd_tmp_t:file { lock read unlink };
allow user_ssh_t user_tmp_t:file { lock write };

# sshd destroys kinit-created tickets on exit
# NOTE(review): this is read/write/unlink on every user_tmp_t file, not
# only credential caches; a dedicated credential-cache type would narrow it.
allow sshd_t user_tmp_t:file { getattr read write unlink };
')



[-- Attachment #4: net_contexts.diff --]
[-- Type: application/octet-stream, Size: 358 bytes --]

78,88d77
< #
< # Kerberos krb5kdc, kadmind
< #
< ifdef(`kerberos.te', `
< portcon udp 88 system_u:object_r:kerberos_port_t
< portcon tcp 88 system_u:object_r:kerberos_port_t
< portcon tcp 749 system_u:object_r:kerberos_admin_port_t
< portcon udp 751 system_u:object_r:kerberos_master_port_t
< portcon tcp 751 system_u:object_r:kerberos_master_port_t
< ')
< 
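Review bot: This diff is in normal (non-unified) format and its direction is reversed: `78,88d77` with `<` lines means the Kerberos block is present in the first file and absent from the second, so applying it with patch(1) as given deletes the portcon block rather than adding it. The two files were presumably passed to diff as new,old; regenerate it with `diff -u net_contexts.orig net_contexts`. It would also help to say in the `ifdef` comment which service each port serves (88 kerberos, 749 kerberos-adm, 751 kerberos-master), since kerberos.te declares kerberos_master_port_t but no rule there binds or connects to it.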


* Re: Policy for Kerberos
@ 2003-07-16  0:11 ` Russell Coker
From: Russell Coker @ 2003-07-16  0:11 UTC (permalink / raw)
  To: Kerry Thompson, selinux

On Wed, 16 Jul 2003 09:11, Kerry Thompson wrote:
> Attached is my first cut at a policy for Kerberos. This is for the MIT
> Kerberos5 software but should work fine for most for most distros with
> file location tweaking.

# General rules for /etc/krb5.conf
allow user_t krb5_conf_t:file { getattr ioctl read };
allow local_login_t krb5_conf_t:file { getattr ioctl read };
allow sysadm_su_t krb5_conf_t:file { getattr ioctl read };
allow user_su_t krb5_conf_t:file { getattr ioctl read };
allow run_init_t krb5_conf_t:file { getattr read };

Maybe this file should be labeled etc_t as it seems to be read by the same 
programs that read /etc/passwd (presumably for the same reasons).

Also you should not specify user_t in policy, userdomain or unpriv_userdomain 
are more appropriate.

As for the user_su_t, that would require a modification to the su_macros.te 
file with an ifdef(`kerberos.te'.

allow krb5kdc_t tmp_t:dir { add_name remove_name search write };
allow krb5kdc_t tmp_t:file { create getattr read rename unlink write };

Should be:
tmp_domain(krb5kdc)

allow krb5kdc_t var_log_t:dir { add_name search write };
allow krb5kdc_t var_log_t:file { read append create getattr };

Should be:
log_domain(krb5kdc)

Same for kadmind_t, although maybe they should share a log type.

allow krb5kdc_t user_ssh_t:udp_socket { recvfrom };
allow user_ssh_t krb5kdc_t:udp_socket { recvfrom };

This needs to be in the ssh_macros.te file, otherwise it won't work for 
staff_t and other user domains.

Also do you think it would be a good idea to separate kerberos server and 
client policy?

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: Policy for Kerberos
@ 2003-07-21  3:36   ` Kerry Thompson
From: Kerry Thompson @ 2003-07-21  3:36 UTC (permalink / raw)
  To: selinux; +Cc: russell

[-- Attachment #1: Type: text/plain, Size: 2940 bytes --]

Thanks Russell, your help is greatly appreciated. I've made most of your
suggested fixes, and retested everything.

Russell Coker said:
>
> # General rules for /etc/krb5.conf
> allow user_t krb5_conf_t:file { getattr ioctl read };
> allow local_login_t krb5_conf_t:file { getattr ioctl read };
> allow sysadm_su_t krb5_conf_t:file { getattr ioctl read };
> allow user_su_t krb5_conf_t:file { getattr ioctl read };
> allow run_init_t krb5_conf_t:file { getattr read };
>
> Maybe this file should be labeled etc_t as it seems to be read by the
> same  programs that read /etc/passwd (presumably for the same reasons).

I initially thought so too; unfortunately something in the kerberos library
likes to open the config file for writing, and a dontaudit on write to
etc_t would silence denials for every file in /etc, which hides far too
much. Using 'allow userdomain krb5_conf_t:file' cleans this up quite well.

>
> Also you should not specify user_t in policy, userdomain or
> unpriv_userdomain  are more appropriate.

Done. Updated kerberos.te attached.

>
> As for the user_su_t, that would require a modification to the
> su_macros.te  file with an ifdef(`kerberos.te'.

Done. Patches for su_macros.te attached.

>
> allow krb5kdc_t tmp_t:dir { add_name remove_name search write };
> allow krb5kdc_t tmp_t:file { create getattr read rename unlink write };
>
> Should be:
> tmp_domain(krb5kdc)

Done.

>
> allow krb5kdc_t var_log_t:dir { add_name search write };
> allow krb5kdc_t var_log_t:file { read append create getattr };
>
> Should be:
> log_domain(krb5kdc)
>
> Same for kadmin_t, although maybe they should share a log type.

Done (although still separate log types).

>
> allow krb5kdc_t user_ssh_t:udp_socket { recvfrom };
> allow user_ssh_t krb5kdc_t:udp_socket { recvfrom };
>
> This needs to be in the ssh_macros.te file, otherwise it won't work for
> staff_t and other user domains.

Done. Patch for ssh_macros.te attached.

>
> Also do you think it would be a good idea to separate kerberos server
> and  client policy?

Maybe. I put them together because there wasn't a client/server split for
other packages in the policy base, and there are only a few simple client
rules. Also, it's possible that anything using PAM could become a kerberos
client with the krb5 PAM module. The krb5 specific clients could be split
out of the policy fairly easily.

One outstanding problem is the ksu (client) program. It behaves very much
like su and sudo combined, but with kerberos-based transparent
authentication. It reads ~/.k5login and ~/.k5users from the destination
user's home directory to get authorisation rules. With the kerberos policy
at this stage it gets labelled with su_exec_t which causes it to behave
like su ( no transparent authentication and no sudo features ). I'll need
to learn a lot more about SELinux before I get ksu sorted out.

Kerry.



-- 
Kerry Thompson, CCNA CISSP
Information Systems Security Consultant
http://www.crypt.gen.nz  kerry@crypt.gen.nz




[-- Attachment #2: kerberos.fc --]
[-- Type: application/octet-stream, Size: 624 bytes --]

# MIT Kerberos krb5kdc, kadmind
# File contexts for the MIT Kerberos5 policy (kerberos.te).
# NOTE(review): the sbin/bin entries match both /usr and /usr/local, but the
# KDC state directory is only matched under /usr/local; packaged installs
# that keep it elsewhere need the three /usr/local/var entries adjusted.
/etc/krb5\.conf       			system_u:object_r:krb5_conf_t
/etc/krb5\.keytab       		system_u:object_r:krb5_keytab_t
/usr(/local)?/sbin/krb5kdc      	system_u:object_r:krb5kdc_exec_t
/usr(/local)?/sbin/kadmind		system_u:object_r:kadmind_exec_t
# Everything under the KDC directory defaults to krb5kdc_conf_t; the
# principal database entry is listed after the catch-all so that it wins.
# NOTE(review): a master-key stash file, if one is kept in this directory,
# would also fall under the catch-all and be labelled krb5kdc_conf_t, which
# both daemons (and, via sysadmfile, the admin domain) can read; consider a
# dedicated type for it.
/usr/local/var/krb5kdc			system_u:object_r:krb5kdc_conf_t
/usr/local/var/krb5kdc/.*		system_u:object_r:krb5kdc_conf_t
/usr/local/var/krb5kdc/principal.*	system_u:object_r:krb5kdc_principal_t
# log types -- presumably the ones created by log_domain() in kerberos.te
/var/log/krb5kdc.log			system_u:object_r:krb5kdc_log_t
/var/log/kadmind.log			system_u:object_r:kadmind_log_t
# ksu is labelled like su, so it runs in the su domain and (as the covering
# mail notes) loses its Kerberos-specific behaviour; incomplete.
/usr(/local)?/bin/ksu			system_u:object_r:su_exec_t

[-- Attachment #3: kerberos.te --]
[-- Type: application/octet-stream, Size: 3725 bytes --]

#DESC Kerberos5 - MIT Kerberos5
# supports krb5kdc and kadmind daemons
# kinit, kdestroy, klist clients
# ksu support not complete
#
# includes rules for OpenSSH daemon compiled with both
# kerberos5 and SELinux support
#
# Not supported : telnetd, ftpd, kprop/kpropd daemons
#
# Author:   Kerry Thompson <kerry@crypt.gen.nz>
# 
# Companion patches: net_contexts (port labels), macros/program/ssh_macros.te
# and macros/program/su_macros.te (per-user-domain ssh/su rules).

#################################
#
# Rules for the krb5kdc_t,kadmind_t domains.
#
# Port types; the port numbers are assigned to them in net_contexts.
# kerberos_master_port_t is declared and labeled but no rule in this file
# binds or connects to it -- consistent with kprop/kpropd being
# unsupported, so nothing can currently listen on that port.
type kerberos_port_t, port_type;
type kerberos_admin_port_t, port_type;
type kerberos_master_port_t, port_type;

daemon_domain(krb5kdc)
daemon_domain(kadmind)

can_exec(krb5kdc_t, krb5kdc_exec_t)
can_exec(kadmind_t, kadmind_exec_t)

# types for general configuration files in /etc
# krb5_keytab_t holds long-term service keys: keep read access on it
# limited to the domains that must validate service tickets.  sysadmfile
# gives the administrator domain access per the base policy's rules.
type krb5_conf_t, file_type, sysadmfile;
type krb5_keytab_t, file_type, sysadmfile;

# types for KDC configs and principal file(s)
# krb5kdc_principal_t is the realm database; only krb5kdc_t and kadmind_t
# are granted write on it below.
type krb5kdc_conf_t, file_type, sysadmfile;
type krb5kdc_principal_t, file_type, sysadmfile;

# Use capabilities. Surplus capabilities may be allowed.
# NOTE(review): dac_override/chown/fowner let the daemons bypass DAC checks
# on any file their TE rules reach; once the policy is stable, drop each
# capability that never appears in the audit log.
allow krb5kdc_t krb5kdc_t:capability { setuid setgid net_bind_service chown fowner dac_override sys_nice };
allow kadmind_t kadmind_t:capability { setuid setgid net_bind_service chown fowner dac_override sys_nice };

# krb5kdc and kadmind can use network
can_network(krb5kdc_t)
can_network(kadmind_t)

# allow UDP transfer to/from any program
# NOTE(review): the macro arguments here are port types; confirm the rules
# they expand to are the intended ones.  Listening itself is permitted by
# the explicit name_bind rules below.
can_udp_send(kerberos_port_t, krb5kdc_t)
can_udp_send(krb5kdc_t, kerberos_port_t)
can_tcp_connect(kerberos_port_t, krb5kdc_t)
can_tcp_connect(kerberos_admin_port_t, kadmind_t)

# Bind to the kerberos, kerberos-adm ports.
# kadmind is given TCP only; if this build also serves the password-change
# protocol over UDP it will need a udp_socket name_bind and a labeled port
# -- TODO confirm against the daemon's listen set.
allow krb5kdc_t kerberos_port_t:udp_socket name_bind;
allow krb5kdc_t kerberos_port_t:tcp_socket name_bind;
allow kadmind_t kerberos_admin_port_t:tcp_socket name_bind;

#
# General rules for /etc/krb5.conf
# read-only for every user domain (userdomain attribute), local login
# and run_init; su and ssh domains are covered by the macro patches.
allow userdomain krb5_conf_t:file { getattr ioctl read };
allow local_login_t krb5_conf_t:file { getattr ioctl read };
allow run_init_t krb5_conf_t:file { getattr read };

# Something in the Kerberos5 library likes to open krb5.conf for writing
# dontaudit only suppresses the audit message; the write is still denied.
dontaudit userdomain krb5_conf_t:file { write };

#
# Rules for Kerberos5 KDC daemon
# unix_dgram_socket: presumably for syslog() -- confirm
allow krb5kdc_t krb5kdc_t:unix_dgram_socket { connect create write };
allow krb5kdc_t krb5_conf_t:file { getattr read };
allow krb5kdc_t krb5kdc_conf_t:dir { search };
allow krb5kdc_t krb5kdc_conf_t:file { getattr read };
# the KDC needs write (not just read) on the principal database
allow krb5kdc_t krb5kdc_principal_t:file { getattr lock read write };
allow krb5kdc_t locale_t:file { getattr read };
# same library quirk as above: silence, but do not allow, config writes
dontaudit krb5kdc_t krb5_conf_t:file { write };
dontaudit krb5kdc_t krb5kdc_conf_t:file { write };
# private tmp and log types for the daemon (see kerberos.fc for the log file)
tmp_domain(krb5kdc)
log_domain(krb5kdc)

#
# Rules for Kerberos5 Kadmin daemon
# unix_dgram_socket: presumably for syslog() -- confirm
allow kadmind_t kadmind_t:unix_dgram_socket { connect create write };
allow kadmind_t krb5_conf_t:file { getattr read };
allow kadmind_t krb5kdc_conf_t:dir { search };
allow kadmind_t krb5kdc_conf_t:file { getattr lock read };
# kadmind additionally gets setattr on the principal database
allow kadmind_t krb5kdc_principal_t:file { getattr lock read write setattr };
allow kadmind_t locale_t:file { getattr read };
dontaudit kadmind_t krb5kdc_conf_t:file { write };
tmp_domain(kadmind)
log_domain(kadmind)

#
# Allow user programs to talk to KDC
# (both directions, for every domain carrying the userdomain attribute)
allow krb5kdc_t userdomain:udp_socket { recvfrom };
allow userdomain krb5kdc_t:udp_socket { recvfrom };

ifdef(`ssh.te', `
#
# Rules for OpenSSH sshd server and ssh client compiled
# with Kerberos support
# see also macros/program/ssh_macros.te
allow krb5kdc_t sshd_t:udp_socket { recvfrom };
allow sshd_t krb5kdc_t:udp_socket { recvfrom };
allow sshd_t krb5_conf_t:file { getattr ioctl read };
# sshd is the only domain in this file allowed to read the keytab
allow sshd_t krb5_keytab_t:file { lock read };
dontaudit sshd_t krb5_conf_t:file { write };

# sshd destroys kinit-created tickets on exit
# NOTE(review): user_tmp_t is hard-coded, so this only covers user_t's
# caches, not staff_t's or other user domains'.  Both rules also reach
# every file of those types, not only credential caches; the tmp_t rule
# presumably exists because su-created caches land in plain tmp_t (see the
# su_macros.te patch) -- a type transition there, or a dedicated
# credential-cache type, would let both rules be narrowed.
allow sshd_t user_tmp_t:file { getattr read write unlink };
allow sshd_t tmp_t:file { getattr read write };
')



[-- Attachment #4: net_contexts.diff --]
[-- Type: application/octet-stream, Size: 749 bytes --]

--- net_contexts.orig	2003-07-15 16:26:00.000000000 +1200
+++ net_contexts	2003-07-15 15:48:18.000000000 +1200
@@ -75,6 +75,17 @@
 ifdef(`use_http_cache', `portcon tcp 8080  system_u:object_r:http_cache_port_t')
 ifdef(`transproxy.te', `portcon tcp 8081 system_u:object_r:transproxy_port_t')
 
+#
+# Kerberos krb5kdc, kadmind
+#
+ifdef(`kerberos.te', `
+portcon udp 88 system_u:object_r:kerberos_port_t
+portcon tcp 88 system_u:object_r:kerberos_port_t
+portcon tcp 749 system_u:object_r:kerberos_admin_port_t
+portcon udp 751 system_u:object_r:kerberos_master_port_t
+portcon tcp 751 system_u:object_r:kerberos_master_port_t
+')
+
 # Network interfaces (default = initial SID 'netif' and 'netmsg')
 #
 # interface netif_context default_msg_context
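Review bot: The new `portcon` lines label 88, 749 and 751 but not 464, the kpasswd port; if this kadmind build also serves the password-change protocol on 464 (MIT kadmind commonly does) it will be refused there, since that port keeps the default label and kadmind_t in kerberos.te only has `name_bind` on kerberos_admin_port_t over TCP. Confirm against the daemon's listen set and, if needed, add `portcon udp 464 system_u:object_r:kerberos_admin_port_t` together with a matching udp_socket name_bind rule. The kerberos_master_port_t labels on 751 are fine as a tightening, but nothing in kerberos.te can bind or connect to them yet, which is worth stating in the comment so nobody later wonders why kprop fails.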

[-- Attachment #5: ssh_macros.te.diff --]
[-- Type: application/octet-stream, Size: 613 bytes --]

--- macros/program/ssh_macros.te.orig	2003-07-16 14:23:48.000000000 +1200
+++ macros/program/ssh_macros.te	2003-07-20 20:51:22.000000000 +1200
@@ -149,6 +149,16 @@
 allow $1_ssh_t xdm_xserver_tmpfs_t:file read;
 ')
 
+ifdef(`kerberos.te', `
+# Kerberos authentication for ssh
+allow krb5kdc_t $1_ssh_t:udp_socket { recvfrom };
+allow $1_ssh_t krb5kdc_t:udp_socket { recvfrom };
+allow $1_ssh_t krb5_conf_t:file { getattr read };
+dontaudit $1_ssh_t krb5_conf_t:file { write };
+allow $1_t sshd_tmp_t:file { lock read unlink };
+allow $1_ssh_t user_tmp_t:file { lock write };
+')
+
 ')dnl  end of ifdef ssh.te
 
 
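Review bot: `allow $1_ssh_t user_tmp_t:file { lock write };` hard-codes user_tmp_t inside a macro parameterised on $1, so for staff_t and every other user domain the rule targets the wrong tmp type; it should read `allow $1_ssh_t $1_tmp_t:file { lock write };`. The preceding `allow $1_t sshd_tmp_t:file { lock read unlink };` gives every user domain read/unlink on all sshd_tmp_t files rather than just that user's credential cache; DAC still limits it to files the user owns, but a dedicated credential-cache type would make the TE rule itself narrow. The kerberos.te comment says sshd-generated credentials are stored as sshd_tmp_t, which is presumably why the rule is needed at all. The macro body these lines sit in starts and ends outside the hunk.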

[-- Attachment #6: su_macros.te.diff --]
[-- Type: application/octet-stream, Size: 784 bytes --]

--- macros/program/su_macros.te.orig	2003-07-16 14:24:53.000000000 +1200
+++ macros/program/su_macros.te	2003-07-21 10:25:03.000000000 +1200
@@ -67,6 +67,17 @@
 domain_auto_trans($1_su_t, xauth_exec_t, $1_xauth_t)
 ')
 
+# Additional rules for kerberos auth, and ksu
+ifdef(`kerberos.te', `
+allow $1_su_t krb5_conf_t:file { getattr ioctl read };
+allow $1_su_t tmp_t:dir { add_name write remove_name };
+allow $1_su_t tmp_t:file { create write setattr unlink };
+allow $1_su_t krb5kdc_t:udp_socket { recvfrom };
+allow krb5kdc_t $1_su_t:udp_socket { recvfrom };
+allow $1_su_t krb5_keytab_t:file { lock read };
+dontaudit $1_su_t krb5_conf_t:file { write };
+')
+
 # Access sshd cookie files.
 allow $1_su_t sshd_tmp_t:dir rw_dir_perms;
 allow $1_su_t sshd_tmp_t:file rw_file_perms;
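Review bot: `allow $1_su_t krb5_keytab_t:file { lock read };` gives every su domain read access to the host keytab, i.e. the host's long-term service keys; this is presumably so that ksu/PAM can verify an obtained ticket against the host key, but that should be confirmed and, if only ksu needs it, the grant kept out of the generic su domain (kerberos.fc labels ksu as su_exec_t, so the two currently share a domain and the rule cannot be separated without a ksu-specific domain). The `tmp_t:dir` and `tmp_t:file { create ... }` rules let $1_su_t create files directly in tmp_t with no type transition, so any credential cache it writes is plain tmp_t and readable by every domain allowed on that type (kerberos.te's `allow sshd_t tmp_t:file` appears to exist for exactly this reason); a file type transition from tmp_t into $1_tmp_t, or a dedicated credential-cache type, would keep those caches private to the user's own domains. The su macro body these lines extend starts and ends outside the hunk.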

