kerberos server + enforcing mode?
Robert Story
rstory at sparta.com
Wed Jul 9 21:03:21 UTC 2008
On Thu, 3 Jul 2008 14:56:11 -0400 Daniel wrote:
DJW> Robert Story wrote:
DJW> >
DJW> > I'm trying to set up a kerberos KDC on a clean up-to-date F9 box in
DJW> > enforcing mode. [...] Also, I get an error when starting krb5kdc:
DJW> >
DJW> > Starting Kerberos 5 KDC: Couldn't open log file /var/log/krb5kdc.log: Permission denied
DJW> >
DJW> > The accompanying avc is:
DJW> >
DJW> > Jul 1 18:04:55 tib kernel: type=1400 audit(1214949895.536:4): avc: denied { create } for pid=1839 comm="krb5kdc" name="krb5kdc.log" scontext=unconfined_u:system_r:krb5kdc_t:s0 tcontext=system_u:object_r:krb5kdc_log_t:s0 tclass=file
DJW> >
DJW> Seems you stumbled upon a strange avc.
DJW>
DJW> If you type
DJW>
DJW> # touch /var/log/krb5kdc.log
DJW> # restorecon /var/log/krb5kdc.log
DJW>
DJW> Then start the service, does it work?
yep.
DJW> This is a long way of saying I need to update the policy to allow
DJW> krb5kdc_t to create the file.
DJW>
DJW> Fixed in selinux-policy-3.3.1-76.fc9.noarch
Ok.. while waiting for that, I used audit2allow to load the following
policy:
module mypolicy0807091636 1.0;

require {
    type krb5kdc_t;
    type krb5kdc_log_t;
    class file { create };
}

#============= krb5kdc_t ==============
allow krb5kdc_t krb5kdc_log_t:file create;
But I'm still getting the avc.. What else is missing?
--
Robert Story
SPARTA
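The question "what else is missing?" is the usual follow-up once a hand-built module loads but the daemon still fails: each `allow` only covers the permissions that have been denied so far, and the next denial (or one hidden by a dontaudit rule) shows up as a new AVC. The script below is an added example, not code from the thread or from audit2allow itself: it parses AVC lines the way audit2allow does, renders a `.te` module in the same shape as the one posted above, and reports which denied permissions a given module does not grant. The first sample AVC is the one from the post; the second (an `append` denial) is constructed for this example and is not something the list post reported.

```python
import re
from collections import defaultdict

# Sample input. Line 1 is the AVC quoted in the thread; line 2 is CONSTRUCTED
# for this example to show a follow-up denial the posted module does not cover.
SAMPLE_AVCS = """\
Jul 1 18:04:55 tib kernel: type=1400 audit(1214949895.536:4): avc: denied { create } for pid=1839 comm="krb5kdc" name="krb5kdc.log" scontext=unconfined_u:system_r:krb5kdc_t:s0 tcontext=system_u:object_r:krb5kdc_log_t:s0 tclass=file
Jul 1 18:05:12 tib kernel: type=1400 audit(1214949912.101:5): avc: denied { append } for pid=1839 comm="krb5kdc" name="krb5kdc.log" scontext=unconfined_u:system_r:krb5kdc_t:s0 tcontext=system_u:object_r:krb5kdc_log_t:s0 tclass=file
"""

# The module Robert posted, verbatim, used here as the "what is already allowed" side.
POSTED_MODULE = """\
module mypolicy0807091636 1.0;
require {
    type krb5kdc_t;
    type krb5kdc_log_t;
    class file { create };
}
allow krb5kdc_t krb5kdc_log_t:file create;
"""

# Matches the fields audit2allow needs: the permission set, both contexts, the class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

# Matches "allow src tgt:class perm;" and "allow src tgt:class { p1 p2 };" in a .te file.
ALLOW_RE = re.compile(r'^\s*allow\s+(\w+)\s+(\w+):(\w+)\s+(\{[^}]*\}|\w+)\s*;', re.M)


def selinux_type(context):
    """user:role:type[:range] -> type (the part a policy rule refers to)."""
    return context.split(':')[2]


def parse_avcs(text):
    """Return {(source_type, target_type, tclass): set(perms)} for every denial seen."""
    needed = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        key = (selinux_type(m['scontext']), selinux_type(m['tcontext']), m['tclass'])
        needed[key].update(m['perms'].split())
    return dict(needed)


def parse_allow_rules(te_text):
    """Return {(src, tgt, tclass): set(perms)} granted by the allow rules of a .te module."""
    allowed = defaultdict(set)
    for src, tgt, cls, perms in ALLOW_RE.findall(te_text):
        allowed[(src, tgt, cls)].update(perms.strip('{} ').split())
    return dict(allowed)


def uncovered(needed, allowed):
    """Denied permissions that the module does not grant: the answer to 'what else is missing'."""
    out = {}
    for key, perms in needed.items():
        missing = perms - allowed.get(key, set())
        if missing:
            out[key] = missing
    return out


def render_module(name, needed):
    """Emit a .te module in the same shape audit2allow -M produces."""
    types = sorted({t for key in needed for t in key[:2]})
    classes = defaultdict(set)
    for (_src, _tgt, cls), perms in needed.items():
        classes[cls].update(perms)
    lines = [f"module {name} 1.0;", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    lines += ["}", ""]
    for (src, tgt, cls), perms in sorted(needed.items()):
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        lines.append(f"allow {src} {tgt}:{cls} {perm_str};")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    needed = parse_avcs(SAMPLE_AVCS)
    print(render_module("mypolicy_check", needed))
    for key, perms in uncovered(needed, parse_allow_rules(POSTED_MODULE)).items():
        print("not covered by posted module:", key, sorted(perms))
```

In practice the loop is: load the module with `semodule -i`, restart the service, pull the fresh denials with `ausearch -m avc -ts recent`, and feed only those new lines to `uncovered()` against the `.te` you already loaded; if the daemon still fails with no new AVC, the remaining denial is probably covered by a dontaudit rule in the base policy rather than by anything in your module.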