Problems with kerberos and SElinux

Keith Sharp kms at passback.co.uk
Fri Sep 2 15:37:20 UTC 2005


On Fri, 2005-09-02 at 15:52 +0100, Keith Sharp wrote:
> Hello,
> 
> I am running into a problem with krb5kdc and SELinux.  Version
> information:
> 
> 	selinux-policy-targeted-1.25.3-12
> 	kernel-2.6.12-1.1398_FC4
> 	krb5-server-1.4.1-5
> 
> I was working with SELinux targeted and enforcing but I was having
> problems with kadmin so I decided to disable SELinux
> using /etc/sysconfig/selinux and reboot.  This solved my kadmin problem
> so I decided to re-enable SELinux so that I could capture traces to
> raise a bug.
> 
> When I rebooted with SELinux enabled krb5kdc failed to start and I had
> the following in /var/log/audit/audit.log:
> 
> type=AVC msg=audit(1125672380.961:124865): avc:  denied  { getattr } for  pid=1836 comm="krb5kdc" name="krb5kdc_rcache" dev=dm-0 ino=552323 scontext=root:system_r:krb5kdc_t tcontext=system_u:object_r:file_t tclass=file
> type=SYSCALL msg=audit(1125672380.961:124865): arch=40000003 syscall=195 success=no exit=-13 a0=90a3af0 a1=bff5d968 a2=3a4ff4 a3=0 items=1 pid=1836 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="krb5kdc" exe="/usr/kerberos/sbin/krb5kdc"
> type=AVC_PATH msg=audit(1125672380.961:124865):  path="/var/tmp/krb5kdc_rcache"
> type=CWD msg=audit(1125672380.961:124865):  cwd="/"
> type=PATH msg=audit(1125672380.961:124865): item=0 name="/var/tmp/krb5kdc_rcache" flags=1  inode=552323 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00
> 
> and in the log /var/log/krb5kdc.log:
> 
> krb5kdc: Permission denied in replay cache code - while initializing KDC
> replay cache 'dfl:krb5kdc_rcache'
> 
> Is this a known issue, or should I Bugzilla it?

Looks like the file /var/tmp/krb5kdc_rcache doesn't have a security
context:

[root at server ~]# ls -alZ /var/tmp/
drwxrwxrwt  root     root     system_u:object_r:tmp_t          .
drwxr-xr-x  root     root     system_u:object_r:var_t          ..
-rw-------  root     root     root:object_r:kadmind_tmp_t      kadmin_0
-rw-------  root     root                                      krb5kdc_rcache

How should I go about fixing this?

Thanks,

Keith.
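The audit trace above already contains the diagnosis if you read the AVC record and its matching PATH record together: the source is a confined daemon (krb5kdc_t) and the target type is file_t, which is what the kernel reports for a file that carries no SELinux label at all (the blank context in the `ls -Z` listing). The following Python script is an added example, not from this thread or from the Fedora or SELinux projects; it groups audit.log records by event serial, joins the AVC line to the AVC_PATH/PATH lines, and flags a file_t target as an unlabeled file rather than a policy gap. The sample input is the post's own five records embedded as a constant; the suggested next-step strings are my own, not the list's answer.

```python
import re
from collections import defaultdict

# Constructed sample: the five audit.log records quoted in the post (serial 124865).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1125672380.961:124865): avc:  denied  { getattr } for  pid=1836 comm="krb5kdc" name="krb5kdc_rcache" dev=dm-0 ino=552323 scontext=root:system_r:krb5kdc_t tcontext=system_u:object_r:file_t tclass=file
type=SYSCALL msg=audit(1125672380.961:124865): arch=40000003 syscall=195 success=no exit=-13 a0=90a3af0 a1=bff5d968 a2=3a4ff4 a3=0 items=1 pid=1836 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="krb5kdc" exe="/usr/kerberos/sbin/krb5kdc"
type=AVC_PATH msg=audit(1125672380.961:124865):  path="/var/tmp/krb5kdc_rcache"
type=CWD msg=audit(1125672380.961:124865):  cwd="/"
type=PATH msg=audit(1125672380.961:124865): item=0 name="/var/tmp/krb5kdc_rcache" flags=1  inode=552323 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00
"""

# Record header: type=<TYPE> msg=audit(<timestamp>:<serial>): <body>
HEADER_RE = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
# key=value pairs; values may be double-quoted (paths, comm) or bare tokens (contexts)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# the permission set an AVC record reports inside braces, e.g. { getattr }
PERMS_RE = re.compile(r'\{\s*([^}]*?)\s*\}')


def parse_audit(text):
    """Return {serial: {record_type: [field dicts]}} for all audit records in text."""
    events = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if not m:
            continue  # not an audit record (or truncated); skip it
        rtype, _ts, serial, body = m.groups()
        rec = {k: v.strip('"') for k, v in KV_RE.findall(body)}
        if rtype == "AVC":
            # verdict sits before the brace: "avc:  denied  { getattr } for ..."
            rec["verdict"] = "denied" if "denied" in body.split("{")[0] else "granted"
            pm = PERMS_RE.search(body)
            rec["perms"] = pm.group(1).split() if pm else []
        events[int(serial)][rtype].append(rec)
    return events


def context_type(ctx):
    """A context is user:role:type[:range]; return just the type component."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def diagnose(events):
    """Join each denied AVC to the path of the same event and classify the target label."""
    findings = []
    for serial in sorted(events):
        recs = events[serial]
        for avc in recs.get("AVC", []):
            if avc.get("verdict") != "denied":
                continue
            # AVC_PATH carries the resolved path; fall back to the PATH item's name.
            path = None
            for r in recs.get("AVC_PATH", []):
                path = r.get("path", path)
            if path is None:
                for r in recs.get("PATH", []):
                    path = r.get("name", path)
            finding = {
                "serial": serial,
                "comm": avc.get("comm"),
                "source_type": context_type(avc["scontext"]),
                "target_type": context_type(avc["tcontext"]),
                "tclass": avc.get("tclass"),
                "perms": avc["perms"],
                "path": path,
            }
            if finding["target_type"] == "file_t":
                # file_t is the type the kernel reports for an inode with no SELinux
                # label (ls -Z shows a blank context), typically one created while
                # SELinux was disabled. Next-step text is this example's suggestion.
                finding["cause"] = "unlabeled target (file_t): file has no SELinux label"
                finding["next_step"] = ("relabel it with restorecon, or remove the stale file so the "
                                        "daemon recreates it under the enforcing policy; do not "
                                        "audit2allow access to file_t")
            else:
                finding["cause"] = "labeled target: possible policy gap or wrong label for this path"
                finding["next_step"] = "compare the label with matchpathcon before touching policy"
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in diagnose(parse_audit(SAMPLE_AUDIT)):
        print(f"event {f['serial']}: {f['comm']} ({f['source_type']}) denied "
              f"{' '.join(f['perms'])} on {f['tclass']} {f['path']} [{f['target_type']}]")
        print(f"  cause: {f['cause']}")
        print(f"  next:  {f['next_step']}")
```

The point of the classification branch is that a file_t target is a labeling problem, not a missing allow rule: the confined daemon is behaving as policy intends, and generating a module with audit2allow would grant krb5kdc_t access to every unlabeled file on the system instead of fixing the one stale inode. The script reads the same records an administrator would `grep` for in /var/log/audit/audit.log, so it can be pointed at a full log and will report one finding per denied event.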
