Problems with kerberos and SElinux
Keith Sharp
kms at passback.co.uk
Fri Sep 2 15:37:20 UTC 2005
On Fri, 2005-09-02 at 15:52 +0100, Keith Sharp wrote:
> Hello,
>
> I am running into problem with krb5kdc and SELinux. Version
> information:
>
> selinux-policy-targeted-1.25.3-12
> kernel-2.6.12-1.1398_FC4
> krb5-server-1.4.1-5
>
> I was working with SELinux targeted and enforcing but I was having
> problems with kadmin so I decided to disable SELinux
> using /etc/sysconfig/selinux and reboot. This solved my kadmin problem
> so I decided to re-enable SELinux so that I could capture traces to
> raise a bug.
>
> When I rebooted with SELinux enabled krb5kdc failed to start and I had
> the following in /var/log/audit/audit.log:
>
> type=AVC msg=audit(1125672380.961:124865): avc: denied { getattr } for pid=1836 comm="krb5kdc" name="krb5kdc_rcache" dev=dm-0 ino=552323 scontext=root:system_r:krb5kdc_t tcontext=system_u:object_r:file_t tclass=file
> type=SYSCALL msg=audit(1125672380.961:124865): arch=40000003 syscall=195 success=no exit=-13 a0=90a3af0 a1=bff5d968 a2=3a4ff4 a3=0 items=1 pid=1836 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="krb5kdc" exe="/usr/kerberos/sbin/krb5kdc"
> type=AVC_PATH msg=audit(1125672380.961:124865): path="/var/tmp/krb5kdc_rcache"
> type=CWD msg=audit(1125672380.961:124865): cwd="/"
> type=PATH msg=audit(1125672380.961:124865): item=0 name="/var/tmp/krb5kdc_rcache" flags=1 inode=552323 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00
>
> and in the log /var/log/krb5kdc.log:
>
> krb5kdc: Permission denied in replay cache code - while initializing KDC
> replay cache 'dfl:krb5kdc_rcache'
>
> Is this a known issue, or should I Bugzilla it?
Looks like the file /var/tmp/krb5kdc_rcache doesn't have a security
context:
[root at server ~]# ls -alZ /var/tmp/
drwxrwxrwt root root system_u:object_r:tmp_t .
drwxr-xr-x root root system_u:object_r:var_t ..
-rw------- root root root:object_r:kadmind_tmp_t kadmin_0
-rw------- root root krb5kdc_rcache
How should I go about fixing this?
Thanks,
Keith.
More information about the fedora-selinux-list
mailing list