Problems with kerberos and SElinux

Stephen Smalley sds at
Fri Sep 2 16:07:52 UTC 2005

On Fri, 2005-09-02 at 16:37 +0100, Keith Sharp wrote:
> Looks like the file /var/tmp/krb5kdc_rcache doesn't have a security
> context:
> [root at server ~]# ls -alZ /var/tmp/
> drwxrwxrwt  root     root     system_u:object_r:tmp_t          .
> drwxr-xr-x  root     root     system_u:object_r:var_t          ..
> -rw-------  root     root     root:object_r:kadmind_tmp_t      kadmin_0
> -rw-------  root     root                                      krb5kdc_rcache
> How should I go about fixing this?

This is a result of previously booting with SELinux disabled; while
SELinux is disabled, any files created won't be assigned security
contexts.  Switching to permissive mode is better than disabling SELinux
entirely, and can be done temporarily with /usr/sbin/setenforce 0
without needing to touch /etc/selinux/config or reboot.  That continues
to label files but allows all accesses and just logs the denials for
review in the audit.log.

Assuming that this file is just a temporary cache, I'd suggest removing
it (or moving it aside), and then restart the process that created it in
the first place with SELinux enabled (but permissive, if necessary).

Possibly fixfiles relabel needs to purge /var/tmp as well as /tmp?

Stephen Smalley
National Security Agency

More information about the fedora-selinux-list mailing list