Problems with kerberos and SElinux

Keith Sharp kms at
Fri Sep 2 16:24:10 UTC 2005

On Fri, 2005-09-02 at 12:07 -0400, Stephen Smalley wrote:
> On Fri, 2005-09-02 at 16:37 +0100, Keith Sharp wrote:
> > Looks like the file /var/tmp/krb5kdc_rcache doesn't have a security
> > context:
> > 
> > [root at server ~]# ls -alZ /var/tmp/
> > drwxrwxrwt  root     root     system_u:object_r:tmp_t          .
> > drwxr-xr-x  root     root     system_u:object_r:var_t          ..
> > -rw-------  root     root     root:object_r:kadmind_tmp_t      kadmin_0
> > -rw-------  root     root                                      krb5kdc_rcache
> > 
> > How should I go about fixing this?
> This is a result of previously booting with SELinux disabled; while
> SELinux is disabled, any files created won't be assigned security
> contexts.  Switching to permissive mode is better than disabling SELinux
> entirely, and can be done temporarily with /usr/sbin/setenforce 0
> without needing to touch /etc/selinux/config or reboot.  That continues
> to label files but allows all accesses and just logs the denials for
> review in the audit.log.
> Assuming that this file is just a temporary cache, I'd suggest removing
> it (or moving it aside), and then restart the process that created it in
> the first place with SELinux enabled (but permissive, if necessary).

Removing the file and re-running "service krb5kdc start" seems to have
solved the problem.



More information about the fedora-selinux-list mailing list