Problems with kerberos and SElinux
kms at passback.co.uk
Fri Sep 2 16:24:10 UTC 2005
On Fri, 2005-09-02 at 12:07 -0400, Stephen Smalley wrote:
> On Fri, 2005-09-02 at 16:37 +0100, Keith Sharp wrote:
> > Looks like the file /var/tmp/krb5kdc_rcache doesn't have a security
> > context:
> > [root at server ~]# ls -alZ /var/tmp/
> > drwxrwxrwt root root system_u:object_r:tmp_t .
> > drwxr-xr-x root root system_u:object_r:var_t ..
> > -rw------- root root root:object_r:kadmind_tmp_t kadmin_0
> > -rw------- root root krb5kdc_rcache
> > How should I go about fixing this?
> This is a result of previously booting with SELinux disabled; while
> SELinux is disabled, any files created won't be assigned security
> contexts. Switching to permissive mode is better than disabling SELinux
> entirely, and can be done temporarily with /usr/sbin/setenforce 0
> without needing to touch /etc/selinux/config or reboot. That continues
> to label files but allows all accesses and just logs the denials for
> review in the audit.log.
> Assuming that this file is just a temporary cache, I'd suggest removing
> it (or moving it aside), and then restart the process that created it in
> the first place with SELinux enabled (but permissive, if necessary).
Removing the file and re-running "service krb5kdc start" seems to have
solved the problem.
More information about the fedora-selinux-list