kerberos server + enforcing mode?

Robert Story rstory at sparta.com
Tue Jul 1 23:37:04 UTC 2008


Hi,

I'm trying to set up a Kerberos KDC on a clean up-to-date F9 box in
enforcing mode. I'm following an online tutorial, and I get to the
point where I'm trying to set the default policy, and the command fails
with "modify_principal: Insufficient access to lock database". Some
googling turned up 2 suggestions: switching to permissive mode, or
stopping kadmin and restarting it manually instead of using the
service command. Both of those solutions worked. Is there some policy
piece missing?

Also, I get an error when starting krb5kdc:

Starting Kerberos 5 KDC: Couldn't open log file /var/log/krb5kdc.log: Permission denied

The accompanying avc is:

Jul  1 18:04:55 tib kernel: type=1400 audit(1214949895.536:4): avc:  denied  { create } for  pid=1839 comm="krb5kdc" name="krb5kdc.log" scontext=unconfined_u:system_r:krb5kdc_t:s0 tcontext=system_u:object_r:krb5kdc_log_t:s0 tclass=file

kadmind starts fine, and kadmind.log is created without a problem...

-- 
Robert Story
SPARTA
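The AVC record quoted in the post carries everything needed to reason about the denial: the source domain (krb5kdc_t), the SELinux user it is running with (unconfined_u rather than system_u), the target type (krb5kdc_log_t) and the permission set ({ create } on class file). The following is an added example, not code from the post or from the Fedora policy tools: a small parser for kernel AVC lines that pulls those fields out, prints the allow rule that would satisfy the denial (the same shape audit2allow emits), and flags the two things a practitioner would look at first. The sample line is a constructed copy of the post's AVC; on a real box you would feed it lines from /var/log/messages or audit.log and still confirm against sesearch and audit2allow before touching policy.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: the AVC record from the post above, reproduced as a
# single syslog line so the parser can be exercised offline.
SAMPLE_AVC = (
    'Jul  1 18:04:55 tib kernel: type=1400 audit(1214949895.536:4): avc:  denied  '
    '{ create } for  pid=1839 comm="krb5kdc" name="krb5kdc.log" '
    'scontext=unconfined_u:system_r:krb5kdc_t:s0 '
    'tcontext=system_u:object_r:krb5kdc_log_t:s0 tclass=file'
)

# "avc:  denied  { perm perm } for  key=value key="quoted value" ..."
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class SELinuxContext:
    user: str
    role: str
    type: str
    level: str

    @classmethod
    def parse(cls, text: str) -> "SELinuxContext":
        # user:role:type[:level]; an MLS/MCS level may itself contain colons
        # (e.g. s0-s0:c0.c1023), so split at most three times.
        parts = text.split(":", 3)
        if len(parts) < 3:
            raise ValueError(f"not a security context: {text!r}")
        user, role, type_ = parts[:3]
        level = parts[3] if len(parts) == 4 else ""
        return cls(user, role, type_, level)


@dataclass
class AvcRecord:
    result: str
    perms: List[str]
    fields: Dict[str, str]
    scontext: SELinuxContext
    tcontext: SELinuxContext

    @property
    def tclass(self) -> str:
        return self.fields["tclass"]


def parse_avc(line: str) -> Optional[AvcRecord]:
    """Parse one kernel/audit AVC line; return None for lines that are not AVCs."""
    m = AVC_RE.search(line)
    if not m:
        return None
    perms = m.group("perms").split()
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return AvcRecord(
        result=m.group("result"),
        perms=perms,
        fields=fields,
        scontext=SELinuxContext.parse(fields["scontext"]),
        tcontext=SELinuxContext.parse(fields["tcontext"]),
    )


def allow_rule(rec: AvcRecord) -> str:
    """The TE rule that would permit exactly this access (audit2allow-style)."""
    return (f"allow {rec.scontext.type} {rec.tcontext.type}:{rec.tclass} "
            f"{{ {' '.join(rec.perms)} }};")


def diagnose(rec: AvcRecord) -> List[str]:
    """Observations a reviewer would make from the record alone."""
    notes: List[str] = []
    if rec.result != "denied":
        return notes
    # A system_r daemon normally carries system_u when init starts it; any other
    # SELinux user means it inherited the user of a login session.
    if rec.scontext.role == "system_r" and rec.scontext.user != "system_u":
        notes.append(
            f"{rec.fields.get('comm', '?')} runs in {rec.scontext.type} with SELinux user "
            f"{rec.scontext.user}, inherited from a login session rather than init."
        )
    # Target type shares the daemon's prefix (krb5kdc_t -> krb5kdc_log_t): the
    # file is labelled as the daemon's own log type, so this is not a simple
    # mislabel that restorecon would fix; the domain's rules are what to check.
    base = rec.scontext.type[:-2] if rec.scontext.type.endswith("_t") else rec.scontext.type
    if rec.tcontext.type.startswith(base):
        notes.append(
            f"target {rec.tcontext.type} is {rec.scontext.type}'s own type; "
            f"missing rule would be: {allow_rule(rec)}"
        )
    return notes


if __name__ == "__main__":
    rec = parse_avc(SAMPLE_AVC)
    assert rec is not None
    print(allow_rule(rec))
    for note in diagnose(rec):
        print("-", note)
```

The context parser splits at most three times so MCS/MLS ranges with embedded colons survive intact; the diagnosis only states what the record itself supports, and the printed allow rule is a starting point for comparison with `sesearch -A -s krb5kdc_t -t krb5kdc_log_t -c file`, not a rule to load blindly.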