[Freeipa-users] krb5-server-1.9-33.el6_3.3.x86_64 prevents named from starting when selinux is enforcing

Rob Crittenden rcritten at redhat.com
Thu Sep 20 20:17:51 UTC 2012 

Sigbjorn Lie wrote:
> On 09/20/2012 12:08 AM, Rob Crittenden wrote:
>> Sigbjorn Lie wrote:
>>> On 09/19/2012 11:05 PM, Rob Crittenden wrote:
>>>> Sigbjorn Lie wrote:
>>>>> On 09/19/2012 10:48 PM, Rob Crittenden wrote:
>>>>>> Sigbjorn Lie wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> I noticed an updated krb5-server package today advertising that it's
>>>>>>> fixing the issue with slow GSSAPI binds discussed earlier, so I
>>>>>>> installed it in my test environment, set SElinux back to
>>>>>>> enforcing in
>>>>>>> /etc/sysconfig/selinux and rebooted.
>>>>>>>
>>>>>>> The named daemon does not start now. The error below was logged in
>>>>>>> /var/log/messages:
>>>>>>>
>>>>>>> Sep 19 21:54:46 ipa01 named[3712]: GSSAPI Error: Unspecified GSS
>>>>>>> failure.  Minor code may provide more information (KDC returned
>>>>>>> error
>>>>>>> string: PROCESS_TGS)
>>>>>>>
>>>>>>> I am able to start named after setting SElinux in permissive mode
>>>>>>> (setenforce 0).
>>>>>>>
>>>>>>> Then to verify: I stop all IPA services (ipactl stop), reenabled
>>>>>>> selinux
>>>>>>> (setenforce 1), and start the IPA services (ipactl start). A new
>>>>>>> error
>>>>>>> is logged in /var/log/messages:
>>>>>>>
>>>>>>> Sep 19 22:00:49 ipa01 named[5918]: bind to LDAP server failed:
>>>>>>> Invalid
>>>>>>> credentials
>>>>>>> Sep 19 22:00:49 ipa01 named[5918]: loading configuration: permission
>>>>>>> denied
>>>>>>> Sep 19 22:00:49 ipa01 named[5918]: exiting (due to fatal error)
>>>>>>>
>>>>>>>
>>>>>>>  From the /var/log/krb5kdc.log:
>>>>>>> Sep 19 21:54:46 ipa01.ix.test.com krb5kdc[3681](info): TGS_REQ (4
>>>>>>> etypes
>>>>>>> {18 17 16 23}) 192.168.210.20: PROCESS_TGS: authtime 0, <unknown
>>>>>>> client>
>>>>>>> for <unknown server>, Cannot create replay cache file
>>>>>>> /var/tmp/krbtgt_0:
>>>>>>> File exists
>>>>>>> Sep 19 21:54:46 ipa01.ix.test.com krb5kdc[3681](info): TGS_REQ (4
>>>>>>> etypes
>>>>>>> {18 17 16 23}) 192.168.210.20: PROCESS_TGS: authtime 0, <unknown
>>>>>>> client>
>>>>>>> for <unknown server>, Cannot create replay cache file
>>>>>>> /var/tmp/krbtgt_0:
>>>>>>> File exists
>>>>>>> Sep 19 21:54:46 ipa01.ix.test.com krb5kdc[3681](info): AS_REQ (4
>>>>>>> etypes
>>>>>>> {18 17 16 23}) 192.168.210.20: NEEDED_PREAUTH:
>>>>>>> DNS/ipa01.ix.test.com at IX.TEST.COM for
>>>>>>> krbtgt/IX.TEST.COM at IX.TEST.COM,
>>>>>>> Additional pre-authentication required
>>>>>>> Sep 19 21:54:46 ipa01.ix.test.com krb5kdc[3681](info): AS_REQ (4
>>>>>>> etypes
>>>>>>> {18 17 16 23}) 192.168.210.20: ISSUE: authtime 1348084486, etypes
>>>>>>> {rep=18 tkt=18 ses=18}, DNS/ipa01.ix.test.com at IX.TEST.COM for
>>>>>>> krbtgt/IX.TEST.COM at IX.TEST.COM
>>>>>>>
>>>>>>> /var/named/data/named.run logged nothing.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Any suggestions for how to troubleshoot this issue?
>>>>>>
>>>>>> Pure guess, but:
>>>>>>
>>>>>> restorecon /var/tmp/krbtgt_0
>>>>>>
>>>>>> rob
>>>>> Sorry, that did not help. There seem to be a new error in the messages
>>>>> file every time I attempt a named restart though. See below for the
>>>>> latest:
>>>>>
>>>>> Sep 19 23:01:27 ipa01 named[12638]: default realm from krb5.conf
>>>>> (IX.TEST.COM) does not match tkey-gssapi-credential
>>>>> (DNS/ipa01.ix.test.com)
>>>>> Sep 19 23:01:27 ipa01 named[12638]: configuring TKEY: failure
>>>>> Sep 19 23:01:27 ipa01 named[12638]: loading configuration: failure
>>>>> Sep 19 23:01:27 ipa01 named[12638]: exiting (due to fatal error)
>>>>
>>>> I'd continue to check /var/log/audit/audit.log for AVCs.
>>>>
>>>> rob
>>>>
>>>
>>> OK, I had a quick look before I'm off for today. :)
>>>
>>> There's a lot of these messages, denying named access to
>>> /var/tmp/DNS_25.
>>>
>>>
>>>
>>> type=AVC msg=audit(1348086955.397:42404): avc:  denied  { getattr } for
>>> pid=11648 comm="named" path="/var/tmp/DNS_25" dev=dm-2 ino=132140
>>> scontext=unconfined_u:system_r:named_t:s0
>>> tcontext=system_u:object_r:tmp_t:s0 tclass=file
>>> type=AVC msg=audit(1348086955.398:42405): avc:  denied  { read write }
>>> for  pid=11648 comm="named" name="DNS_25" dev=dm-2 ino=132140
>>> scontext=unconfined_u:system_r:named_t:s0
>>> tcontext=system_u:object_r:tmp_t:s0 tclass=file
>>> type=AVC msg=audit(1348086955.398:42405): avc:  denied  { open } for
>>> pid=11648 comm="named" name="DNS_25" dev=dm-2 ino=132140
>>> scontext=unconfined_u:system_r:named_t:s0
>>> tcontext=system_u:object_r:tmp_t:s0 tclass=file
>>> type=AVC msg=audit(1348088487.524:42438): avc:  denied  { getattr } for
>>> pid=12639 comm="named" path="/var/tmp/DNS_25" dev=dm-2 ino=132140
>>> scontext=unconfined_u:system_r:named_t:s0
>>> tcontext=system_u:object_r:tmp_t:s0 tclass=file
>>> type=AVC msg=audit(1348088487.524:42439): avc:  denied  { unlink } for
>>> pid=12639 comm="named" name="DNS_25" dev=dm-2 ino=132140
>>> scontext=unconfined_u:system_r:named_t:s0
>>> tcontext=system_u:object_r:tmp_t:s0 tclass=file
>>> type=AVC msg=audit(1348088487.525:42440): avc:  denied  { getattr } for
>>> pid=12639 comm="named" path="/var/tmp/DNS_25" dev=dm-2 ino=132140
>>> scontext=unconfined_u:system_r:named_t:s0
>>> tcontext=system_u:object_r:tmp_t:s0 tclass=file
>>> type=AVC msg=audit(1348088487.525:42441): avc:  denied  { unlink } for
>>> pid=12639 comm="named" name="DNS_25" dev=dm-2 ino=132140
>>> scontext=unconfined_u:system_r:named_t:s0
>>> tcontext=system_u:object_r:tmp_t:s0 tclass=file
>>> type=AVC msg=audit(1348088487.525:42442): avc:  denied  { getattr } for
>>> pid=12639 comm="named" path="/var/tmp/DNS_25" dev=dm-2 ino=132140
>>> scontext=unconfined_u:system_r:named_t:s0
>>> tcontext=system_u:object_r:tmp_t:s0 tclass=file
>>> type=AVC msg=audit(1348088487.525:42443): avc:  denied  { unlink } for
>>> pid=12639 comm="named" name="DNS_25" dev=dm-2 ino=132140
>>> scontext=unconfined_u:system_r:named_t:s0
>>> tcontext=system_u:object_r:tmp_t:s0 tclass=file
>>> type=AVC msg=audit(1348088487.525:42444): avc:  denied  { getattr } for
>>> pid=12639 comm="named" path="/var/tmp/DNS_25" dev=dm-2 ino=132140
>>> scontext=unconfined_u:system_r:named_t:s0
>>> tcontext=system_u:object_r:tmp_t:s0 tclass=file
>>> type=AVC msg=audit(1348088487.526:42445): avc:  denied  { unlink } for
>>> pid=12639 comm="named" name="DNS_25" dev=dm-2 ino=132140
>>> scontext=unconfined_u:system_r:named_t:s0
>>> tcontext=system_u:object_r:tmp_t:s0 tclass=file
>>> type=AVC msg=audit(1348088487.526:42446): avc:  denied  { getattr } for
>>> pid=12639 comm="named" path="/var/tmp/DNS_25" dev=dm-2 ino=132140
>>> scontext=unconfined_u:system_r:named_t:s0
>>> tcontext=system_u:object_r:tmp_t:s0 tclass=file
>>> type=AVC msg=audit(1348088487.526:42447): avc:  denied  { unlink } for
>>> pid=12639 comm="named" name="DNS_25" dev=dm-2 ino=132140
>>> scontext=unconfined_u:system_r:named_t:s0
>>> tcontext=system_u:object_r:tmp_t:s0 tclass=file
>>> type=AVC msg=audit(1348088493.161:42449): avc:  denied  { getattr } for
>>> pid=12667 comm="named" path="/var/tmp/DNS_25" dev=dm-2 ino=132140
>>> scontext=unconfined_u:system_r:named_t:s0
>>> tcontext=system_u:object_r:tmp_t:s0 tclass=file
>>> type=AVC msg=audit(1348088493.162:42450): avc:  denied  { read write }
>>> for  pid=12667 comm="named" name="DNS_25" dev=dm-2 ino=132140
>>> scontext=unconfined_u:system_r:named_t:s0
>>> tcontext=system_u:object_r:tmp_t:s0 tclass=file
>>> type=AVC msg=audit(1348088493.162:42450): avc:  denied  { open } for
>>> pid=12667 comm="named" name="DNS_25" dev=dm-2 ino=132140
>>> scontext=unconfined_u:system_r:named_t:s0
>>> tcontext=system_u:object_r:tmp_t:s0 tclass=file
>>>
>>>
>>>
>>> I tried "restorecon /var/tmp/DNS_25", but the attributes looks the same
>>> before and after:
>>>
>>> -rw-------. named  named  system_u:object_r:tmp_t:s0 DNS_25
>>
>> Ok, I'm not sure. Perhaps selinux-policy has an update available too?
>>
>> You may want to consider temporarily setting selinux to permissive
>> while we sort this out if your system is otherwise unusable.
>>
>> rob
>>
> There is no more updates available for the system at all.
>
> I've set selinux to permissive for now.
>
> Please let me know when you know what else to troubleshoot. I have also
> updated my RH support case with this thread.

bind isn't my strongest suite.

My guess is that this file is the ccache for bind. I'm guessing that 25 
is the UID of the named user. If this is the case, then it should be 
safe to stop named, rename the file, and restart. Perhaps the contexts 
have changed so when this gets re-created it will get fixed automagically.

rob

More information about the Freeipa-users mailing list