Bug 167183
| Summary: | rpcsvcgssd doesn't start in enforcing mode | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Joachim Selke <mail> |
| Component: | krb5 | Assignee: | Nalin Dahyabhai <nalin> |
| Status: | CLOSED RAWHIDE | QA Contact: | Brian Brock <bbrock> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | rawhide | CC: | dwalsh, nalin, triage |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | bzcl34nup | | |
| Fixed In Version: | 1.6.3-9 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2008-04-04 21:13:49 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Joachim Selke
2005-08-31 12:58:44 UTC
I forgot something. Here is the output from /var/log/audit/audit.log when the service is started in enforcing mode:

```
type=AVC msg=audit(1125516415.611:1140): avc: denied { lock } for pid=8290 comm="rpc.svcgssd" name="krb5.keytab" dev=sda3 ino=327369 scontext=root:system_r:gssd_t tcontext=root:object_r:etc_t tclass=file
type=SYSCALL msg=audit(1125516415.611:1140): arch=c000003e syscall=72 success=no exit=-13 a0=5 a1=7 a2=7fffffe90180 a3=2aaaaaab3958 items=0 pid=8290 auid=10000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="rpc.svcgssd" exe="/usr/sbin/rpc.svcgssd"
type=AVC_PATH msg=audit(1125516415.611:1140): path="/etc/krb5.keytab"
```

I got it working: The reason for the errors was some files set to the wrong security context, especially /etc/krb5.keytab. I thought this context information is set automatically when these files are created, because kadmin is creating them. So, if there is no way to label the files correctly when they are created, this bug can be closed.

Thank you for your diligence! It's definitely appreciated. I've added our SELinux person to the cc list to get his opinion on what to do.

NEEDINFO_ENG has been deprecated in favor of NEEDINFO or ASSIGNED. Changing status to ASSIGNED for ENG review.

In order to get this to work correctly kadmin will need matchpathcon/setfscreatecon capabilities.

This report targets the FC3 or FC4 products, which have now been EOL'd. Could you please check that it still applies to a current Fedora release, and either update the target product or close it? Thanks.

I know we haven't done anything with this one yet, moving back to assigned for devel.

Based on the date this bug was created, it appears to have been reported against rawhide during the development of a Fedora release that is no longer maintained. In order to refocus our efforts as a project we are flagging all of the open bugs for releases which are no longer maintained.

If this bug remains in NEEDINFO thirty (30) days from now, we will automatically close it. If you can reproduce this bug in a maintained Fedora version (7, 8, or rawhide), please change this bug to the respective version and change the status to ASSIGNED. (If you're unable to change the bug's version or status, add a comment to the bug and someone will change it for you.)

Thanks for your help, and we apologize again that we haven't handled these issues to this point. The process we're following is outlined here: http://fedoraproject.org/wiki/BugZappers/F9CleanUp We will be following the process here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping to ensure this doesn't happen again.

This should be fixed as of 1.6.3-9 and later. If it isn't, please reopen this bug.
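An added example, not part of the original report or of the krb5 package: a short Python script that joins the three audit records quoted above by their event serial and reports which domain was denied which permission on which file type. The names `AUDIT_LOG`, `parse_events` and `summarize_denials` are this example's own.

```python
import re

# Audit records quoted in this report: one event (serial 1140), three records.
AUDIT_LOG = """\
type=AVC msg=audit(1125516415.611:1140): avc: denied { lock } for pid=8290 comm="rpc.svcgssd" name="krb5.keytab" dev=sda3 ino=327369 scontext=root:system_r:gssd_t tcontext=root:object_r:etc_t tclass=file
type=SYSCALL msg=audit(1125516415.611:1140): arch=c000003e syscall=72 success=no exit=-13 a0=5 a1=7 a2=7fffffe90180 a3=2aaaaaab3958 items=0 pid=8290 auid=10000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="rpc.svcgssd" exe="/usr/sbin/rpc.svcgssd"
type=AVC_PATH msg=audit(1125516415.611:1140): path="/etc/krb5.keytab"
"""

HEADER = re.compile(r"type=(\S+) msg=audit\(\d+\.\d+:(\d+)\): ?(.*)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r"avc:\s+(denied|granted)\s+\{([^}]*)\}")

def parse_events(text):
    """Group audit records by event serial: {serial: {record_type: fields}}."""
    events = {}
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue
        rtype, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        p = PERMS.search(body)
        if p:
            fields["result"], fields["perms"] = p.group(1), p.group(2).split()
        events.setdefault(int(serial), {})[rtype] = fields
    return events

def summarize_denials(text):
    """Join each denied AVC with the SYSCALL and AVC_PATH records of its event."""
    out = []
    for recs in parse_events(text).values():
        avc = recs.get("AVC", {})
        if avc.get("result") != "denied":
            continue
        sc = recs.get("SYSCALL", {})
        out.append({
            "perms": avc["perms"], "tclass": avc["tclass"],
            # SELinux contexts are user:role:type; the type is what policy checks.
            "source_type": avc["scontext"].split(":")[2],
            "target_type": avc["tcontext"].split(":")[2],
            "path": recs.get("AVC_PATH", {}).get("path", avc.get("name")),
            "exe": sc.get("exe"),
            "exit": int(sc["exit"]) if "exit" in sc else None,
        })
    return out

if __name__ == "__main__":
    print(summarize_denials(AUDIT_LOG))
```

For the event in this report the summary shows `gssd_t` denied `lock` on `/etc/krb5.keytab` labelled `etc_t`, with the syscall returning -13 (EACCES).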