Bug 446482
Summary: | selinux policy prevents nscd to use krb5.conf | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Javier Palacios <javiplx> |
Component: | krb5 | Assignee: | Nalin Dahyabhai <nalin> |
Status: | CLOSED NEXTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | high | Docs Contact: | |
Priority: | low | ||
Version: | 9 | CC: | dwalsh |
Hardware: | x86_64 | ||
OS: | Linux | ||
Fixed In Version: | Doc Type: | Bug Fix | |
Last Closed: | 2008-05-17 14:25:35 UTC | Type: | --- |
Description
Javier Palacios
2008-05-14 19:59:56 UTC
Setting the SELinux enforcing mode to permissive also works, but produces plenty of similar messages coming from different applications and source contexts: polkit-read-aut, restorecond, pam_console_app.

You can allow this for now.

# audit2allow -M mypol -l -i /var/log/audit/audit.log
# semodule -i mypol.pp

Fixed in selinux-policy-3.3.1-52.fc9.noarch

I've performed a new install, to get the minimal required policy, and now I get some issues that seem more related to nscd itself. Is there any way to load the text file generated by audit2allow? I pretend to enable them on the kickstart postinstall. As the initially reported problem is actually solved, I'll close this ticket, leaving the remaining problems for bug 446482, which I believe is the proper place.

The bug pointed to in the previous note was 446499.

Besides nscd_t, I've got similar messages, where the access is denied for semanage_t and setroubleshootd_t going for krb5_conf_t

Ok so I guess you have set up a situation where every confined application that needs to use nsswitch now needs to read the kerberos configuration. I will make this change in policy.

Fixed in selinux-policy-3.3.1-53.fc9.noarch

Can I download the updated package, to check that no more friends come to this party?

Should be available shortly in koji. I will be releasing it to updates-testing tomorrow.
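
The pattern in this thread, several confined domains denied on the same krb5_conf_t target, can be spotted by grouping AVC denials by target type before writing per-domain local modules. The sketch below is an added example, not part of the bug report or of selinux-policy; the log lines are constructed, and the function names and the var_run_t line are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed audit.log lines (not from the bug report). nscd_t, semanage_t,
# setroubleshootd_t and krb5_conf_t are the types named in the thread.
SAMPLE_LOG = """\
type=AVC msg=audit(1210795196.101:41): avc:  denied  { read } for  pid=2011 comm="nscd" name="krb5.conf" dev=dm-0 ino=98311 scontext=system_u:system_r:nscd_t:s0 tcontext=system_u:object_r:krb5_conf_t:s0 tclass=file
type=AVC msg=audit(1210795196.102:42): avc:  denied  { getattr } for  pid=2011 comm="nscd" path="/etc/krb5.conf" dev=dm-0 ino=98311 scontext=system_u:system_r:nscd_t:s0 tcontext=system_u:object_r:krb5_conf_t:s0 tclass=file
type=SYSCALL msg=audit(1210795196.102:42): arch=c000003e syscall=4 success=no exit=-13 comm="nscd"
type=AVC msg=audit(1210795201.310:47): avc:  denied  { read } for  pid=2140 comm="semanage" name="krb5.conf" dev=dm-0 ino=98311 scontext=system_u:system_r:semanage_t:s0 tcontext=system_u:object_r:krb5_conf_t:s0 tclass=file
type=AVC msg=audit(1210795207.550:52): avc:  denied  { read } for  pid=1893 comm="setroubleshootd" name="krb5.conf" dev=dm-0 ino=98311 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:krb5_conf_t:s0 tclass=file
type=AVC msg=audit(1210795210.007:55): avc:  denied  { search } for  pid=2011 comm="nscd" name="run" dev=dm-0 ino=4411 scontext=system_u:system_r:nscd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)")

def selinux_type(context):
    # user:role:type:level -> type (an MLS level may contain further colons)
    return context.split(":")[2]

def denials_by_target(log_text):
    """Map (target_type, class) -> {source_type: set of perms} for AVC denials."""
    grouped = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL and other record types carry no denial tuple
        key = (selinux_type(m["tcon"]), m["tclass"])
        grouped[key][selinux_type(m["scon"])].update(m["perms"].split())
    return grouped

def shared_targets(log_text, min_sources=2):
    """Targets denied to several domains: candidates for a fix in the policy itself."""
    return {k: {s: sorted(p) for s, p in v.items()}
            for k, v in denials_by_target(log_text).items() if len(v) >= min_sources}

def allow_rules(log_text):
    """Render each denial as an allow rule in SELinux policy (.te) syntax."""
    rules = []
    for (ttype, tclass), sources in sorted(denials_by_target(log_text).items()):
        for stype, perms in sorted(sources.items()):
            rules.append(f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return rules
```

A target that appears in `shared_targets` for many unrelated domains is worth reporting upstream, as happened here, rather than papering over with one local module per domain.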