Bug 732999

Summary: GSS module occasionally fails because of selinux
Product: Red Hat Enterprise Linux 5
Reporter: Antonia Stevens <a>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED INSUFFICIENT_DATA
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: unspecified
Priority: unspecified
Version: 5.5
CC: dwalsh, mmalik, theinric
Target Milestone: rc
Hardware: Unspecified
OS: Linux
Doc Type: Bug Fix
Last Closed: 2013-04-29 12:00:07 UTC

Description Antonia Stevens 2011-08-24 12:29:19 UTC
Description of problem:
	Occasionally, starting rsyslog with a GSS listener fails if SELinux is enabled; this seems to be a problem with SELinux permissions on a temporary Kerberos cache file.


Version-Release number of selected component (if applicable):

	rsyslogd: swVersion="3.22.1"
	CentOS release 5.5 (Final) 2.6.18-128.el5 #1 SMP x86_64


Occasionally, while starting rsyslog with gssapi, the listener won't start. To reproduce:

	Replace the default syslog daemon with rsyslog.
	Configure rsyslog to use a gssapi listener using the following config.

		$ModLoad imgssapi # load input gss module
		$InputGSSServerServiceName rsyslog # set the name of service principal, "host" is the default one
		$InputGSSServerPermitPlainTCP off # accept GSS and TCP connections (not authenticated senders), off by default
		$InputGSSServerRun 514 # run server on port

	Create a new Kerberos service for rsyslog on your KDC like rsyslog/host.example.com (or you can use the host entry and comment out the InputGSSServerServiceName in the config above).

	Obtain a Kerberos ticket using /usr/kerberos/bin/kinit -k rsyslog/host.example.com

	Restart rsyslog to use the new config: service rsyslog restart

If the problem surfaces you will get a log message such as:

	Aug 24 11:50:09 host kernel: Kernel logging (proc) stopped.
	Aug 24 11:50:09 host kernel: imklog 3.22.1, log source = /proc/kmsg started.
	Aug 24 11:50:09 host rsyslogd: [origin software="rsyslogd" swVersion="3.22.1" x-pid="8568" x-info="http://www.rsyslog.com"] (re)start
	Aug 24 11:50:09 host rsyslogd: GSS-API error acquiring credentials: Unspecified GSS failure.  Minor code may provide more information
	Aug 24 11:50:09 host rsyslogd: GSS-API error acquiring credentials: Unknown code krb5 169
	Aug 24 11:50:09 host rsyslogd: GSS-API initialization failed
	Aug 24 11:50:09 host rsyslogd: error -2101 trying to add listener
	Aug 24 11:50:09 host rsyslogd: the last error occured in /etc/rsyslog.conf, line 66
	Aug 24 11:50:09 host rsyslogd-2123: CONFIG ERROR: could not interpret master config file '/etc/rsyslog.conf'. [try http://www.rsyslog.com/e/2123 ]

Kerberos error code 169 means "Permission denied in replay cache code", which happens because of SELinux; disabling SELinux fixes the problem. This might be related to https://bugzilla.redhat.com/show_bug.cgi?id=196952 and probably affects all applications that use Kerberos tickets.

Comment 1 Tomas Heinrich 2012-03-06 11:35:56 UTC
Reassigning to selinux-policy.

Comment 2 Miroslav Grepl 2012-03-06 12:26:05 UTC
What AVC are you getting in permissive mode?
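One way to gather what Comment 2 asks for, as an added example that is not part of the bug report: put SELinux in permissive mode so the listener starts, restart rsyslog, and filter the resulting AVC records for the denials rsyslogd raises on the Kerberos replay cache. It assumes rsyslogd runs in the syslogd_t domain and that the MIT krb5 replay cache uses its default /var/tmp/rc_* layout; the audit records it runs on offline are constructed.

```shell
#!/bin/sh
# Added example, not from the bug report: gather the AVC denials Comment 2 asks
# for and isolate the ones rsyslogd raises against the Kerberos replay cache.
# Assumptions: rsyslogd runs in the syslogd_t domain, the MIT krb5 replay cache
# is /var/tmp/rc_<service>_<n> (default layout), audit records are in
# /var/log/audit/audit.log; the sample records below are constructed.

# All AVC records raised by the rsyslogd process, read from audit log $1.
rsyslog_avcs() {
    grep 'type=AVC' "$1" | grep 'comm="rsyslogd"'
}

# The subset that touches a replay cache file (name="rc_..." or its full path).
replay_cache_avcs() {
    rsyslog_avcs "$1" | grep -E 'name="rc_|path="/var/tmp/rc_'
}

# Print how many replay-cache denials the log holds (0 when none).
count_replay_cache_avcs() {
    replay_cache_avcs "$1" | wc -l | tr -d ' '
}

# Live collection, as root, following the report's procedure: switch to
# permissive so the listener starts, restart rsyslog, then pull the denials.
collect_live() {
    setenforce 0 || return 1
    service rsyslog restart || return 1
    ausearch -m avc -c rsyslogd -ts today
}

# Constructed audit.log excerpt so the filters can be exercised offline:
# one replay-cache denial from rsyslogd, one unrelated rsyslogd denial,
# one denial from another daemon, and one non-AVC record.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
type=AVC msg=audit(1314186609.101:41): avc:  denied  { write } for  pid=8568 comm="rsyslogd" name="rc_rsyslog_0" dev=dm-0 ino=12345 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1314186609.102:42): avc:  denied  { read } for  pid=8568 comm="rsyslogd" name="kmsg" dev=proc ino=4026531865 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:proc_kmsg_t:s0 tclass=file
type=AVC msg=audit(1314186609.103:43): avc:  denied  { read } for  pid=9999 comm="sshd" name="rc_host_0" dev=dm-0 ino=12346 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1314186609.101:41): arch=c000003e syscall=2 success=yes exit=5 comm="rsyslogd" exe="/sbin/rsyslogd"
EOF

# Default run: report on the constructed sample; pass --live to collect for real.
if [ "${1:-}" = "--live" ]; then
    collect_live
else
    echo "replay-cache denials by rsyslogd: $(count_replay_cache_avcs "$SAMPLE_LOG")"
    replay_cache_avcs "$SAMPLE_LOG"
fi
```

The filtered records (scontext, tcontext, tclass and the denied permission) are what the policy maintainer needs to decide whether the replay cache file is mislabelled or the syslogd_t domain lacks an allow rule.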