Description of problem:
I have a working Kerberos server and want to use it with NFSv4. "SECURE_NFS=yes" is set in /etc/sysconfig/nfs and other required settings are made in /etc/gssapi_mech.conf and /etc/idmapd.conf. If enforcing mode is enabled then "service rpcsvcgssd start" fails with the following in /var/log/messages:

Aug 31 14:36:54 obelix rpc.svcgssd[3253]: ERROR: GSS-API: error in gss_acquire_cred(): Miscellaneous failure - Resource temporarily unavailable
Aug 31 14:36:54 obelix rpc.svcgssd[3253]: unable to obtain root (machine) credentials
Aug 31 14:36:54 obelix rpc.svcgssd[3253]: do you have a keytab entry for nfs/<your.host>@<YOUR.REALM> in /etc/krb5.keytab?

Disabling enforcing mode makes "service rpcsvcgssd start" succeed with no messages in /var/log/messages. In addition "service rpcsvcgssd start" succeeds in enforcing mode when the security context of /etc/init.d/rpcsvcgssd is changed from system_u:object_r:initrc_exec_t to root:object_r:etc_t (e.g. by copying /etc/init.d/rpcsvcgssd to /etc/init.d/rpcsvcgssd.test).

Version-Release number of selected component (if applicable):
nfs-utils-1.0.7-11

Steps to Reproduce:
1. setenforce 1 (this is the default)
2. service rpcsvcgssd start

Actual results:
start of rpcsvcgssd fails with error messages in /var/log/messages

Expected results:
start of rpcsvcgssd succeeds
I forgot something. Here is the output from /var/log/audit/audit.log when the service is started in enforcing mode:

type=AVC msg=audit(1125516415.611:1140): avc: denied { lock } for pid=8290 comm="rpc.svcgssd" name="krb5.keytab" dev=sda3 ino=327369 scontext=root:system_r:gssd_t tcontext=root:object_r:etc_t tclass=file
type=SYSCALL msg=audit(1125516415.611:1140): arch=c000003e syscall=72 success=no exit=-13 a0=5 a1=7 a2=7fffffe90180 a3=2aaaaaab3958 items=0 pid=8290 auid=10000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="rpc.svcgssd" exe="/usr/sbin/rpc.svcgssd"
type=AVC_PATH msg=audit(1125516415.611:1140): path="/etc/krb5.keytab"
I got it working: The reason for the errors was some files set to the wrong security context, especially /etc/krb5.keytab. I thought this context information is set automatically when these files are created, because kadmin is creating them. So, if there is no way to label the files correctly when they are created, this bug can be closed.
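The two comments above (the audit.log excerpt and the diagnosis that /etc/krb5.keytab carried the wrong label) describe the usual SELinux triage loop: read the AVC record, join it with the AVC_PATH record of the same event, and relabel the file from policy. The following Python script is an added example and is not part of the bug report or of nfs-utils; it embeds the three audit records quoted above as constructed sample input, extracts the denied permission, source and target contexts and the path, and suggests the policy-driven fix (matchpathcon to see the expected label, restorecon to apply it) rather than hard-coding a label, since the correct type for the keytab is decided by the installed file-context policy, which the thread does not state.

```python
import re

# Constructed sample: the three records quoted in the bug, one per line as in
# /var/log/audit/audit.log. They are sample input for this script, not live data.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1125516415.611:1140): avc: denied { lock } for pid=8290 comm="rpc.svcgssd" name="krb5.keytab" dev=sda3 ino=327369 scontext=root:system_r:gssd_t tcontext=root:object_r:etc_t tclass=file
type=SYSCALL msg=audit(1125516415.611:1140): arch=c000003e syscall=72 success=no exit=-13 a0=5 a1=7 a2=7fffffe90180 a3=2aaaaaab3958 items=0 pid=8290 auid=10000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="rpc.svcgssd" exe="/usr/sbin/rpc.svcgssd"
type=AVC_PATH msg=audit(1125516415.611:1140): path="/etc/krb5.keytab"
"""

# Every audit record carries msg=audit(<timestamp>:<serial>); records of one
# event (AVC, SYSCALL, AVC_PATH) share that pair, which is how they are joined.
EVENT_RE = re.compile(r'msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\)')
TYPE_RE = re.compile(r'^type=(\w+) ')
AVC_RE = re.compile(r'avc: +denied +\{ (?P<perms>[^}]+)\} for (?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def _fields(text):
    """Split 'key=value key="quoted value"' pairs into a dict, unquoting values."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(text)}


def parse_denials(log_text):
    """Return one dict per AVC denial, with the path from the matching AVC_PATH record."""
    denials = []
    paths = {}  # (timestamp, serial) -> path
    for line in log_text.splitlines():
        ev = EVENT_RE.search(line)
        ty = TYPE_RE.match(line)
        if not ev or not ty:
            continue  # not an audit record we understand
        key = (ev.group('ts'), ev.group('serial'))
        if ty.group(1) == 'AVC_PATH':
            paths[key] = _fields(line).get('path')
        elif ty.group(1) == 'AVC':
            avc = AVC_RE.search(line)
            if avc is None:
                continue  # granted or otherwise non-denial AVC record
            d = _fields(avc.group('fields'))
            d['perms'] = avc.group('perms').split()
            d['event'] = key
            denials.append(d)
    # AVC_PATH follows the AVC record, so the join happens after the full pass.
    for d in denials:
        d['path'] = paths.get(d['event'])
    return denials


def suggest_fix(denial):
    """Defender-side hint for a file denial: compare the live label against policy."""
    if denial.get('tclass') != 'file' or not denial.get('path'):
        return None
    src_type = denial['scontext'].split(':')[2]
    tgt_type = denial['tcontext'].split(':')[2]
    path = denial['path']
    return (f"{denial['comm']} ({src_type}) was denied {','.join(denial['perms'])} "
            f"on {path}, currently labelled {tgt_type}. Compare with "
            f"'matchpathcon {path}' and relabel from policy with 'restorecon -v {path}'.")


if __name__ == '__main__':
    for denial in parse_denials(SAMPLE_AUDIT_LOG):
        print(suggest_fix(denial))
```

Run against the sample, the script reports that rpc.svcgssd (gssd_t) was denied lock on /etc/krb5.keytab while the file was labelled etc_t, and points at matchpathcon/restorecon; on a real host the same parser can be fed `ausearch -m AVC` output, and restorecon only changes the label when policy says it should differ, which is safer than guessing a type by hand.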
Thank you for your diligence! It's definitely appreciated. I've added our SELINUX person to the cc list to get his opinion what to do.
NEEDINFO_ENG has been deprecated in favor of NEEDINFO or ASSIGNED. Changing status to ASSIGNED for ENG review.
In order to get this to work correctly kadmin will need matchpathcon/setfscreatecon capabilities.
This report targets the FC3 or FC4 products, which have now been EOL'd. Could you please check that it still applies to a current Fedora release, and either update the target product or close it? Thanks.
I know we haven't done anything with this one yet, moving back to assigned for devel.
Based on the date this bug was created, it appears to have been reported against rawhide during the development of a Fedora release that is no longer maintained. In order to refocus our efforts as a project we are flagging all of the open bugs for releases which are no longer maintained. If this bug remains in NEEDINFO thirty (30) days from now, we will automatically close it. If you can reproduce this bug in a maintained Fedora version (7, 8, or rawhide), please change this bug to the respective version and change the status to ASSIGNED. (If you're unable to change the bug's version or status, add a comment to the bug and someone will change it for you.) Thanks for your help, and we apologize again that we haven't handled these issues to this point. The process we're following is outlined here: http://fedoraproject.org/wiki/BugZappers/F9CleanUp We will be following the process here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping to ensure this doesn't happen again.
This should be fixed as of 1.6.3-9 and later. If it isn't please reopen this bug.