Bug 1752577 - selinux prevents auditd to use KRB5 peer authentication for remote logging
Summary: selinux prevents auditd to use KRB5 peer authentication for remote logging
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.7
Hardware: All
OS: Linux
Target Milestone: rc
: ---
Assignee: Lukas Vrabec
QA Contact: Milos Malik
Michal Stubna
Depends On: 1740146
TreeView+ depends on / blocked
Reported: 2019-09-16 16:55 UTC by Ondrej Moriš
Modified: 2019-10-02 12:40 UTC (History)
9 users (show)

Fixed In Version:
Doc Type: Known Issue
Doc Text:
.Auditd server does not start on remote logging servers using KRB5 peer authentication The SELinux policy does not contain the `auditd_tmp_t` file type for the temporary directories and files created by processes running under `auditd_t` SELinux type. This prevents starting the `auditd` service on a server when KRB5 peer authentication is used for remote logging. To work around this problem, either set `auditd_t` domain to permissive mode or build a custom SELinux policy that allows processes running under `auditd_t` type to create and modify files and directories in the `/var/tmp` directory. As a result, `auditd` server using KRB5 peer authentication for remote logging can be started only after applying the described workaround.
Clone Of: 1740146
Last Closed: 2019-10-02 12:40:22 UTC
Target Upstream Version:

Attachments (Terms of Use)

Comment 6 Zdenek Pytela 2019-09-18 13:13:12 UTC
This issue was not selected to be included in Red Hat Enterprise Linux 7 because it is seen either as low or moderate impact to a small number of use-cases. The next minor release will be in Maintenance Support 1 Phase, which means that qualified Critical and Important Security errata advisories (RHSAs) and Urgent Priority Bug Fix errata advisories (RHBAs) may be released as they become available.

We will now close this issue, but if you believe that it qualifies for the Maintenance Support 1 Phase, please re-open; otherwise, we recommend moving the request to Red Hat Enterprise Linux 8 if applicable.

Note You need to log in before you can comment on or make changes to this bug.