Description of problem:

# service krb5kdc start
Starting Kerberos 5 KDC: file_contexts: invalid context system_u:object_r:krb5kdc_conf_t:s0
file_contexts: invalid context system_u:object_r:krb5_conf_t:s0
file_contexts: invalid context system_u:object_r:krb5kdc_log_t:s0
file_contexts: invalid context system_u:object_r:krb5kdc_log_t:s0

Version-Release number of selected component (if applicable):

# rpm -q krb5-server centos-release
krb5-server-1.6.1-17.el5
centos-release-5-1.0.el5.centos.1

If I disable selinux into permissive mode temporarily, I don't get those. (Although it still fails to start, but that's most likely my config still.)
Running:
# fixfiles -R krb5-server restore
did not help.
# service kadmin restart
Stopping Kerberos 5 Admin Server: [ OK ]
Starting Kerberos 5 Admin Server: file_contexts: invalid context system_u:object_r:krb5kdc_conf_t:s0
file_contexts: invalid context system_u:object_r:krb5_conf_t:s0
file_contexts: invalid context system_u:object_r:kadmind_log_t:s0
file_contexts: invalid context system_u:object_r:kadmind_log_t:s0
file_contexts: invalid context system_u:object_r:krb5kdc_principal_t:s0
file_contexts: invalid context system_u:object_r:krb5kdc_conf_t:s0
file_contexts: invalid context system_u:object_r:krb5kdc_conf_t:s0

The same seems to apply to kadmind too.
Feb 5 12:11:05 xxxx kernel: audit(1202206265.083:13): avc: denied { write } for pid=21429 comm="krb5kdc" name="context" dev=selinuxfs ino= 5 scontext=root:system_r:krb5kdc_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
I just tried to set up a krb5 slave on a CentOS 5.1 server and ran into the same problem. I don't, however, see any denials and it does not seem to prevent the server from starting.
What selinux policy do you have installed?
rpm -q selinux-policy
# service krb5kdc restart
Stopping Kerberos 5 KDC: [ OK ]
Starting Kerberos 5 KDC: file_contexts: invalid context system_u:object_r:krb5kdc_conf_t:s0
file_contexts: invalid context system_u:object_r:krb5_conf_t:s0
file_contexts: invalid context system_u:object_r:krb5kdc_log_t:s0
file_contexts: invalid context system_u:object_r:krb5kdc_log_t:s0
file_contexts: invalid context system_u:object_r:krb5kdc_principal_t:s0
file_contexts: invalid context system_u:object_r:krb5kdc_principal_t:s0
file_contexts: invalid context system_u:object_r:krb5kdc_conf_t:s0
[ OK ]
# rpm -q selinux-policy
selinux-policy-2.4.6-106.el5_1.3
Please test out the U2 policy and see if this problem is fixed. Preview available on http://people.redhat.com/dwalsh/SELinux/RHEL5
# service krb5kdc restart
Stopping Kerberos 5 KDC: [ OK ]
Starting Kerberos 5 KDC: [ OK ]
# rpm -qa|grep selinux-policy
selinux-policy-targeted-2.4.6-134.el5
selinux-policy-2.4.6-134.el5
# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 21
Policy from config file: targeted

Thank you.
Marking as fixed by the selinux-policy update. Moving to the component in which it was fixed.