Description of problem:
I just installed an F11 server and I use Kerberos for authentication. Unfortunately even with all the proper files configured I cannot get it to work (this works fine on F10). I see the following AVC in my audit log:

type=AVC msg=audit(1245079913.143:211): avc: denied { read } for pid=3105 comm="sshd" name=".k5login" dev=dm-0 ino=92021 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:krb5_home_t:s0 tclass=file

This leads me to believe that there's a bug in the policy?

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.6.12-39.fc11.noarch
openssh-server-5.2p1-2.fc11.i586

How reproducible:
100%. It happens every time. However, there isn't any particular error message produced in the ssh logs that explains why the GSSAPI authentication failed.

Steps to Reproduce:
1. Set up Kerberos + Keytab
2. Set up k5login
3. ssh using Kerberos

Actual results:
It falls back and asks for my password (or falls back to PubKey Auth). The only available output signalling the failure is the AVC.

Expected results:
GSSAPI Authentication should work.

Additional info:
You can add these rules for now using:

# grep avc /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Fixed in selinux-policy-3.6.12-52.fc11.noarch
Just updated to 3.6.12-53 and this problem is indeed solved. Thank you.