732999 – GSS module occasionally fails because of selinux

Bug 732999 - GSS module occasionally fails because of selinux

Summary: GSS module occasionally fails because of selinux

Keywords:
Status:	CLOSED INSUFFICIENT_DATA
Alias:	None
Product:	Red Hat Enterprise Linux 5
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	5.5
Hardware:	Unspecified
OS:	Linux
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Miroslav Grepl
QA Contact:	BaseOS QE Security Team
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2011-08-24 12:29 UTC by Antonia Stevens
Modified:	2013-04-29 12:00 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2013-04-29 12:00:07 UTC
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Antonia Stevens 2011-08-24 12:29:19 UTC

Description of problem:
	Occasionally while starting rsyslog with a GSS listener it will fail if selinux is enabled, this seems to be a problem with selinux permissions on a temporary kerberos cache file.


Version-Release number of selected component (if applicable):

	rsyslogd: swVersion="3.22.1"
	CentOS release 5.5 (Final) 2.6.18-128.el5 #1 SMP x86_64


Occasionally while starting rsyslog with gssapi the listener won't start, to reproduce:

	Replace default syslog daemon with rsyslog.
	Configure rsyslog to use a gssapi listener using the following config.

		$ModLoad imgssapi # load input gss module
		$InputGSSServerServiceName rsyslog # set the name of service principal, "host" is the default one
		$InputGSSServerPermitPlainTCP off # accept GSS and TCP connections (not authenticated senders), off by default
		$InputGSSServerRun 514 # run server on port

Create a new kerberos service for rsyslog on your kdc like rsyslog/host.example.com (or you can use the host entry and comment out the InputGSSServerServiceName in the config above) 

Obtain a kerberos ticket using /usr/kerberos/bin/kinit -k  rsyslog/host.example.com

Restart rsyslog to use new config: service rsyslog restart

If the problem surfaces you will get a log message such as:

	Aug 24 11:50:09 host kernel: Kernel logging (proc) stopped.
	Aug 24 11:50:09 host kernel: imklog 3.22.1, log source = /proc/kmsg started.
	Aug 24 11:50:09 host rsyslogd: [origin software="rsyslogd" swVersion="3.22.1" x-pid="8568" x-info="http://www.rsyslog.com"] (re)start
	Aug 24 11:50:09 host rsyslogd: GSS-API error acquiring credentials: Unspecified GSS failure.  Minor code may provide more information
	Aug 24 11:50:09 host rsyslogd: GSS-API error acquiring credentials: Unknown code krb5 169
	Aug 24 11:50:09 host rsyslogd: GSS-API initialization failed
	Aug 24 11:50:09 host rsyslogd: error -2101 trying to add listener
	Aug 24 11:50:09 host rsyslogd: the last error occured in /etc/rsyslog.conf, line 66
	Aug 24 11:50:09 host rsyslogd-2123: CONFIG ERROR: could not interpret master config file '/etc/rsyslog.conf'. [try http://www.rsyslog.com/e/2123 ]

Kerberos error code 169 means "Permission denied in replay cache code" which happens because of selinux, disabling selinux fixes the problem. This might be related to https://bugzilla.redhat.com/show_bug.cgi?id=196952 and probably affects all applications that use kerberos tickets.

Comment 1 Tomas Heinrich 2012-03-06 11:35:56 UTC

Reassigning to selinux-policy.

Comment 2 Miroslav Grepl 2012-03-06 12:26:05 UTC

What AVC are you getting in permissive mode?

Note You need to log in before you can comment on or make changes to this bug.