Bug 732999 - GSS module occasionally fails because of selinux
Status: CLOSED INSUFFICIENT_DATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.5
Hardware/OS: Unspecified / Linux
Priority/Severity: unspecified / unspecified
Target Milestone: rc
Assigned To: Miroslav Grepl
QA Contact: BaseOS QE Security Team
Reported: 2011-08-24 08:29 EDT by Jarl Stefansson
Modified: 2013-04-29 08:00 EDT
Last Closed: 2013-04-29 08:00:07 EDT
Doc Type: Bug Fix
Attachments: None

Description Jarl Stefansson 2011-08-24 08:29:19 EDT
Description of problem:
	Occasionally, while starting rsyslog with a GSS listener, it fails if selinux is enabled; this seems to be a problem with selinux permissions on a temporary kerberos cache file.


Version-Release number of selected component (if applicable):

	rsyslogd: swVersion="3.22.1"
	CentOS release 5.5 (Final) 2.6.18-128.el5 #1 SMP x86_64


Occasionally while starting rsyslog with gssapi the listener won't start, to reproduce:

	Replace default syslog daemon with rsyslog.
	Configure rsyslog to use a gssapi listener using the following config.

		$ModLoad imgssapi # load input gss module
		$InputGSSServerServiceName rsyslog # set the name of service principal, "host" is the default one
		$InputGSSServerPermitPlainTCP off # accept GSS and TCP connections (not authenticated senders), off by default
		$InputGSSServerRun 514 # run server on port

Create a new kerberos service for rsyslog on your kdc like rsyslog/host.example.com@EXAMPLE.COM (or you can use the host entry and comment out the InputGSSServerServiceName in the config above) 

Obtain a kerberos ticket using /usr/kerberos/bin/kinit -k  rsyslog/host.example.com@EXAMPLE.COM

Restart rsyslog to use new config: service rsyslog restart

If the problem surfaces you will get a log message such as:

	Aug 24 11:50:09 host kernel: Kernel logging (proc) stopped.
	Aug 24 11:50:09 host kernel: imklog 3.22.1, log source = /proc/kmsg started.
	Aug 24 11:50:09 host rsyslogd: [origin software="rsyslogd" swVersion="3.22.1" x-pid="8568" x-info="http://www.rsyslog.com"] (re)start
	Aug 24 11:50:09 host rsyslogd: GSS-API error acquiring credentials: Unspecified GSS failure.  Minor code may provide more information
	Aug 24 11:50:09 host rsyslogd: GSS-API error acquiring credentials: Unknown code krb5 169
	Aug 24 11:50:09 host rsyslogd: GSS-API initialization failed
	Aug 24 11:50:09 host rsyslogd: error -2101 trying to add listener
	Aug 24 11:50:09 host rsyslogd: the last error occured in /etc/rsyslog.conf, line 66
	Aug 24 11:50:09 host rsyslogd-2123: CONFIG ERROR: could not interpret master config file '/etc/rsyslog.conf'. [try http://www.rsyslog.com/e/2123 ]

Kerberos error code 169 means "Permission denied in replay cache code" which happens because of selinux, disabling selinux fixes the problem. This might be related to https://bugzilla.redhat.com/show_bug.cgi?id=196952 and probably affects all applications that use kerberos tickets.
Comment 1 Tomas Heinrich 2012-03-06 06:35:56 EST
Reassigning to selinux-policy.
Comment 2 Miroslav Grepl 2012-03-06 07:26:05 EST
What AVC are you getting in permissive mode?
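Added triage helper, not part of the bug report or of rsyslog: it pulls the krb5 minor code out of the imgssapi failure messages quoted in the description, flags the SELinux replay-cache diagnosis when the host is enforcing, and prints the commands that gather the permissive-mode AVC requested in comment 2. It assumes the operator passes the output of getenforce as the second argument; the sample log is constructed from the messages quoted above.

```shell
#!/bin/sh
# Added triage helper (not part of the bug report). Given a file of rsyslogd
# messages and the host's SELinux mode (the operator passes the output of
# getenforce), it extracts the krb5 minor code from the imgssapi failure and
# flags whether the SELinux replay-cache diagnosis from the report applies.

# triage_gss_failure LOGFILE MODE
# Prints "krb5=<code> selinux_suspect=<yes|no>"; returns 1 when no GSS-API
# credential failure with a krb5 minor code is present.
triage_gss_failure() {
    logfile="$1"
    mode="$2"
    code="$(sed -n 's/.*GSS-API error acquiring credentials: Unknown code krb5 \([0-9][0-9]*\).*/\1/p' "$logfile" | head -n 1)"
    [ -n "$code" ] || return 1
    suspect=no
    # krb5 169 is "Permission denied in replay cache code"; in enforcing mode
    # an AVC denial on the replay cache file is the first thing to rule out.
    if [ "$code" -eq 169 ] && [ "$mode" = "Enforcing" ]; then
        suspect=yes
    fi
    echo "krb5=$code selinux_suspect=$suspect"
}

# Prints the commands that gather what comment 2 asks for: reproduce with
# SELinux permissive and capture the AVC denials logged for rsyslogd.
collect_avc_commands() {
    cat <<'EOF'
setenforce 0
service rsyslog restart
ausearch -m avc -c rsyslogd
setenforce 1
EOF
}

# Constructed sample built from the messages quoted in the report.
sample="$(mktemp)"
cat >"$sample" <<'EOF'
Aug 24 11:50:09 host rsyslogd: GSS-API error acquiring credentials: Unspecified GSS failure.  Minor code may provide more information
Aug 24 11:50:09 host rsyslogd: GSS-API error acquiring credentials: Unknown code krb5 169
Aug 24 11:50:09 host rsyslogd: GSS-API initialization failed
Aug 24 11:50:09 host rsyslogd: error -2101 trying to add listener
EOF

if result="$(triage_gss_failure "$sample" Enforcing)"; then
    echo "$result"
    case "$result" in *selinux_suspect=yes*) collect_avc_commands ;; esac
fi
rm -f "$sample"
```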
