Bug 732999 - GSS module occasionally fails because of selinux
Summary: GSS module occasionally fails because of selinux
Keywords:
Status: CLOSED INSUFFICIENT_DATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.5
Hardware: Unspecified
OS: Linux
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Miroslav Grepl
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2011-08-24 12:29 UTC by Antonia Stevens
Modified: 2013-04-29 12:00 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-04-29 12:00:07 UTC



Description Antonia Stevens 2011-08-24 12:29:19 UTC
Description of problem:
	Occasionally, while starting rsyslog with a GSS listener, it will fail if SELinux is enabled; this seems to be a problem with SELinux permissions on a temporary Kerberos cache file.


Version-Release number of selected component (if applicable):

	rsyslogd: swVersion="3.22.1"
	CentOS release 5.5 (Final) 2.6.18-128.el5 #1 SMP x86_64


Occasionally, while starting rsyslog with gssapi, the listener won't start. To reproduce:

	Replace default syslog daemon with rsyslog.
	Configure rsyslog to use a gssapi listener using the following config.

		$ModLoad imgssapi # load input gss module
		$InputGSSServerServiceName rsyslog # set the name of service principal, "host" is the default one
		$InputGSSServerPermitPlainTCP off # accept GSS and TCP connections (not authenticated senders), off by default
		$InputGSSServerRun 514 # run server on port

Create a new kerberos service for rsyslog on your kdc like rsyslog/host.example.com@EXAMPLE.COM (or you can use the host entry and comment out the InputGSSServerServiceName in the config above) 

Obtain a kerberos ticket using /usr/kerberos/bin/kinit -k  rsyslog/host.example.com@EXAMPLE.COM

Restart rsyslog to use new config: service rsyslog restart

If the problem surfaces you will get a log message such as:

	Aug 24 11:50:09 host kernel: Kernel logging (proc) stopped.
	Aug 24 11:50:09 host kernel: imklog 3.22.1, log source = /proc/kmsg started.
	Aug 24 11:50:09 host rsyslogd: [origin software="rsyslogd" swVersion="3.22.1" x-pid="8568" x-info="http://www.rsyslog.com"] (re)start
	Aug 24 11:50:09 host rsyslogd: GSS-API error acquiring credentials: Unspecified GSS failure.  Minor code may provide more information
	Aug 24 11:50:09 host rsyslogd: GSS-API error acquiring credentials: Unknown code krb5 169
	Aug 24 11:50:09 host rsyslogd: GSS-API initialization failed
	Aug 24 11:50:09 host rsyslogd: error -2101 trying to add listener
	Aug 24 11:50:09 host rsyslogd: the last error occured in /etc/rsyslog.conf, line 66
	Aug 24 11:50:09 host rsyslogd-2123: CONFIG ERROR: could not interpret master config file '/etc/rsyslog.conf'. [try http://www.rsyslog.com/e/2123 ]

Kerberos error code 169 means "Permission denied in replay cache code", which happens because of SELinux; disabling SELinux fixes the problem. This might be related to https://bugzilla.redhat.com/show_bug.cgi?id=196952 and probably affects all applications that use Kerberos tickets.
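
The report stops at "disabling SELinux fixes the problem", and the follow-up question in the thread is which AVC shows up in permissive mode. The script below is an added example (not part of the bug report or of rsyslog/selinux-policy) of the step a practitioner does next: run the box in permissive mode, reproduce the restart, and pull the rsyslogd denials out of the audit log so the decision between a relabel and a policy change can be made from the actual source type, target type, class and file name. The audit.log excerpt embedded in it is constructed for illustration; the contexts (syslogd_t, tmp_t) and the replay cache file name rsyslog_0 are assumptions about what such a denial might look like, not data taken from this bug.

```shell
#!/bin/sh
# Added example: extract and summarize SELinux AVC denials for rsyslogd.
# Real usage on a RHEL/CentOS 5 box (commands exist as written):
#   setenforce 0                      # permissive: log denials, do not block
#   service rsyslog restart           # reproduce the GSS listener failure
#   ausearch -m avc -c rsyslogd       # or: rsyslog_avcs < /var/log/audit/audit.log
#   setenforce 1
# Only once the AVC is known is it clear whether the fix is a file label
# (restorecon on the replay cache path) or a policy rule; a blanket
# "audit2allow -M localrsyslog" from these lines would grant syslogd_t
# access to every tmp_t file, which is broader than the bug needs.

# Constructed sample audit.log excerpt (NOT from the bug report). Two AVC
# denials for rsyslogd on an assumed Kerberos replay cache file in /var/tmp,
# one SYSCALL record that mentions rsyslogd but is not a denial, and one
# denial for a different process. The filter must keep only the first two.
SAMPLE_AUDIT_LOG=$(cat <<'EOF'
type=AVC msg=audit(1314186609.351:211): avc:  denied  { create } for  pid=8568 comm="rsyslogd" name="rsyslog_0" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1314186609.351:211): arch=c000003e syscall=2 success=no exit=-13 comm="rsyslogd" exe="/sbin/rsyslogd" subj=system_u:system_r:syslogd_t:s0 key=(null)
type=AVC msg=audit(1314186609.352:212): avc:  denied  { write } for  pid=8568 comm="rsyslogd" name="rsyslog_0" dev=dm-0 ino=131080 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1314186700.001:230): avc:  denied  { read } for  pid=9001 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
EOF
)

# rsyslog_avcs: read an audit log on stdin, keep only AVC denials whose
# originating process is rsyslogd.
rsyslog_avcs() {
    grep 'avc:  denied' | grep 'comm="rsyslogd"'
}

# avc_field LINE KEY: print the value of a key=value token (quotes stripped).
# Tokens are whitespace separated in audit records, so a plain field walk is
# enough; the first matching key wins.
avc_field() {
    printf '%s\n' "$1" | awk -v key="$2" '
        { for (i = 1; i <= NF; i++) {
              n = index($i, "=")
              if (n && substr($i, 1, n - 1) == key) {
                  v = substr($i, n + 1); gsub(/"/, "", v); print v; exit
              }
          } }'
}

# summarize_avc LINE: "<perms> <source type> -> <target type> <class> <name>"
# Multiple permissions inside the braces are joined with commas.
summarize_avc() {
    line=$1
    perms=$(printf '%s\n' "$line" | sed -n 's/.*denied  { \([^}]*\) }.*/\1/p' | tr ' ' ',')
    src_type=$(avc_field "$line" scontext | cut -d: -f3)
    tgt_type=$(avc_field "$line" tcontext | cut -d: -f3)
    printf '%s %s -> %s %s %s\n' "$perms" "$src_type" "$tgt_type" \
        "$(avc_field "$line" tclass)" "$(avc_field "$line" name)"
}

# summarize_log: one summary line per rsyslogd denial read from stdin.
summarize_log() {
    rsyslog_avcs | while IFS= read -r line; do summarize_avc "$line"; done
}

# rsyslog_denial_count: number of rsyslogd denials in the constructed sample.
rsyslog_denial_count() {
    printf '%s\n' "$SAMPLE_AUDIT_LOG" | rsyslog_avcs | wc -l | tr -d ' '
}

# first_rsyslog_denial: summary of the first rsyslogd denial in the sample.
first_rsyslog_denial() {
    printf '%s\n' "$SAMPLE_AUDIT_LOG" | summarize_log | head -n 1
}

# Stand-alone run: print the summaries for the constructed sample.
printf '%s\n' "$SAMPLE_AUDIT_LOG" | summarize_log
```

The summary lines are what the policy maintainer asks for: they name the process domain, the label of the file it could not touch, and the object class, which is exactly the information needed to tell a mislabeled replay cache apart from a genuinely missing policy rule.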

Comment 1 Tomas Heinrich 2012-03-06 11:35:56 UTC
Reassigning to selinux-policy.

Comment 2 Miroslav Grepl 2012-03-06 12:26:05 UTC
What AVC are you getting in permissive mode?

