Description of problem:
rsyslog-gssapi gives rsyslog the ability to use gssapi, see http://www.rsyslog.com/doc/gssapi.html
But rsyslog on both the client and the server is blocked by selinux. AVC messages attached.
For some strange reason, rsyslog on the client is using the krb5 ticket (initiated by root) instead of the keytab file (as the rsyslog server does).

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-154.el6.noarch
rsyslog-5.8.10-2.el6.x86_64

How reproducible:
always

Steps to Reproduce:
set up gssapi according to http://www.rsyslog.com/doc/gssapi.html
Be aware that rsyslog gssapi functionality is partially broken now, but a server <-> client gssapi-only connection is working.
Created attachment 628179 [details] server's and client's audit.log
Will backport from Fedora.
Not fixed yet... rsyslogd still cannot access root's krb5 ticket.

# rpm -q selinux-policy
selinux-policy-3.7.19-183.el6.noarch

[root@pes-guest-78 rsyslog-gssapi-log-delivery-sanity]# cat ~/client_dontaudit.log | audit2allow

#============= syslogd_t ==============
#!!!! This avc has a dontaudit rule in the current policy
allow syslogd_t admin_home_t:dir search;
#!!!! This avc has a dontaudit rule in the current policy
allow syslogd_t user_tmp_t:file read;

A custom module with "allow syslogd_t user_tmp_t:file read;" fixed that for me, but as I already said, rsyslog doesn't use the keytab but the krb5 ticket (bug 867032). I believe that access to the krb5 ticket should not be allowed by default but controlled by some selinux boolean.
So, something like what we have for gssd_t:

tunable_policy(`allow_gssd_read_tmp',`
	userdom_list_user_tmp(gssd_t)
	userdom_read_user_tmp_files(gssd_t)
	userdom_read_user_tmp_symlinks(gssd_t)
')
OK, to be more precise, the client part is not fixed. But the server part seems to work fine now.
So it needs userdom_read_user_tmp_files(syslogd_t)
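Added example, not from the bug report, the reporter, or the selinux-policy package: a loadable module that grants syslogd_t exactly the two accesses audit2allow listed above (admin_home_t:dir search and user_tmp_t:file read), but gated behind a boolean the way the gssd_t tunable quoted above does it, which is what the reporter asked for. It is written in raw module policy language rather than with the refpolicy interface userdom_read_user_tmp_files() used for the shipped fix, so it compiles with checkmodule alone. The module name rsyslog_krb5cc, the boolean name syslogd_read_user_tmp, the extra "open" and "getattr" permissions (the quoted AVCs only show "read"), and the sample audit lines are all assumptions made for this example. The script also includes a small filter that pulls the syslogd_t denials against those two types out of an audit.log so you can confirm the module covers what the log actually shows.

```shell
#!/bin/sh
# Added example (not part of the bug report or of selinux-policy).
# Builds a boolean-gated SELinux module letting rsyslogd read a krb5
# credential cache under /tmp, and filters the relevant AVCs from audit.log.

# Print the policy module source. Module and boolean names are invented here;
# "open"/"getattr" are assumed to be needed in addition to the "read" seen
# in the reported AVC.
gen_te() {
    cat <<'EOF'
module rsyslog_krb5cc 1.0;

require {
    type syslogd_t;
    type user_tmp_t;
    type admin_home_t;
    class file { read open getattr };
    class dir search;
}

# Off by default: a daemon reading a user's credential cache is opt-in.
bool syslogd_read_user_tmp false;

if (syslogd_read_user_tmp) {
    # /root is admin_home_t; the cache itself (/tmp/krb5cc_0) is user_tmp_t.
    allow syslogd_t admin_home_t:dir search;
    allow syslogd_t user_tmp_t:file { read open getattr };
}
EOF
}

# Constructed sample audit records (not the attachment from the bug), shaped
# like RHEL 6 AVC lines. The third line is noise from another domain.
SAMPLE_AUDIT='type=AVC msg=audit(1350000000.101:201): avc:  denied  { search } for  pid=1234 comm="rsyslogd" name="root" dev=dm-0 ino=1001 scontext=unconfined_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
type=AVC msg=audit(1350000000.102:202): avc:  denied  { read } for  pid=1234 comm="rsyslogd" name="krb5cc_0" dev=dm-0 ino=1002 scontext=unconfined_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
type=AVC msg=audit(1350000000.103:203): avc:  denied  { write } for  pid=2222 comm="httpd" name="index.html" dev=dm-0 ino=1003 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file'

# Read audit lines on stdin; print "tclass perms target_type" for each
# denial of syslogd_t against user_tmp_t or admin_home_t, skip the rest.
syslogd_krb_denials() {
    grep 'scontext=[^ ]*:syslogd_t:' \
    | grep -E 'tcontext=[^ ]*:(user_tmp_t|admin_home_t):' \
    | sed -E 's/.*denied  [{] ([a-z_ ]+) [}] .*tcontext=[a-z_]+:[a-z_]+:([a-z_]+):[^ ]* tclass=([a-z_]+).*/\3 \1 \2/'
}

# Compile, package and load the module, then turn the boolean on.
# Returns 2 without touching the system if the SELinux toolchain is missing.
build_and_load() {
    dir=${1:-/tmp/rsyslog_krb5cc}
    for tool in checkmodule semodule_package semodule setsebool; do
        command -v "$tool" >/dev/null 2>&1 || { echo "missing $tool" >&2; return 2; }
    done
    mkdir -p "$dir"
    gen_te > "$dir/rsyslog_krb5cc.te"
    checkmodule -M -m -o "$dir/rsyslog_krb5cc.mod" "$dir/rsyslog_krb5cc.te"
    semodule_package -o "$dir/rsyslog_krb5cc.pp" -m "$dir/rsyslog_krb5cc.mod"
    semodule -i "$dir/rsyslog_krb5cc.pp"
    setsebool -P syslogd_read_user_tmp on
}

# Usage: sh rsyslog_krb5cc.sh /tmp/rsyslog_krb5cc   (as root, to build and load)
# With no argument the script only defines the functions above.
if [ -n "${1:-}" ]; then
    build_and_load "$1"
fi
```

Before loading anything on a real host, run "syslogd_krb_denials < /var/log/audit/audit.log" and check that every line it prints is one of the two rules in gen_te; if a third object type shows up (a symlink, a different directory), the module is incomplete and the AVC should be added deliberately rather than with a blanket audit2allow. Because the reported AVCs carry dontaudit rules in the stock policy, they only appear after "semodule -DB" (disable dontaudit), which is presumably how client_dontaudit.log above was produced. Remove the module again with "semodule -r rsyslog_krb5cc".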
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2013-0314.html