Description of problem: krb5kdc raises an AVC in my Fedora 18 box. Can you please check if you really need the capability and if yes, then fix this AVC? (Or reassign the Bug to SELinux component). type=SYSCALL msg=audit(1352188144.490:2922): arch=c000003e syscall=233 success=yes exit=0 a0=5 a1=2 a2=6 a3=7fffca2d8440 items=0 ppid=1 pid=30177 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="kadmind" exe="/usr/sbin/kadmind" subj=system_u:system_r: kadmind_t:s0 key=(null) type=SERVICE_START msg=audit(1352188144.574:2923): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="kadmin" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed' type=AVC msg=audit(1352188144.865:2924): avc: denied { block_suspend } for pid=30443 comm="krb5kdc" capability=36 scontext=system_u:system_r:krb5kdc_t:s0 tcontext=system_u:system_r:krb5kdc_t:s0 tclass=capability2 type=SYSCALL msg=audit(1352188144.865:2924): arch=c000003e syscall=233 success=yes exit=0 a0=5 a1=2 a2=6 a3=7ffffcc73cb0 items=0 ppid=1 pid=30443 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="krb5kdc" exe="/usr/sbin/krb5kdc" subj=system_u:system_r: krb5kdc_t:s0 key=(null) Version-Release number of selected component (if applicable): krb5-server-1.10.3-5.fc18.x86_64 selinux-policy-3.11.1-46.fc18.noarch selinux-policy-targeted-3.11.1-46.fc18.noarch How reproducible: Steps to Reproduce: 1. Install freeipa-server package 2. Run ipa-server-install (it configures IPA including krb5kdc server) 3. Actual results: krb5kdc is successfully configured and running, authentication works, but this disturbing AVC is raised in audit.log Expected results: krb5kdc is successfully configured and running, authentication works, no AVC in audit.log. Additional info:
Moving to right Fedora version (rawhide->f18)
According to http://www.spinics.net/lists/selinux/msg12690.html (link from spoore@), the kernel's capability was renamed from epollwakeup to block_suspend, and as libverto's libev, libevent, and libtevent backends all use the epoll interfaces, I guess that's to be expected. Reassigning to selinux-policy.
Fixed in selinux-policy-3.11.1-51.fc18.noarch Nalin any other kerberos domains going to need this access?
At least kadmind will, though anything else that links with libverto (repoquery --whatrequires libverto to find their packages) will probably need it as well.
I added it also for kadmind
selinux-policy-3.11.1-57.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-57.fc18
Package selinux-policy-3.11.1-57.fc18: * should fix your issue, * was pushed to the Fedora 18 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-57.fc18' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2012-19374/selinux-policy-3.11.1-57.fc18 then log in and leave karma (feedback).
Package selinux-policy-3.11.1-59.fc18: * should fix your issue, * was pushed to the Fedora 18 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-59.fc18' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2012-19374/selinux-policy-3.11.1-59.fc18 then log in and leave karma (feedback).
Package selinux-policy-3.11.1-60.fc18: * should fix your issue, * was pushed to the Fedora 18 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-60.fc18' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2012-19374/selinux-policy-3.11.1-60.fc18 then log in and leave karma (feedback).
selinux-policy-3.11.1-60.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.