Problems with kerberos and SElinux
Stephen Smalley
sds at tycho.nsa.gov
Fri Sep 2 16:07:52 UTC 2005
On Fri, 2005-09-02 at 16:37 +0100, Keith Sharp wrote:
> Looks like the file /var/tmp/krb5kdc_rcache doesn't have a security
> context:
>
> [root at server ~]# ls -alZ /var/tmp/
> drwxrwxrwt root root system_u:object_r:tmp_t .
> drwxr-xr-x root root system_u:object_r:var_t ..
> -rw------- root root root:object_r:kadmind_tmp_t kadmin_0
> -rw------- root root krb5kdc_rcache
>
> How should I go about fixing this?
This is a result of previously booting with SELinux disabled; while
SELinux is disabled, any files created won't be assigned security
contexts. Switching to permissive mode is better than disabling SELinux
entirely, and can be done temporarily with /usr/sbin/setenforce 0
without needing to touch /etc/selinux/config or reboot. That continues
to label files but allows all accesses and just logs the denials for
review in the audit.log.

Assuming that this file is just a temporary cache, I'd suggest removing
it (or moving it aside), and then restart the process that created it in
the first place with SELinux enabled (but permissive, if necessary).

Possibly fixfiles relabel needs to purge /var/tmp as well as /tmp?
--
Stephen Smalley
National Security Agency
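
The following is an added example, not part of the original message or of any Fedora tooling: a small filter that picks out entries with no security context from a listing in the `ls -alZ` format quoted above. The function names are hypothetical, and it assumes file names without whitespace.

```shell
#!/bin/sh
# Added example (not from the original message): list entries in
# `ls -alZ` output that have no SELinux security context field.

# Listing quoted in the message above, shell prompt line omitted.
sample_listing() {
    cat <<'EOF'
drwxrwxrwt root root system_u:object_r:tmp_t .
drwxr-xr-x root root system_u:object_r:var_t ..
-rw------- root root root:object_r:kadmind_tmp_t kadmin_0
-rw------- root root krb5kdc_rcache
EOF
}

# Reads listing lines on stdin and prints the name of every entry whose line
# has no user:role:type[:level] field before the file name.
# Assumption: file names contain no whitespace (only the last field is used).
unlabeled_entries() {
    awk '
    # Only lines that start with a mode string, e.g. -rw------- or drwxrwxrwt
    $1 ~ /^[-bcdlps][-rwxsStT]+[.+]?$/ && length($1) >= 10 {
        labeled = 0
        for (i = 2; i < NF; i++)
            if ($i ~ /^[^:]+:[^:]+:[^:]+(:.*)?$/)
                labeled = 1
        if (!labeled)
            print $NF
    }'
}

# Run against the sample listing when executed directly.
sample_listing | unlabeled_entries
```

On a live host, pipe `ls -alZ /var/tmp` into `unlabeled_entries`; the names it prints are the candidates for the remove-and-recreate step described in the reply.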