[Freeipa-users] krb5-server-1.9-33.el6_3.3.x86_64 prevents named from starting when selinux is enforcing

Rob Crittenden rcritten at redhat.com
Wed Sep 19 22:08:34 UTC 2012 

Sigbjorn Lie wrote:
> On 09/19/2012 11:05 PM, Rob Crittenden wrote:
>> Sigbjorn Lie wrote:
>>> On 09/19/2012 10:48 PM, Rob Crittenden wrote:
>>>> Sigbjorn Lie wrote:
>>>>> Hi,
>>>>>
>>>>> I noticed an updated krb5-server package today advertising that it's
>>>>> fixing the issue with slow GSSAPI binds discussed earlier, so I
>>>>> installed it in my test environment, set SElinux back to enforcing in
>>>>> /etc/sysconfig/selinux and rebooted.
>>>>>
>>>>> The named daemon does not start now. The error below was logged in
>>>>> /var/log/messages:
>>>>>
>>>>> Sep 19 21:54:46 ipa01 named[3712]: GSSAPI Error: Unspecified GSS
>>>>> failure.  Minor code may provide more information (KDC returned error
>>>>> string: PROCESS_TGS)
>>>>>
>>>>> I am able to start named after setting SElinux in permissive mode
>>>>> (setenforce 0).
>>>>>
>>>>> Then to verify: I stop all IPA services (ipactl stop), reenabled
>>>>> selinux
>>>>> (setenforce 1), and start the IPA services (ipactl start). A new error
>>>>> is logged in /var/log/messages:
>>>>>
>>>>> Sep 19 22:00:49 ipa01 named[5918]: bind to LDAP server failed: Invalid
>>>>> credentials
>>>>> Sep 19 22:00:49 ipa01 named[5918]: loading configuration: permission
>>>>> denied
>>>>> Sep 19 22:00:49 ipa01 named[5918]: exiting (due to fatal error)
>>>>>
>>>>>
>>>>>  From the /var/log/krb5kdc.log:
>>>>> Sep 19 21:54:46 ipa01.ix.test.com krb5kdc[3681](info): TGS_REQ (4
>>>>> etypes
>>>>> {18 17 16 23}) 192.168.210.20: PROCESS_TGS: authtime 0, <unknown
>>>>> client>
>>>>> for <unknown server>, Cannot create replay cache file
>>>>> /var/tmp/krbtgt_0:
>>>>> File exists
>>>>> Sep 19 21:54:46 ipa01.ix.test.com krb5kdc[3681](info): TGS_REQ (4
>>>>> etypes
>>>>> {18 17 16 23}) 192.168.210.20: PROCESS_TGS: authtime 0, <unknown
>>>>> client>
>>>>> for <unknown server>, Cannot create replay cache file
>>>>> /var/tmp/krbtgt_0:
>>>>> File exists
>>>>> Sep 19 21:54:46 ipa01.ix.test.com krb5kdc[3681](info): AS_REQ (4
>>>>> etypes
>>>>> {18 17 16 23}) 192.168.210.20: NEEDED_PREAUTH:
>>>>> DNS/ipa01.ix.test.com at IX.TEST.COM for krbtgt/IX.TEST.COM at IX.TEST.COM,
>>>>> Additional pre-authentication required
>>>>> Sep 19 21:54:46 ipa01.ix.test.com krb5kdc[3681](info): AS_REQ (4
>>>>> etypes
>>>>> {18 17 16 23}) 192.168.210.20: ISSUE: authtime 1348084486, etypes
>>>>> {rep=18 tkt=18 ses=18}, DNS/ipa01.ix.test.com at IX.TEST.COM for
>>>>> krbtgt/IX.TEST.COM at IX.TEST.COM
>>>>>
>>>>> /var/named/data/named.run logged nothing.
>>>>>
>>>>>
>>>>>
>>>>> Any suggestions for how to troubleshoot this issue?
>>>>
>>>> Pure guess, but:
>>>>
>>>> restorecon /var/tmp/krbtgt_0
>>>>
>>>> rob
>>> Sorry, that did not help. There seem to be a new error in the messages
>>> file every time I attempt a named restart though. See below for the
>>> latest:
>>>
>>> Sep 19 23:01:27 ipa01 named[12638]: default realm from krb5.conf
>>> (IX.TEST.COM) does not match tkey-gssapi-credential
>>> (DNS/ipa01.ix.test.com)
>>> Sep 19 23:01:27 ipa01 named[12638]: configuring TKEY: failure
>>> Sep 19 23:01:27 ipa01 named[12638]: loading configuration: failure
>>> Sep 19 23:01:27 ipa01 named[12638]: exiting (due to fatal error)
>>
>> I'd continue to check /var/log/audit/audit.log for AVCs.
>>
>> rob
>>
>
> OK, I had a quick look before I'm off for today. :)
>
> There's a lot of these messages, denying named access to /var/tmp/DNS_25.
>
>
>
> type=AVC msg=audit(1348086955.397:42404): avc:  denied  { getattr } for
> pid=11648 comm="named" path="/var/tmp/DNS_25" dev=dm-2 ino=132140
> scontext=unconfined_u:system_r:named_t:s0
> tcontext=system_u:object_r:tmp_t:s0 tclass=file
> type=AVC msg=audit(1348086955.398:42405): avc:  denied  { read write }
> for  pid=11648 comm="named" name="DNS_25" dev=dm-2 ino=132140
> scontext=unconfined_u:system_r:named_t:s0
> tcontext=system_u:object_r:tmp_t:s0 tclass=file
> type=AVC msg=audit(1348086955.398:42405): avc:  denied  { open } for
> pid=11648 comm="named" name="DNS_25" dev=dm-2 ino=132140
> scontext=unconfined_u:system_r:named_t:s0
> tcontext=system_u:object_r:tmp_t:s0 tclass=file
> type=AVC msg=audit(1348088487.524:42438): avc:  denied  { getattr } for
> pid=12639 comm="named" path="/var/tmp/DNS_25" dev=dm-2 ino=132140
> scontext=unconfined_u:system_r:named_t:s0
> tcontext=system_u:object_r:tmp_t:s0 tclass=file
> type=AVC msg=audit(1348088487.524:42439): avc:  denied  { unlink } for
> pid=12639 comm="named" name="DNS_25" dev=dm-2 ino=132140
> scontext=unconfined_u:system_r:named_t:s0
> tcontext=system_u:object_r:tmp_t:s0 tclass=file
> type=AVC msg=audit(1348088487.525:42440): avc:  denied  { getattr } for
> pid=12639 comm="named" path="/var/tmp/DNS_25" dev=dm-2 ino=132140
> scontext=unconfined_u:system_r:named_t:s0
> tcontext=system_u:object_r:tmp_t:s0 tclass=file
> type=AVC msg=audit(1348088487.525:42441): avc:  denied  { unlink } for
> pid=12639 comm="named" name="DNS_25" dev=dm-2 ino=132140
> scontext=unconfined_u:system_r:named_t:s0
> tcontext=system_u:object_r:tmp_t:s0 tclass=file
> type=AVC msg=audit(1348088487.525:42442): avc:  denied  { getattr } for
> pid=12639 comm="named" path="/var/tmp/DNS_25" dev=dm-2 ino=132140
> scontext=unconfined_u:system_r:named_t:s0
> tcontext=system_u:object_r:tmp_t:s0 tclass=file
> type=AVC msg=audit(1348088487.525:42443): avc:  denied  { unlink } for
> pid=12639 comm="named" name="DNS_25" dev=dm-2 ino=132140
> scontext=unconfined_u:system_r:named_t:s0
> tcontext=system_u:object_r:tmp_t:s0 tclass=file
> type=AVC msg=audit(1348088487.525:42444): avc:  denied  { getattr } for
> pid=12639 comm="named" path="/var/tmp/DNS_25" dev=dm-2 ino=132140
> scontext=unconfined_u:system_r:named_t:s0
> tcontext=system_u:object_r:tmp_t:s0 tclass=file
> type=AVC msg=audit(1348088487.526:42445): avc:  denied  { unlink } for
> pid=12639 comm="named" name="DNS_25" dev=dm-2 ino=132140
> scontext=unconfined_u:system_r:named_t:s0
> tcontext=system_u:object_r:tmp_t:s0 tclass=file
> type=AVC msg=audit(1348088487.526:42446): avc:  denied  { getattr } for
> pid=12639 comm="named" path="/var/tmp/DNS_25" dev=dm-2 ino=132140
> scontext=unconfined_u:system_r:named_t:s0
> tcontext=system_u:object_r:tmp_t:s0 tclass=file
> type=AVC msg=audit(1348088487.526:42447): avc:  denied  { unlink } for
> pid=12639 comm="named" name="DNS_25" dev=dm-2 ino=132140
> scontext=unconfined_u:system_r:named_t:s0
> tcontext=system_u:object_r:tmp_t:s0 tclass=file
> type=AVC msg=audit(1348088493.161:42449): avc:  denied  { getattr } for
> pid=12667 comm="named" path="/var/tmp/DNS_25" dev=dm-2 ino=132140
> scontext=unconfined_u:system_r:named_t:s0
> tcontext=system_u:object_r:tmp_t:s0 tclass=file
> type=AVC msg=audit(1348088493.162:42450): avc:  denied  { read write }
> for  pid=12667 comm="named" name="DNS_25" dev=dm-2 ino=132140
> scontext=unconfined_u:system_r:named_t:s0
> tcontext=system_u:object_r:tmp_t:s0 tclass=file
> type=AVC msg=audit(1348088493.162:42450): avc:  denied  { open } for
> pid=12667 comm="named" name="DNS_25" dev=dm-2 ino=132140
> scontext=unconfined_u:system_r:named_t:s0
> tcontext=system_u:object_r:tmp_t:s0 tclass=file
>
>
>
> I tried "restorecon /var/tmp/DNS_25", but the attributes looks the same
> before and after:
>
> -rw-------. named  named  system_u:object_r:tmp_t:s0       DNS_25

Ok, I'm not sure. Perhaps selinux-policy has an update available too?

You may want to consider temporarily setting selinux to permissive while 
we sort this out if your system is otherwise unusable.

rob

More information about the Freeipa-users mailing list