[Freeipa-users] krb5-server-1.9-33.el6_3.3.x86_64 prevents named from starting when selinux is enforcing
Sigbjorn Lie
sigbjorn at nixtra.com
Thu Sep 20 19:59:34 UTC 2012
On 09/20/2012 12:08 AM, Rob Crittenden wrote:
> Sigbjorn Lie wrote:
>> On 09/19/2012 11:05 PM, Rob Crittenden wrote:
>>> Sigbjorn Lie wrote:
>>>> On 09/19/2012 10:48 PM, Rob Crittenden wrote:
>>>>> Sigbjorn Lie wrote:
>>>>>> Hi,
>>>>>>
>>>>>> I noticed an updated krb5-server package today advertising that it's
>>>>>> fixing the issue with slow GSSAPI binds discussed earlier, so I
>>>>>> installed it in my test environment, set SElinux back to
>>>>>> enforcing in
>>>>>> /etc/sysconfig/selinux and rebooted.
>>>>>>
>>>>>> The named daemon does not start now. The error below was logged in
>>>>>> /var/log/messages:
>>>>>>
>>>>>> Sep 19 21:54:46 ipa01 named[3712]: GSSAPI Error: Unspecified GSS
>>>>>> failure. Minor code may provide more information (KDC returned
>>>>>> error
>>>>>> string: PROCESS_TGS)
>>>>>>
>>>>>> I am able to start named after setting SElinux in permissive mode
>>>>>> (setenforce 0).
>>>>>>
>>>>>> Then to verify: I stop all IPA services (ipactl stop), reenabled
>>>>>> selinux
>>>>>> (setenforce 1), and start the IPA services (ipactl start). A new
>>>>>> error
>>>>>> is logged in /var/log/messages:
>>>>>>
>>>>>> Sep 19 22:00:49 ipa01 named[5918]: bind to LDAP server failed:
>>>>>> Invalid
>>>>>> credentials
>>>>>> Sep 19 22:00:49 ipa01 named[5918]: loading configuration: permission
>>>>>> denied
>>>>>> Sep 19 22:00:49 ipa01 named[5918]: exiting (due to fatal error)
>>>>>>
>>>>>>
>>>>>> From the /var/log/krb5kdc.log:
>>>>>> Sep 19 21:54:46 ipa01.ix.test.com krb5kdc[3681](info): TGS_REQ (4
>>>>>> etypes
>>>>>> {18 17 16 23}) 192.168.210.20: PROCESS_TGS: authtime 0, <unknown
>>>>>> client>
>>>>>> for <unknown server>, Cannot create replay cache file
>>>>>> /var/tmp/krbtgt_0:
>>>>>> File exists
>>>>>> Sep 19 21:54:46 ipa01.ix.test.com krb5kdc[3681](info): TGS_REQ (4
>>>>>> etypes
>>>>>> {18 17 16 23}) 192.168.210.20: PROCESS_TGS: authtime 0, <unknown
>>>>>> client>
>>>>>> for <unknown server>, Cannot create replay cache file
>>>>>> /var/tmp/krbtgt_0:
>>>>>> File exists
>>>>>> Sep 19 21:54:46 ipa01.ix.test.com krb5kdc[3681](info): AS_REQ (4
>>>>>> etypes
>>>>>> {18 17 16 23}) 192.168.210.20: NEEDED_PREAUTH:
>>>>>> DNS/ipa01.ix.test.com at IX.TEST.COM for
>>>>>> krbtgt/IX.TEST.COM at IX.TEST.COM,
>>>>>> Additional pre-authentication required
>>>>>> Sep 19 21:54:46 ipa01.ix.test.com krb5kdc[3681](info): AS_REQ (4
>>>>>> etypes
>>>>>> {18 17 16 23}) 192.168.210.20: ISSUE: authtime 1348084486, etypes
>>>>>> {rep=18 tkt=18 ses=18}, DNS/ipa01.ix.test.com at IX.TEST.COM for
>>>>>> krbtgt/IX.TEST.COM at IX.TEST.COM
>>>>>>
>>>>>> /var/named/data/named.run logged nothing.
>>>>>>
>>>>>>
>>>>>>
>>>>>> Any suggestions for how to troubleshoot this issue?
>>>>>
>>>>> Pure guess, but:
>>>>>
>>>>> restorecon /var/tmp/krbtgt_0
>>>>>
>>>>> rob
>>>> Sorry, that did not help. There seem to be a new error in the messages
>>>> file every time I attempt a named restart though. See below for the
>>>> latest:
>>>>
>>>> Sep 19 23:01:27 ipa01 named[12638]: default realm from krb5.conf
>>>> (IX.TEST.COM) does not match tkey-gssapi-credential
>>>> (DNS/ipa01.ix.test.com)
>>>> Sep 19 23:01:27 ipa01 named[12638]: configuring TKEY: failure
>>>> Sep 19 23:01:27 ipa01 named[12638]: loading configuration: failure
>>>> Sep 19 23:01:27 ipa01 named[12638]: exiting (due to fatal error)
>>>
>>> I'd continue to check /var/log/audit/audit.log for AVCs.
>>>
>>> rob
>>>
>>
>> OK, I had a quick look before I'm off for today. :)
>>
>> There's a lot of these messages, denying named access to
>> /var/tmp/DNS_25.
>>
>>
>>
>> type=AVC msg=audit(1348086955.397:42404): avc: denied { getattr } for
>> pid=11648 comm="named" path="/var/tmp/DNS_25" dev=dm-2 ino=132140
>> scontext=unconfined_u:system_r:named_t:s0
>> tcontext=system_u:object_r:tmp_t:s0 tclass=file
>> type=AVC msg=audit(1348086955.398:42405): avc: denied { read write }
>> for pid=11648 comm="named" name="DNS_25" dev=dm-2 ino=132140
>> scontext=unconfined_u:system_r:named_t:s0
>> tcontext=system_u:object_r:tmp_t:s0 tclass=file
>> type=AVC msg=audit(1348086955.398:42405): avc: denied { open } for
>> pid=11648 comm="named" name="DNS_25" dev=dm-2 ino=132140
>> scontext=unconfined_u:system_r:named_t:s0
>> tcontext=system_u:object_r:tmp_t:s0 tclass=file
>> type=AVC msg=audit(1348088487.524:42438): avc: denied { getattr } for
>> pid=12639 comm="named" path="/var/tmp/DNS_25" dev=dm-2 ino=132140
>> scontext=unconfined_u:system_r:named_t:s0
>> tcontext=system_u:object_r:tmp_t:s0 tclass=file
>> type=AVC msg=audit(1348088487.524:42439): avc: denied { unlink } for
>> pid=12639 comm="named" name="DNS_25" dev=dm-2 ino=132140
>> scontext=unconfined_u:system_r:named_t:s0
>> tcontext=system_u:object_r:tmp_t:s0 tclass=file
>> type=AVC msg=audit(1348088487.525:42440): avc: denied { getattr } for
>> pid=12639 comm="named" path="/var/tmp/DNS_25" dev=dm-2 ino=132140
>> scontext=unconfined_u:system_r:named_t:s0
>> tcontext=system_u:object_r:tmp_t:s0 tclass=file
>> type=AVC msg=audit(1348088487.525:42441): avc: denied { unlink } for
>> pid=12639 comm="named" name="DNS_25" dev=dm-2 ino=132140
>> scontext=unconfined_u:system_r:named_t:s0
>> tcontext=system_u:object_r:tmp_t:s0 tclass=file
>> type=AVC msg=audit(1348088487.525:42442): avc: denied { getattr } for
>> pid=12639 comm="named" path="/var/tmp/DNS_25" dev=dm-2 ino=132140
>> scontext=unconfined_u:system_r:named_t:s0
>> tcontext=system_u:object_r:tmp_t:s0 tclass=file
>> type=AVC msg=audit(1348088487.525:42443): avc: denied { unlink } for
>> pid=12639 comm="named" name="DNS_25" dev=dm-2 ino=132140
>> scontext=unconfined_u:system_r:named_t:s0
>> tcontext=system_u:object_r:tmp_t:s0 tclass=file
>> type=AVC msg=audit(1348088487.525:42444): avc: denied { getattr } for
>> pid=12639 comm="named" path="/var/tmp/DNS_25" dev=dm-2 ino=132140
>> scontext=unconfined_u:system_r:named_t:s0
>> tcontext=system_u:object_r:tmp_t:s0 tclass=file
>> type=AVC msg=audit(1348088487.526:42445): avc: denied { unlink } for
>> pid=12639 comm="named" name="DNS_25" dev=dm-2 ino=132140
>> scontext=unconfined_u:system_r:named_t:s0
>> tcontext=system_u:object_r:tmp_t:s0 tclass=file
>> type=AVC msg=audit(1348088487.526:42446): avc: denied { getattr } for
>> pid=12639 comm="named" path="/var/tmp/DNS_25" dev=dm-2 ino=132140
>> scontext=unconfined_u:system_r:named_t:s0
>> tcontext=system_u:object_r:tmp_t:s0 tclass=file
>> type=AVC msg=audit(1348088487.526:42447): avc: denied { unlink } for
>> pid=12639 comm="named" name="DNS_25" dev=dm-2 ino=132140
>> scontext=unconfined_u:system_r:named_t:s0
>> tcontext=system_u:object_r:tmp_t:s0 tclass=file
>> type=AVC msg=audit(1348088493.161:42449): avc: denied { getattr } for
>> pid=12667 comm="named" path="/var/tmp/DNS_25" dev=dm-2 ino=132140
>> scontext=unconfined_u:system_r:named_t:s0
>> tcontext=system_u:object_r:tmp_t:s0 tclass=file
>> type=AVC msg=audit(1348088493.162:42450): avc: denied { read write }
>> for pid=12667 comm="named" name="DNS_25" dev=dm-2 ino=132140
>> scontext=unconfined_u:system_r:named_t:s0
>> tcontext=system_u:object_r:tmp_t:s0 tclass=file
>> type=AVC msg=audit(1348088493.162:42450): avc: denied { open } for
>> pid=12667 comm="named" name="DNS_25" dev=dm-2 ino=132140
>> scontext=unconfined_u:system_r:named_t:s0
>> tcontext=system_u:object_r:tmp_t:s0 tclass=file
>>
>>
>>
>> I tried "restorecon /var/tmp/DNS_25", but the attributes looks the same
>> before and after:
>>
>> -rw-------. named named system_u:object_r:tmp_t:s0 DNS_25
>
> Ok, I'm not sure. Perhaps selinux-policy has an update available too?
>
> You may want to consider temporarily setting selinux to permissive
> while we sort this out if your system is otherwise unusable.
>
> rob
>
There is no more updates available for the system at all.
I've set selinux to permissive for now.
Please let me know when you know what else to troubleshoot. I have also
updated my RH support case with this thread.
Thanks.
Regards,
Siggi
More information about the Freeipa-users
mailing list