[Freeipa-users] krb5-server-1.9-33.el6_3.3.x86_64 prevents named from starting when selinux is enforcing

Sigbjorn Lie sigbjorn at nixtra.com
Thu Sep 20 19:59:34 UTC 2012 

On 09/20/2012 12:08 AM, Rob Crittenden wrote:
> Sigbjorn Lie wrote:
>> On 09/19/2012 11:05 PM, Rob Crittenden wrote:
>>> Sigbjorn Lie wrote:
>>>> On 09/19/2012 10:48 PM, Rob Crittenden wrote:
>>>>> Sigbjorn Lie wrote:
>>>>>> Hi,
>>>>>>
>>>>>> I noticed an updated krb5-server package today advertising that it's
>>>>>> fixing the issue with slow GSSAPI binds discussed earlier, so I
>>>>>> installed it in my test environment, set SElinux back to 
>>>>>> enforcing in
>>>>>> /etc/sysconfig/selinux and rebooted.
>>>>>>
>>>>>> The named daemon does not start now. The error below was logged in
>>>>>> /var/log/messages:
>>>>>>
>>>>>> Sep 19 21:54:46 ipa01 named[3712]: GSSAPI Error: Unspecified GSS
>>>>>> failure.  Minor code may provide more information (KDC returned 
>>>>>> error
>>>>>> string: PROCESS_TGS)
>>>>>>
>>>>>> I am able to start named after setting SElinux in permissive mode
>>>>>> (setenforce 0).
>>>>>>
>>>>>> Then to verify: I stop all IPA services (ipactl stop), reenabled
>>>>>> selinux
>>>>>> (setenforce 1), and start the IPA services (ipactl start). A new 
>>>>>> error
>>>>>> is logged in /var/log/messages:
>>>>>>
>>>>>> Sep 19 22:00:49 ipa01 named[5918]: bind to LDAP server failed: 
>>>>>> Invalid
>>>>>> credentials
>>>>>> Sep 19 22:00:49 ipa01 named[5918]: loading configuration: permission
>>>>>> denied
>>>>>> Sep 19 22:00:49 ipa01 named[5918]: exiting (due to fatal error)
>>>>>>
>>>>>>
>>>>>>  From the /var/log/krb5kdc.log:
>>>>>> Sep 19 21:54:46 ipa01.ix.test.com krb5kdc[3681](info): TGS_REQ (4
>>>>>> etypes
>>>>>> {18 17 16 23}) 192.168.210.20: PROCESS_TGS: authtime 0, <unknown
>>>>>> client>
>>>>>> for <unknown server>, Cannot create replay cache file
>>>>>> /var/tmp/krbtgt_0:
>>>>>> File exists
>>>>>> Sep 19 21:54:46 ipa01.ix.test.com krb5kdc[3681](info): TGS_REQ (4
>>>>>> etypes
>>>>>> {18 17 16 23}) 192.168.210.20: PROCESS_TGS: authtime 0, <unknown
>>>>>> client>
>>>>>> for <unknown server>, Cannot create replay cache file
>>>>>> /var/tmp/krbtgt_0:
>>>>>> File exists
>>>>>> Sep 19 21:54:46 ipa01.ix.test.com krb5kdc[3681](info): AS_REQ (4
>>>>>> etypes
>>>>>> {18 17 16 23}) 192.168.210.20: NEEDED_PREAUTH:
>>>>>> DNS/ipa01.ix.test.com at IX.TEST.COM for 
>>>>>> krbtgt/IX.TEST.COM at IX.TEST.COM,
>>>>>> Additional pre-authentication required
>>>>>> Sep 19 21:54:46 ipa01.ix.test.com krb5kdc[3681](info): AS_REQ (4
>>>>>> etypes
>>>>>> {18 17 16 23}) 192.168.210.20: ISSUE: authtime 1348084486, etypes
>>>>>> {rep=18 tkt=18 ses=18}, DNS/ipa01.ix.test.com at IX.TEST.COM for
>>>>>> krbtgt/IX.TEST.COM at IX.TEST.COM
>>>>>>
>>>>>> /var/named/data/named.run logged nothing.
>>>>>>
>>>>>>
>>>>>>
>>>>>> Any suggestions for how to troubleshoot this issue?
>>>>>
>>>>> Pure guess, but:
>>>>>
>>>>> restorecon /var/tmp/krbtgt_0
>>>>>
>>>>> rob
>>>> Sorry, that did not help. There seem to be a new error in the messages
>>>> file every time I attempt a named restart though. See below for the
>>>> latest:
>>>>
>>>> Sep 19 23:01:27 ipa01 named[12638]: default realm from krb5.conf
>>>> (IX.TEST.COM) does not match tkey-gssapi-credential
>>>> (DNS/ipa01.ix.test.com)
>>>> Sep 19 23:01:27 ipa01 named[12638]: configuring TKEY: failure
>>>> Sep 19 23:01:27 ipa01 named[12638]: loading configuration: failure
>>>> Sep 19 23:01:27 ipa01 named[12638]: exiting (due to fatal error)
>>>
>>> I'd continue to check /var/log/audit/audit.log for AVCs.
>>>
>>> rob
>>>
>>
>> OK, I had a quick look before I'm off for today. :)
>>
>> There's a lot of these messages, denying named access to 
>> /var/tmp/DNS_25.
>>
>>
>>
>> type=AVC msg=audit(1348086955.397:42404): avc:  denied  { getattr } for
>> pid=11648 comm="named" path="/var/tmp/DNS_25" dev=dm-2 ino=132140
>> scontext=unconfined_u:system_r:named_t:s0
>> tcontext=system_u:object_r:tmp_t:s0 tclass=file
>> type=AVC msg=audit(1348086955.398:42405): avc:  denied  { read write }
>> for  pid=11648 comm="named" name="DNS_25" dev=dm-2 ino=132140
>> scontext=unconfined_u:system_r:named_t:s0
>> tcontext=system_u:object_r:tmp_t:s0 tclass=file
>> type=AVC msg=audit(1348086955.398:42405): avc:  denied  { open } for
>> pid=11648 comm="named" name="DNS_25" dev=dm-2 ino=132140
>> scontext=unconfined_u:system_r:named_t:s0
>> tcontext=system_u:object_r:tmp_t:s0 tclass=file
>> type=AVC msg=audit(1348088487.524:42438): avc:  denied  { getattr } for
>> pid=12639 comm="named" path="/var/tmp/DNS_25" dev=dm-2 ino=132140
>> scontext=unconfined_u:system_r:named_t:s0
>> tcontext=system_u:object_r:tmp_t:s0 tclass=file
>> type=AVC msg=audit(1348088487.524:42439): avc:  denied  { unlink } for
>> pid=12639 comm="named" name="DNS_25" dev=dm-2 ino=132140
>> scontext=unconfined_u:system_r:named_t:s0
>> tcontext=system_u:object_r:tmp_t:s0 tclass=file
>> type=AVC msg=audit(1348088487.525:42440): avc:  denied  { getattr } for
>> pid=12639 comm="named" path="/var/tmp/DNS_25" dev=dm-2 ino=132140
>> scontext=unconfined_u:system_r:named_t:s0
>> tcontext=system_u:object_r:tmp_t:s0 tclass=file
>> type=AVC msg=audit(1348088487.525:42441): avc:  denied  { unlink } for
>> pid=12639 comm="named" name="DNS_25" dev=dm-2 ino=132140
>> scontext=unconfined_u:system_r:named_t:s0
>> tcontext=system_u:object_r:tmp_t:s0 tclass=file
>> type=AVC msg=audit(1348088487.525:42442): avc:  denied  { getattr } for
>> pid=12639 comm="named" path="/var/tmp/DNS_25" dev=dm-2 ino=132140
>> scontext=unconfined_u:system_r:named_t:s0
>> tcontext=system_u:object_r:tmp_t:s0 tclass=file
>> type=AVC msg=audit(1348088487.525:42443): avc:  denied  { unlink } for
>> pid=12639 comm="named" name="DNS_25" dev=dm-2 ino=132140
>> scontext=unconfined_u:system_r:named_t:s0
>> tcontext=system_u:object_r:tmp_t:s0 tclass=file
>> type=AVC msg=audit(1348088487.525:42444): avc:  denied  { getattr } for
>> pid=12639 comm="named" path="/var/tmp/DNS_25" dev=dm-2 ino=132140
>> scontext=unconfined_u:system_r:named_t:s0
>> tcontext=system_u:object_r:tmp_t:s0 tclass=file
>> type=AVC msg=audit(1348088487.526:42445): avc:  denied  { unlink } for
>> pid=12639 comm="named" name="DNS_25" dev=dm-2 ino=132140
>> scontext=unconfined_u:system_r:named_t:s0
>> tcontext=system_u:object_r:tmp_t:s0 tclass=file
>> type=AVC msg=audit(1348088487.526:42446): avc:  denied  { getattr } for
>> pid=12639 comm="named" path="/var/tmp/DNS_25" dev=dm-2 ino=132140
>> scontext=unconfined_u:system_r:named_t:s0
>> tcontext=system_u:object_r:tmp_t:s0 tclass=file
>> type=AVC msg=audit(1348088487.526:42447): avc:  denied  { unlink } for
>> pid=12639 comm="named" name="DNS_25" dev=dm-2 ino=132140
>> scontext=unconfined_u:system_r:named_t:s0
>> tcontext=system_u:object_r:tmp_t:s0 tclass=file
>> type=AVC msg=audit(1348088493.161:42449): avc:  denied  { getattr } for
>> pid=12667 comm="named" path="/var/tmp/DNS_25" dev=dm-2 ino=132140
>> scontext=unconfined_u:system_r:named_t:s0
>> tcontext=system_u:object_r:tmp_t:s0 tclass=file
>> type=AVC msg=audit(1348088493.162:42450): avc:  denied  { read write }
>> for  pid=12667 comm="named" name="DNS_25" dev=dm-2 ino=132140
>> scontext=unconfined_u:system_r:named_t:s0
>> tcontext=system_u:object_r:tmp_t:s0 tclass=file
>> type=AVC msg=audit(1348088493.162:42450): avc:  denied  { open } for
>> pid=12667 comm="named" name="DNS_25" dev=dm-2 ino=132140
>> scontext=unconfined_u:system_r:named_t:s0
>> tcontext=system_u:object_r:tmp_t:s0 tclass=file
>>
>>
>>
>> I tried "restorecon /var/tmp/DNS_25", but the attributes looks the same
>> before and after:
>>
>> -rw-------. named  named  system_u:object_r:tmp_t:s0 DNS_25
>
> Ok, I'm not sure. Perhaps selinux-policy has an update available too?
>
> You may want to consider temporarily setting selinux to permissive 
> while we sort this out if your system is otherwise unusable.
>
> rob
>
There is no more updates available for the system at all.

I've set selinux to permissive for now.

Please let me know when you know what else to troubleshoot. I have also 
updated my RH support case with this thread.

Thanks.


Regards,
Siggi

More information about the Freeipa-users mailing list