[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [Freeipa-users] krb5-server-1.9-33.el6_3.3.x86_64 prevents named from starting when selinux is enforcing



On 09/20/2012 10:17 PM, Rob Crittenden wrote:
Sigbjorn Lie wrote:
On 09/20/2012 12:08 AM, Rob Crittenden wrote:
Sigbjorn Lie wrote:
On 09/19/2012 11:05 PM, Rob Crittenden wrote:
Sigbjorn Lie wrote:
On 09/19/2012 10:48 PM, Rob Crittenden wrote:
Sigbjorn Lie wrote:
Hi,

I noticed an updated krb5-server package today advertising that it's
fixing the issue with slow GSSAPI binds discussed earlier, so I
installed it in my test environment, set SElinux back to
enforcing in
/etc/sysconfig/selinux and rebooted.

The named daemon does not start now. The error below was logged in
/var/log/messages:

Sep 19 21:54:46 ipa01 named[3712]: GSSAPI Error: Unspecified GSS
failure.  Minor code may provide more information (KDC returned
error
string: PROCESS_TGS)

I am able to start named after setting SElinux in permissive mode
(setenforce 0).

Then to verify: I stop all IPA services (ipactl stop), reenabled
selinux
(setenforce 1), and start the IPA services (ipactl start). A new
error
is logged in /var/log/messages:

Sep 19 22:00:49 ipa01 named[5918]: bind to LDAP server failed:
Invalid
credentials
Sep 19 22:00:49 ipa01 named[5918]: loading configuration: permission
denied
Sep 19 22:00:49 ipa01 named[5918]: exiting (due to fatal error)


 From the /var/log/krb5kdc.log:
Sep 19 21:54:46 ipa01.ix.test.com krb5kdc[3681](info): TGS_REQ (4
etypes
{18 17 16 23}) 192.168.210.20: PROCESS_TGS: authtime 0, <unknown
client>
for <unknown server>, Cannot create replay cache file
/var/tmp/krbtgt_0:
File exists
Sep 19 21:54:46 ipa01.ix.test.com krb5kdc[3681](info): TGS_REQ (4
etypes
{18 17 16 23}) 192.168.210.20: PROCESS_TGS: authtime 0, <unknown
client>
for <unknown server>, Cannot create replay cache file
/var/tmp/krbtgt_0:
File exists
Sep 19 21:54:46 ipa01.ix.test.com krb5kdc[3681](info): AS_REQ (4
etypes
{18 17 16 23}) 192.168.210.20: NEEDED_PREAUTH:
DNS/ipa01 ix test com IX TEST COM for
krbtgt/IX TEST COM IX TEST COM,
Additional pre-authentication required
Sep 19 21:54:46 ipa01.ix.test.com krb5kdc[3681](info): AS_REQ (4
etypes
{18 17 16 23}) 192.168.210.20: ISSUE: authtime 1348084486, etypes
{rep=18 tkt=18 ses=18}, DNS/ipa01 ix test com IX TEST COM for
krbtgt/IX TEST COM IX TEST COM

/var/named/data/named.run logged nothing.



Any suggestions for how to troubleshoot this issue?

Pure guess, but:

restorecon /var/tmp/krbtgt_0

rob
Sorry, that did not help. There seem to be a new error in the messages
file every time I attempt a named restart though. See below for the
latest:

Sep 19 23:01:27 ipa01 named[12638]: default realm from krb5.conf
(IX.TEST.COM) does not match tkey-gssapi-credential
(DNS/ipa01.ix.test.com)
Sep 19 23:01:27 ipa01 named[12638]: configuring TKEY: failure
Sep 19 23:01:27 ipa01 named[12638]: loading configuration: failure
Sep 19 23:01:27 ipa01 named[12638]: exiting (due to fatal error)

I'd continue to check /var/log/audit/audit.log for AVCs.

rob


OK, I had a quick look before I'm off for today. :)

There's a lot of these messages, denying named access to
/var/tmp/DNS_25.



type=AVC msg=audit(1348086955.397:42404): avc: denied { getattr } for
pid=11648 comm="named" path="/var/tmp/DNS_25" dev=dm-2 ino=132140
scontext=unconfined_u:system_r:named_t:s0
tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1348086955.398:42405): avc:  denied  { read write }
for  pid=11648 comm="named" name="DNS_25" dev=dm-2 ino=132140
scontext=unconfined_u:system_r:named_t:s0
tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1348086955.398:42405): avc:  denied  { open } for
pid=11648 comm="named" name="DNS_25" dev=dm-2 ino=132140
scontext=unconfined_u:system_r:named_t:s0
tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1348088487.524:42438): avc: denied { getattr } for
pid=12639 comm="named" path="/var/tmp/DNS_25" dev=dm-2 ino=132140
scontext=unconfined_u:system_r:named_t:s0
tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1348088487.524:42439): avc:  denied  { unlink } for
pid=12639 comm="named" name="DNS_25" dev=dm-2 ino=132140
scontext=unconfined_u:system_r:named_t:s0
tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1348088487.525:42440): avc: denied { getattr } for
pid=12639 comm="named" path="/var/tmp/DNS_25" dev=dm-2 ino=132140
scontext=unconfined_u:system_r:named_t:s0
tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1348088487.525:42441): avc:  denied  { unlink } for
pid=12639 comm="named" name="DNS_25" dev=dm-2 ino=132140
scontext=unconfined_u:system_r:named_t:s0
tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1348088487.525:42442): avc: denied { getattr } for
pid=12639 comm="named" path="/var/tmp/DNS_25" dev=dm-2 ino=132140
scontext=unconfined_u:system_r:named_t:s0
tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1348088487.525:42443): avc:  denied  { unlink } for
pid=12639 comm="named" name="DNS_25" dev=dm-2 ino=132140
scontext=unconfined_u:system_r:named_t:s0
tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1348088487.525:42444): avc: denied { getattr } for
pid=12639 comm="named" path="/var/tmp/DNS_25" dev=dm-2 ino=132140
scontext=unconfined_u:system_r:named_t:s0
tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1348088487.526:42445): avc:  denied  { unlink } for
pid=12639 comm="named" name="DNS_25" dev=dm-2 ino=132140
scontext=unconfined_u:system_r:named_t:s0
tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1348088487.526:42446): avc: denied { getattr } for
pid=12639 comm="named" path="/var/tmp/DNS_25" dev=dm-2 ino=132140
scontext=unconfined_u:system_r:named_t:s0
tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1348088487.526:42447): avc:  denied  { unlink } for
pid=12639 comm="named" name="DNS_25" dev=dm-2 ino=132140
scontext=unconfined_u:system_r:named_t:s0
tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1348088493.161:42449): avc: denied { getattr } for
pid=12667 comm="named" path="/var/tmp/DNS_25" dev=dm-2 ino=132140
scontext=unconfined_u:system_r:named_t:s0
tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1348088493.162:42450): avc:  denied  { read write }
for  pid=12667 comm="named" name="DNS_25" dev=dm-2 ino=132140
scontext=unconfined_u:system_r:named_t:s0
tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1348088493.162:42450): avc:  denied  { open } for
pid=12667 comm="named" name="DNS_25" dev=dm-2 ino=132140
scontext=unconfined_u:system_r:named_t:s0
tcontext=system_u:object_r:tmp_t:s0 tclass=file



I tried "restorecon /var/tmp/DNS_25", but the attributes looks the same
before and after:

-rw-------. named  named  system_u:object_r:tmp_t:s0 DNS_25

Ok, I'm not sure. Perhaps selinux-policy has an update available too?

You may want to consider temporarily setting selinux to permissive
while we sort this out if your system is otherwise unusable.

rob

There is no more updates available for the system at all.

I've set selinux to permissive for now.

Please let me know when you know what else to troubleshoot. I have also
updated my RH support case with this thread.

bind isn't my strongest suite.

My guess is that this file is the ccache for bind. I'm guessing that 25 is the UID of the named user. If this is the case, then it should be safe to stop named, rename the file, and restart. Perhaps the contexts have changed so when this gets re-created it will get fixed automagically.

rob

You guessed well!! :)

Stop named:
# service named stop

Enable selinux:
# setenforce 1

Verify that error still exists:
# service named start
Starting named:                                            [FAILED]

Rename file:
# cd /var/tmp
# mv DNS_25 DNS_25_old

Attempt to start named again:
# service named start
Starting named:                                            [  OK  ]

Voila!

A before and after shot:
# ls -lZ DNS_25*
-rw-------. named named unconfined_u:object_r:named_tmp_t:s0 DNS_25
-rw-------. named named system_u:object_r:tmp_t:s0       DNS_25_old

What's the odds that this was the entire issue and that named will now keep running safe and sound?


Regards,
Siggi



[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]