Author: Jacob Shivers <jshivers(a)redhat.com>
Date: 2022-03-08 (Tue, 08 Mar 2022)
KRB5_TRACE documentation for gssproxy
Added KRB5_TRACE.md to provide a brief overview on how to enable low
level Kerberos tracing below gssapi via KRB5_TRACE.
Updated gssproxy.conf man page to cite newly added doc when mentioning
Signed-off-by: Jacob Shivers <jacob.shivers(a)redhat.com>
I recently was working on an issue that required looking at Kerberos
functions below the gssapi layer. By setting KRB5_TRACE output I was
able to narrow down the issue.
To do this I created a drop file for the gssproxy systemd service
instead of starting the process at the command line. The drop file
designated KRB5_TRACE output to a file under /var/log. This testing
was on a system that uses SELinux so it was necessary to either create
a custom SELinux policy module or set SELinux to permissive.
The policy is relatively non-invasive:
(allow gssproxy_t var_log_t (dir ( write add_name )))
(allow gssproxy_t var_log_t (file ( create open )))
I am curious as to what others think about proper documentation.
Namely adding a small blurb to a man page or adding/extending a file
in gssproxy/docs. As there does not have to be a standard location to
direct the KRB5_TRACE output, I don't see it necessary to modify
selinux-policy with fixed entries.
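
The setup described in the message above, as an added example that is not part of the original message or the gssproxy project: a script that stages the systemd drop-in and the CIL module into a scratch directory for review before installation. The trace file name, drop-in file name and module file name are assumptions; the two allow rules are the ones quoted in the message.

```shell
#!/bin/sh
# Added example: stage the gssproxy KRB5_TRACE drop-in and SELinux CIL module
# into a scratch directory so both can be reviewed before installing.
# Assumed names (not from the message): trace file name, drop-in file name,
# module file name.

TRACE_FILE="${TRACE_FILE:-/var/log/gssproxy-krb5-trace.log}"  # assumed path

# The quoted rules only grant access to var_log_t, so refuse other locations.
check_trace_path() {
    case "$1" in
        *..*) return 1 ;;
        /var/log/?*) return 0 ;;
        *) return 1 ;;
    esac
}

# Write the drop-in that sets KRB5_TRACE for gssproxy.service.
write_dropin() {
    dir="$1/etc/systemd/system/gssproxy.service.d"
    mkdir -p "$dir" || return 1
    printf '[Service]\nEnvironment=KRB5_TRACE=%s\n' "$TRACE_FILE" \
        > "$dir/krb5-trace.conf"
    printf '%s\n' "$dir/krb5-trace.conf"
}

# Write the CIL module containing the two allow rules from the message.
write_cil() {
    mkdir -p "$1" || return 1
    cat > "$1/gssproxy_krb5_trace.cil" <<'EOF'
(allow gssproxy_t var_log_t (dir ( write add_name )))
(allow gssproxy_t var_log_t (file ( create open )))
EOF
    printf '%s\n' "$1/gssproxy_krb5_trace.cil"
}

# Stage both files under the directory given as $1.
stage() {
    check_trace_path "$TRACE_FILE" || {
        echo "trace path must be under /var/log" >&2
        return 1
    }
    write_dropin "$1" && write_cil "$1"
}

# After review, as root:
#   copy krb5-trace.conf to /etc/systemd/system/gssproxy.service.d/
#   semodule -i gssproxy_krb5_trace.cil
#   systemctl daemon-reload && systemctl restart gssproxy
# When finished, remove the drop-in and run: semodule -r gssproxy_krb5_trace
```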