On Mon, 2017-04-03 at 21:36 +0200, Rob Verduijn wrote:
I recreated the reproducer environment and tried it with only the keytab
so I added the following steps:
cp /var/lib/gssproxy/clients/httpd.keytab /var/kerberos/krb5/user/48/
chcon -t krb5_keytab_t /var/kerberos/krb5/user/48/client.keytab
chown apache:apache /var/kerberos/krb5/user/48/client.keytab
systemctl restart gssproxy.service
and the nfs mount is readable by the apache user
su - apache -s /bin/bash
[root@fedoraclient ~]# getenforce
so I guess we are incorrectly blaming selinux for this,
but it should be :
We definitely reproduced the SeLinux issue.
Both issues are at play here.
Sr. Principal Software Engineer
Red Hat, Inc