Ah well,, At least you got a reproducer for that one as well now :-P
Rob
2017-04-03 22:35 GMT+02:00 Simo Sorce simo@redhat.com:
On Mon, 2017-04-03 at 21:36 +0200, Rob Verduijn wrote:
Hello,
I recreated the reproducer environment and tried it with only the keytab relocation so I added the following steps: mkdir /var/kerberos/krb5/user/48/ cp /var/lib/gssproxy/clients/httpd.keytab /var/kerberos/krb5/user/48/ client.keytab chcon -t krb5_keytab_t /var/kerberos/krb5/user/48/client.keytab chown apache:apache /var/kerberos/krb5/user/48/client.keytab systemctl restart gssproxy.service
and the nfs mount is readable by the apache user su - apache -s /bin/bash ls /test example.txt
[root@fedoraclient ~]# getenforce Enforcing
so I guess we are incorrectly blaming selinux for this, but it should be : https://pagure.io/gssproxy/issue/178
We definitely reproduced the SeLinux issue. Both issues are at play here.
Simo.
-- Simo Sorce Sr. Principal Software Engineer Red Hat, Inc
gss-proxy mailing list -- gss-proxy@lists.fedorahosted.org To unsubscribe send an email to gss-proxy-leave@lists.fedorahosted.org