Problems with kerberos and SElinux
by Keith Sharp
Hello,
I am running into a problem with krb5kdc and SELinux. Version
information:
selinux-policy-targeted-1.25.3-12
kernel-2.6.12-1.1398_FC4
krb5-server-1.4.1-5
I was working with SELinux targeted and enforcing but I was having
problems with kadmin so I decided to disable SELinux
using /etc/sysconfig/selinux and reboot. This solved my kadmin problem
so I decided to re-enable SELinux so that I could capture traces to
raise a bug.
When I rebooted with SELinux enabled krb5kdc failed to start and I had
the following in /var/log/audit/audit.log:
type=AVC msg=audit(1125672380.961:124865): avc: denied { getattr } for pid=1836 comm="krb5kdc" name="krb5kdc_rcache" dev=dm-0 ino=552323 scontext=root:system_r:krb5kdc_t tcontext=system_u:object_r:file_t tclass=file
type=SYSCALL msg=audit(1125672380.961:124865): arch=40000003 syscall=195 success=no exit=-13 a0=90a3af0 a1=bff5d968 a2=3a4ff4 a3=0 items=1 pid=1836 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="krb5kdc" exe="/usr/kerberos/sbin/krb5kdc"
type=AVC_PATH msg=audit(1125672380.961:124865): path="/var/tmp/krb5kdc_rcache"
type=CWD msg=audit(1125672380.961:124865): cwd="/"
type=PATH msg=audit(1125672380.961:124865): item=0 name="/var/tmp/krb5kdc_rcache" flags=1 inode=552323 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00
and in the log /var/log/krb5kdc.log:
krb5kdc: Permission denied in replay cache code - while initializing KDC
replay cache 'dfl:krb5kdc_rcache'
Is this a known issue, or should I Bugzilla it?
Thanks,
Keith.
17 years, 7 months
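An added example, not part of the original post: a small Python parser that groups the audit records quoted above by event serial, joins the AVC denial to its AVC_PATH record, and flags targets whose type is file_t. Treating file_t (and unlabeled_t) as the sign of a missing or invalid label is an interpretation added here, and the function and constant names are hypothetical.

```python
import re
from collections import defaultdict

# Sample input: the five audit records quoted in the post above.
SAMPLE = '''\
type=AVC msg=audit(1125672380.961:124865): avc: denied { getattr } for pid=1836 comm="krb5kdc" name="krb5kdc_rcache" dev=dm-0 ino=552323 scontext=root:system_r:krb5kdc_t tcontext=system_u:object_r:file_t tclass=file
type=SYSCALL msg=audit(1125672380.961:124865): arch=40000003 syscall=195 success=no exit=-13 a0=90a3af0 a1=bff5d968 a2=3a4ff4 a3=0 items=1 pid=1836 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="krb5kdc" exe="/usr/kerberos/sbin/krb5kdc"
type=AVC_PATH msg=audit(1125672380.961:124865): path="/var/tmp/krb5kdc_rcache"
type=CWD msg=audit(1125672380.961:124865): cwd="/"
type=PATH msg=audit(1125672380.961:124865): item=0 name="/var/tmp/krb5kdc_rcache" flags=1 inode=552323 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00
'''

HEADER = re.compile(r'^type=(\S+) msg=audit\(\d+\.\d+:(\d+)\): ?(.*)$')
PERMS = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Assumption: these types mean the object carries no label or an invalid one.
UNLABELED_TYPES = {"file_t", "unlabeled_t"}

def parse_denials(text):
    """Correlate records sharing an audit serial; return one dict per AVC denial."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue
        rtype, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        perms = PERMS.search(body)
        if rtype == "AVC" and perms:
            events[serial].update(fields, perms=perms.group(1).split())
        elif rtype in ("AVC_PATH", "PATH"):
            full = fields.get("path") or fields.get("name")
            if full:
                events[serial].setdefault("path", full)
    denials = []
    for serial, ev in events.items():
        if "perms" not in ev:
            continue  # event had no AVC denial record
        target = ev["tcontext"].split(":")[2]  # user:role:type[:level]
        denials.append({
            "event": serial, "comm": ev["comm"], "perms": ev["perms"],
            "path": ev.get("path") or ev.get("name"),
            "source_type": ev["scontext"].split(":")[2],
            "target_type": target, "tclass": ev["tclass"],
            "unlabeled": target in UNLABELED_TYPES,
        })
    return denials

if __name__ == "__main__":
    for d in parse_denials(SAMPLE):
        print(d)
```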
NeedHelp: Issue on change apache DocumentRoot location on FC3
by KevinKW
Hi,
I've changed the DocumentRoot directory of httpd 2.0.52 server from
/var/www/html to /data/www/html, which is mounted from the disk /dev/hda8.
But when I try to start the httpd service, it reports the warning "Warning:
DocumentRoot [/data/www/html/] does not exist".
I've changed its security context with the command "chcon -R -t
httpd_user_content_t /data/www" but it still did not work.
The following is the output of the command "ls -Z /data/www":
=============
drwxr-xr-x kevinkw kevinkw user_u:object_r:httpd_user_content_t cgi-bin
drwxr-xr-x kevinkw kevinkw user_u:object_r:httpd_user_content_t error
drwxr-xr-x kevinkw kevinkw user_u:object_r:httpd_user_content_t html
drwxr-xr-x kevinkw kevinkw user_u:object_r:httpd_user_content_t icons
=============
How can I solve this problem? If any more information is needed, please let me
know. Thanks very much!
Best wishes,
Kevin
17 years, 7 months
SELinux Symposium - Call for papers reminder
by SELinux Symposium Chair
This is a reminder that paper proposals for the Second Security Enhanced
Linux Symposium are due on September 19, 2005. For more information or
to submit your proposal please visit http://www.selinux-symposium.org/.
The full text of the call is included below for reference.
SECOND SECURITY ENHANCED LINUX SYMPOSIUM (www.selinux-symposium.org)
Call for Papers
The call for papers for the Second Security Enhanced Linux (SELinux)
Symposium is now open. The Symposium is scheduled for February 28-March
2, 2006, at the Wyndham Hotel, Baltimore, Maryland, USA. The event is
the only one of its kind to examine SELinux and the power of the flexible
mandatory access control security it brings to Linux. Last year's
inaugural symposium was a tremendous success providing the SELinux
development and user community the opportunity to discuss related
research results, development plans, and applications.
Any topics relating to SELinux technology, flexible mandatory access
control, and its application to real-world problems are of interest for
this symposium. Such topics include:
+ Innovations and advancement in SELinux technology
+ Use and application of SELinux and Type Enforcement
+ SELinux development experiences and tools
+ Use and Configuration of MLS and RBAC in securing systems
+ Updates on the various Linux distributions using SELinux
+ Practical "root"-less system administration policies
+ Case studies and application experience with SELinux
+ Related research and development activities
+ Tools and products supporting/using SELinux
+ Security evaluation and certification issues
+ User and customer concerns and needs
+ Tutorials
No marketing pitches will be accepted.
The call for papers is open until September 19, 2005. For additional
information and submittal requirements, see www.selinux-symposium.org.
Technical Committee:
Joshua Brindle, Tresys
Russell Coker, Red Hat
Chad Hanson, TCS
Trent Jaeger, Penn State University
Pete Loscocco, NSA
Karl MacMillan, Tresys
Frank Mayer (Chair), Tresys
James Morris, Red Hat
Doc Shankar, IBM
Stephen Smalley, NSA
Daniel Walsh, Red Hat
17 years, 7 months