I'm trying to get all of this fancy kerberized NFS stuff working and I'm
having a problem where credential forwarding via ssh doesn't work due to
selinux. Running a fully updated Fedora 21
(selinux-policy-targeted-3.13.1-103.fc21.noarch,
kernel-3.18.3-201.fc21.x86_64) I get the following AVCs:
time->Thu Jan 29 20:25:18 2015
type=AVC msg=audit(1422584718.991:278): avc: denied { read } for pid=1272 comm="sshd" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:gssd_t:s0 tclass=key permissive=0
----
time->Thu Jan 29 20:25:18 2015
type=AVC msg=audit(1422584718.991:279): avc: denied { write } for pid=1272 comm="sshd" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:gssd_t:s0 tclass=key permissive=0
And sshd logs a failure:
Jan 29 20:30:00 ld82.e.math.uh.edu sshd[1464]: debug1: temporarily_use_uid: 7225/7225 (e=0/0)
Jan 29 20:30:00 ld82.e.math.uh.edu sshd[1464]: debug1: ssh_krb5_cc_gen: Setting ccname to KEYRING:persistent:7225
Jan 29 20:30:00 ld82.e.math.uh.edu sshd[1464]: krb5_cc_initialize(): Permission denied
Jan 29 20:30:00 ld82.e.math.uh.edu sshd[1464]: debug1: restore_uid: 0/0
I don't know what causes this; sometimes it just starts working randomly
(and the AVCs go away). I don't know if this is a bug or if I'm doing
something wrong. If I disable selinux (setenforce 0) it immediately
starts working.
- J<
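Added example, not part of the post above and not the code of audit2allow or of any Fedora tool: a small Python parser for AVC records of the shape shown in the post. It extracts the source type, target type, object class and permissions from each `denied` record, merges permissions per (source, target, class) triple, and prints the same kind of `.te` policy module that `audit2allow -M` would produce for these two records. The sample input is the post's two AVCs re-joined onto one line each (audit.log writes one record per line; the mail client wrapped them); the module name `local_sshd_gssd_key` is an assumption.

```python
"""Parse SELinux AVC denial records and emit the allow rules they imply."""
import re
from collections import OrderedDict

# Constructed sample: the two AVC records quoted in the post, each re-joined
# onto a single line the way they appear in /var/log/audit/audit.log.
SAMPLE_AVCS = """\
type=AVC msg=audit(1422584718.991:278): avc: denied { read } for pid=1272 comm="sshd" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:gssd_t:s0 tclass=key permissive=0
type=AVC msg=audit(1422584718.991:279): avc: denied { write } for pid=1272 comm="sshd" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:gssd_t:s0 tclass=key permissive=0
"""

# Header of an AVC record: timestamp:serial, verdict, the permission set in
# braces, then the key=value fields after "for".
AVC_RE = re.compile(
    r'type=AVC\s+msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*avc:\s+'
    r'(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$'
)
# key=value pairs; values are either double-quoted (comm="sshd") or bare.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """Return the type field of a user:role:type[:level] SELinux context."""
    parts = ctx.split(':')
    if len(parts) < 3:
        raise ValueError(f"not a SELinux context: {ctx!r}")
    return parts[2]


def parse_avc_denials(text):
    """Parse AVC records (one per line); non-AVC lines and 'granted' records are ignored."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m or m.group('verdict') != 'denied':
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
        try:
            denials.append({
                'serial': int(m.group('serial')),
                'perms': m.group('perms').split(),
                'comm': fields.get('comm'),
                'pid': int(fields['pid']) if 'pid' in fields else None,
                'source_type': context_type(fields['scontext']),
                'target_type': context_type(fields['tcontext']),
                'tclass': fields['tclass'],
                # permissive=0 means the kernel really refused the access;
                # permissive=1 means it was only logged (permissive domain/mode).
                'enforced': fields.get('permissive', '0') == '0',
            })
        except (KeyError, ValueError):
            continue  # malformed record: skip it rather than emit a bogus rule
    return denials


def merge_denials(denials):
    """Collapse denials into {(source_type, target_type, tclass): set(perms)}."""
    merged = OrderedDict()
    for d in denials:
        key = (d['source_type'], d['target_type'], d['tclass'])
        merged.setdefault(key, set()).update(d['perms'])
    return merged


def allow_rules(denials):
    """One TE allow rule per (source, target, class), permissions merged and sorted."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in merge_denials(denials).items()]


def te_module(name, denials, version="1.0"):
    """Render a complete .te module: header, require block, allow rules."""
    merged = merge_denials(denials)
    types = sorted({t for key in merged for t in key[:2]})
    classes = OrderedDict()
    for (_, _, cls), perms in merged.items():
        classes.setdefault(cls, set()).update(perms)
    lines = [f"module {name} {version};", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in classes.items()]
    lines += ["}", ""]
    lines += allow_rules(denials)
    return "\n".join(lines) + "\n"


if __name__ == '__main__':
    # Module name is an assumption; pick whatever local naming convention you use.
    print(te_module('local_sshd_gssd_key', parse_avc_denials(SAMPLE_AVCS)), end='')
```

Saving the printed module as `local_sshd_gssd_key.te`, it can be built and loaded with `checkmodule -M -m -o local_sshd_gssd_key.mod local_sshd_gssd_key.te`, `semodule_package -o local_sshd_gssd_key.pp -m local_sshd_gssd_key.mod` and `semodule -i local_sshd_gssd_key.pp`. Note that the rule lets sshd_t read and write any kernel key labelled gssd_t, not just the one credential cache keyring, so it is a local workaround to keep credential forwarding going while the denial is reported against selinux-policy, not a fix. The `permissive=0` in both records also confirms the denials were enforced, which matches the observation that `setenforce 0` makes it work.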