
kerberos and selinux


Chris Hecker

May 23, 2013, 2:23:40 AM5/23/13
to kerb...@mit.edu

I run with SELinux enabled, and krb5kdc and kadmin both want read access
to /etc/pki/tls on startup. I'm using ldaps as the protocol for talking
to slapd; is this why? This is on Centos 5, which I know is a bit old.

My KDC and kadmin work fine without allowing this access, and there's
nothing in krb5kdc.log or kadmind.log, just the AVCs in audit.log.

Should I enable these guys to read cert_t files, or should I ignore
them? If the latter, is there a configuration setting for making them
stop trying the directory?

Thanks,
Chris

Nalin Dahyabhai

May 23, 2013, 2:01:56 PM5/23/13
to Chris Hecker, kerb...@mit.edu
On Wed, May 22, 2013 at 11:23:40PM -0700, Chris Hecker wrote:
> I run with SELinux enabled, and krb5kdc and kadmin both want read access
> to /etc/pki/tls on startup. I'm using ldaps as the protocol for talking
> to slapd; is this why? This is on Centos 5, which I know is a bit old.

If your realm database is in slapd, then that sounds about right. The
only other place I'd guess it might have been accessing certificates was
if you were using PKINIT, but the now-obsolete module we included then
looked in /etc/pki/nssdb by default.

> My KDC and kadmin work fine without allowing this access, and there's
> nothing in krb5kdc.log or kadmind.log, just the AVCs in audit.log.
>
> Should I enable these guys to read cert_t files, or should I ignore
> them? If the latter, is there a configuration setting for making them
> stop trying the directory?

FWIW, unless there are private keys in there (which I think the
configuration would also label as cert_t, probably in error), I think
allowing the access is a better option. If your setup's working despite
the errors, you could also choose to not have those denials logged.

HTH,

Nalin
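As an added example (not from the thread, MIT Kerberos or the distribution's policy), here is a small audit2allow-style script covering both of Nalin's options: it turns the krb5kdc/kadmind AVC denials into a local policy module that either grants the access on cert_t or silences it with dontaudit rules. The sample AVC lines, the module name krb5_cert_t and the install_module helper are constructed for this example.

```shell
#!/bin/sh
# Added example: minimal audit2allow-style generator for the denials discussed above.
# MODE "allow" grants the access (Nalin's preferred option); MODE "dontaudit" only
# stops the denials from being logged. Real input on the KDC would be:
#   grep 'avc.*denied' /var/log/audit/audit.log | grep -E 'comm="(krb5kdc|kadmind)"'

# Constructed sample denials, shaped like CentOS 5 audit.log entries (PIDs, inodes, timestamps are made up).
SAMPLE_AVCS='type=AVC msg=audit(1369264120.101:401): avc:  denied  { search } for  pid=2345 comm="krb5kdc" name="tls" dev=dm-0 ino=12345 scontext=system_u:system_r:krb5kdc_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir
type=AVC msg=audit(1369264120.102:402): avc:  denied  { read } for  pid=2345 comm="krb5kdc" name="tls" dev=dm-0 ino=12345 scontext=system_u:system_r:krb5kdc_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir
type=AVC msg=audit(1369264121.200:403): avc:  denied  { read } for  pid=2350 comm="kadmind" name="tls" dev=dm-0 ino=12345 scontext=system_u:system_r:kadmind_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir'

# avc_rules MODE NAME: AVC lines on stdin -> type-enforcement module source on stdout.
# One rule per (source type, target type, class) carrying the union of the denied permissions.
avc_rules() {
    awk -v mode="$1" -v name="$2" '
    function app(list, v) { return index(" " list " ", " " v " ") ? list : list " " v }  # space-led, de-duplicated list
    /avc: +denied/ {
        match($0, /\{[^}]*\}/); perms = substr($0, RSTART + 1, RLENGTH - 2)   # permissions between { }
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) { split($i, a, ":"); s = a[3] }          # user:role:type[:level] -> type
            if ($i ~ /^tcontext=/) { split($i, a, ":"); t = a[3] }
            if ($i ~ /^tclass=/)   { c = substr($i, 8) }
        }
        types = app(types, s); types = app(types, t); classes = app(classes, c)
        key = s "|" t ":" c; keys = app(keys, key)
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++) { rp[key] = app(rp[key], p[j]); cp[c] = app(cp[c], p[j]) }
    }
    END {
        printf "module %s 1.0;\n\nrequire {\n", name
        n = split(substr(types, 2), p, " ");   for (j = 1; j <= n; j++) printf "\ttype %s;\n", p[j]
        n = split(substr(classes, 2), p, " "); for (j = 1; j <= n; j++) printf "\tclass %s {%s };\n", p[j], cp[p[j]]
        printf "}\n\n"
        n = split(substr(keys, 2), p, " ")
        for (j = 1; j <= n; j++) { r = p[j]; sub(/\|/, " ", r); printf "%s %s {%s };\n", mode, r, rp[p[j]] }
    }'
}

# install_module NAME MODE: build and load the module (run as root; needs checkmodule/semodule).
# Not run here. Afterwards confirm it is loaded with: semodule -l | grep NAME
install_module() {
    avc_rules "$2" "$1" > "$1.te" &&
    checkmodule -M -m -o "$1.mod" "$1.te" &&
    semodule_package -o "$1.pp" -m "$1.mod" &&
    semodule -i "$1.pp"
}

# Demo on the constructed sample (a real run feeds the grep above into avc_rules instead):
printf '%s\n' "$SAMPLE_AVCS" | avc_rules allow krb5_cert_t
```

Before loading an allow module, check that nothing under /etc/pki/tls labelled cert_t is actually a private key, since the rule grants the daemons read on every cert_t directory, not just that one.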

Elia Pinto

May 23, 2013, 2:59:58 PM5/23/13
to Chris Hecker, kerb...@mit.edu
It is a selinux question. So the selinux or the fedora selinux mailing
list is a better place to ask this question.

Best

2013/5/23, Chris Hecker <che...@d6.com>:
>
> I run with SELinux enabled, and krb5kdc and kadmin both want read access
> to /etc/pki/tls on startup. I'm using ldaps as the protocol for talking
> to slapd; is this why? This is on Centos 5, which I know is a bit old.
>
> My KDC and kadmin work fine without allowing this access, and there's
> nothing in krb5kdc.log or kadmind.log, just the AVCs in audit.log.
>
> Should I enable these guys to read cert_t files, or should I ignore
> them? If the latter, is there a configuration setting for making them
> stop trying the directory?
>
> Thanks,
> Chris
>
> ________________________________________________
> Kerberos mailing list Kerb...@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>

--
Sent from my mobile device