Why is SELinux preventing "/usr/sbin/krb5kdc" from write access on the sock_file pac?
Issue
- Logging in to IPA-server using an IPA based account causes SELinux errors:
time->Tue Mar 8 08:37:42 2016
type=SYSCALL msg=audit(1457422662.900:7589): arch=c000003e syscall=42 success=no exit=-13 a0=d a1=7ffd670a2760 a2=6e a3=7f7bd52da7b8 items=0 ppid=1 pid=14018 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="krb5kdc" exe="/usr/sbin/krb5kdc" subj=system_u:system_r:krb5kdc_t:s0 key=(null)
type=AVC msg=audit(1457422662.900:7589): avc: denied { write } for pid=14018 comm="krb5kdc" name="pac" dev="dm-1" ino=9898481 scontext=system_u:system_r:krb5kdc_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=sock_file
----
time->Tue Mar 8 08:37:42 2016
type=SYSCALL msg=audit(1457422662.922:7590): arch=c000003e syscall=42 success=no exit=-13 a0=d a1=7ffd670a2760 a2=6e a3=0 items=0 ppid=1 pid=14018 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="krb5kdc" exe="/usr/sbin/krb5kdc" subj=system_u:system_r:krb5kdc_t:s0 key=(null)
type=AVC msg=audit(1457422662.922:7590): avc: denied { write } for pid=14018 comm="krb5kdc" name="pac" dev="dm-1" ino=9898481 scontext=system_u:system_r:krb5kdc_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=sock_file
- It always happens when logging in.
Environment
Red Hat Enterprise Linux 7.2
