Why is SELinux preventing "/usr/sbin/krb5kdc" from write access on the sock_file pac?

Solution Verified - Updated -

Issue

  • Logging in to the IPA server with an IPA-based account causes SELinux errors:
time->Tue Mar  8 08:37:42 2016
type=SYSCALL msg=audit(1457422662.900:7589): arch=c000003e syscall=42 success=no exit=-13 a0=d a1=7ffd670a2760 a2=6e a3=7f7bd52da7b8 items=0 ppid=1 pid=14018 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="krb5kdc" exe="/usr/sbin/krb5kdc" subj=system_u:system_r:krb5kdc_t:s0 key=(null)
type=AVC msg=audit(1457422662.900:7589): avc:  denied  { write } for  pid=14018 comm="krb5kdc" name="pac" dev="dm-1" ino=9898481 scontext=system_u:system_r:krb5kdc_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=sock_file
----
time->Tue Mar  8 08:37:42 2016
type=SYSCALL msg=audit(1457422662.922:7590): arch=c000003e syscall=42 success=no exit=-13 a0=d a1=7ffd670a2760 a2=6e a3=0 items=0 ppid=1 pid=14018 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="krb5kdc" exe="/usr/sbin/krb5kdc" subj=system_u:system_r:krb5kdc_t:s0 key=(null)
type=AVC msg=audit(1457422662.922:7590): avc:  denied  { write } for  pid=14018 comm="krb5kdc" name="pac" dev="dm-1" ino=9898481 scontext=system_u:system_r:krb5kdc_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=sock_file
  • It happens on every login.
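
To read the denial in the log above at a glance, the following added example (not part of the original article) joins each AVC record to its SYSCALL record by audit event serial and counts distinct denials. The sample input is constructed from the two events above, trimmed to the fields used; the decode tables are assumptions limited to the values in this log (syscall 42 on x86_64 is connect, exit -13 is EACCES).

```python
import re
from collections import Counter

# Constructed sample: the two events from the log above, trimmed to the fields used.
SAMPLE = """\
time->Tue Mar  8 08:37:42 2016
type=SYSCALL msg=audit(1457422662.900:7589): arch=c000003e syscall=42 success=no exit=-13 pid=14018 comm="krb5kdc" exe="/usr/sbin/krb5kdc"
type=AVC msg=audit(1457422662.900:7589): avc:  denied  { write } for  pid=14018 comm="krb5kdc" name="pac" scontext=system_u:system_r:krb5kdc_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=sock_file
----
time->Tue Mar  8 08:37:42 2016
type=SYSCALL msg=audit(1457422662.922:7590): arch=c000003e syscall=42 success=no exit=-13 pid=14018 comm="krb5kdc" exe="/usr/sbin/krb5kdc"
type=AVC msg=audit(1457422662.922:7590): avc:  denied  { write } for  pid=14018 comm="krb5kdc" name="pac" scontext=system_u:system_r:krb5kdc_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=sock_file
"""

SERIAL = re.compile(r"msg=audit\(\d+\.\d+:(\d+)\)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r"denied\s+\{([^}]*)\}")
SYSCALLS = {("c000003e", "42"): "connect"}  # x86_64; only the number seen in this log
ERRNOS = {"-13": "EACCES"}                  # only the exit code seen in this log


def summarize(text):
    """Join AVC and SYSCALL records by event serial and count distinct denials."""
    syscalls, avcs = {}, []
    for line in text.splitlines():
        m = SERIAL.search(line)
        if not m:
            continue  # skips "time->" headers and "----" separators
        f = {k: v.strip('"') for k, v in FIELD.findall(line)}
        if f.get("type") == "SYSCALL":
            call = SYSCALLS.get((f.get("arch"), f.get("syscall")), f.get("syscall"))
            syscalls[m.group(1)] = (call, ERRNOS.get(f.get("exit"), f.get("exit")))
        elif f.get("type") == "AVC" and PERMS.search(line):
            avcs.append((m.group(1), f, PERMS.search(line).group(1).split()))
    counts = Counter()
    for serial, f, perms in avcs:  # second pass, so record order does not matter
        call, err = syscalls.get(serial, (None, None))
        for perm in perms:
            # SELinux context is user:role:type:level; the type is what policy matches on
            counts[(f["scontext"].split(":")[2], perm, f["tcontext"].split(":")[2],
                    f["tclass"], f.get("name"), call, err)] += 1
    return counts


if __name__ == "__main__":
    for key, n in summarize(SAMPLE).items():
        print(n, *key)
```

Both events collapse to a single denial: a process in krb5kdc_t was refused write on the sock_file named pac, labelled sssd_var_lib_t, during a connect() call that returned EACCES.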

Environment

  • Red Hat Enterprise Linux 7.2
