Kadmind dies after startup on FC14 x64 arch

Simo Sorce ssorce at redhat.com
Mon Mar 14 15:02:13 EDT 2011


On Mon, 14 Mar 2011 16:22:25 +0000
Brian Candler <B.Candler at pobox.com> wrote:

> On Sun, Mar 13, 2011 at 12:15:41PM -0500, Maple Thorpe wrote:
> > Service kadmin is started as root user but kadmind dies
> > and /var/log/kadmin.log contains message "Permission denied while
> > mapping update log ('var/kerberos/krb5kdc/principal.ulog').
> 
> "Permission denied" while things are running as root suggests it
> could be a problem with SELINUX.  You could try turning it off
> globally to see if that fixes the problem.

It seems like this is a possible explanation.

Check /var/log/audit/audit.log to see if there are any denials when the
kadmind service is started through the "service" tool.

(if manually run by root it will run as unconfined and may not show the
issue).

If audit.log reports denials you can open a bug in Fedora against the
selinux policy and temporarily switch selinux to permissive mode by
running 'setenforce 0', or you can use the audit2allow tool to create
temporary local policy.

> > open("/var/kerberos/krb5kdc/principal.ulog", O_RDWR) = 15
> 
> You're right, that looks successful. Are you saying that kadmind
> behaves differently if you run it under strace? Or do you still get
> the permission denied error logged, possibly this one:

This would be in line with an selinux denial, as running under strace
would seem to mean it was run interactively by the user root which is
normally unconfined and therefore also the daemon would be run as
unconfined. When run through init scripts there is a transition and the
context is set appropriately, thus restrictions take effect.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
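
Added example, not part of the original message: a small Python filter for the audit.log check described above, reporting which SELinux domain the denied process ran in. The sample log lines (including the SELinux type names in them) are constructed for illustration, and `denials_for` is a hypothetical helper name.

```python
import re

# Constructed sample in audit.log format; values are illustrative only.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1300129333.101:410): avc:  denied  { read write } for  pid=2101 comm="kadmind" name="principal.ulog" dev=dm-0 ino=131 scontext=system_u:system_r:kadmind_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file
type=SYSCALL msg=audit(1300129333.101:410): arch=c000003e syscall=2 success=no exit=-13 comm="kadmind"
type=AVC msg=audit(1300129340.550:415): avc:  denied  { getattr } for  pid=2150 comm="httpd" path="/srv/index.html" dev=dm-0 ino=77 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1300129399.007:420): avc:  granted  { setenforce } for  pid=2200 comm="setenforce" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
"""

# Matches only AVC records whose decision is "denied".
AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{ (?P<perms>[^}]*)\} for\s+(?P<fields>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def denials_for(log_text, comm="kadmind"):
    """Return one dict per AVC denial logged for the given command name."""
    hits = []
    for line in log_text.splitlines():
        m = AVC_RE.match(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
        if fields.get("comm") != comm:
            continue
        # SELinux contexts are user:role:type:level; the type is the domain.
        source_domain = fields["scontext"].split(":")[2]
        hits.append({
            "serial": int(m.group("serial")),
            "perms": m.group("perms").split(),
            "object": fields.get("name") or fields.get("path"),
            "tclass": fields.get("tclass"),
            "source_domain": source_domain,
            "target_type": fields["tcontext"].split(":")[2],
            # A daemon started by root from a shell normally shows unconfined_t here.
            "confined": source_domain != "unconfined_t",
        })
    return hits


if __name__ == "__main__":
    for d in denials_for(SAMPLE_AUDIT_LOG):
        print(d)
```

To run it against a real log, pass the contents of /var/log/audit/audit.log (readable by root) instead of the constructed sample.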


