kerberos and selinux

Nalin Dahyabhai nalin at
Thu May 23 14:01:56 EDT 2013

On Wed, May 22, 2013 at 11:23:40PM -0700, Chris Hecker wrote:
> I run with SELinux enabled, and krb5kdc and kadmin both want read access 
> to /etc/pki/tls on startup.  I'm using ldaps as the protocol for talking 
> to slapd, is this why?  This is on Centos 5, which I know is a bit old.

If your realm database is in slapd, then that sounds about right.  The
only other place I'd guess it might have accessed certificates was
if you were using PKINIT, but the now-obsolete module we included then
looked in /etc/pki/nssdb by default.

> My KDC and kadmin work fine without allowing this access, and there's 
> nothing in krb5kdc.log or kadmind.log, just the AVCs in audit.log.
> Should I enable these guys to read cert_t files, or should I ignore 
> them?  If the latter, is there a configuration setting for making them 
> stop trying the directory?

FWIW, unless there are private keys in there (which I think the
configuration would also label as cert_t, probably in error), I think
allowing the access is a better option.  If your setup's working despite
the errors, you could also choose to not have those denials logged.
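As an added example (not code from the list post or from the Kerberos project), the shell below reduces constructed AVC lines of the kind described above to source/target/class/permission tuples and writes a local SELinux policy module that either allows the access, as the reply prefers, or dontaudits it, the reply's second option. It assumes the standard refpolicy domains krb5kdc_t and kadmind_t for the two daemons and one permission per AVC line; the audit lines, pids, inode and module name are made up.

```shell
#!/bin/sh
# Constructed sample in the shape of audit.log AVC records (not real output).
AVC_SAMPLE='type=AVC msg=audit(1369284220.123:4): avc:  denied  { read } for  pid=2113 comm="krb5kdc" name="tls" dev=sda2 ino=131073 scontext=system_u:system_r:krb5kdc_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir
type=AVC msg=audit(1369284221.456:5): avc:  denied  { read } for  pid=2140 comm="kadmind" name="tls" dev=sda2 ino=131073 scontext=system_u:system_r:kadmind_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir
type=AVC msg=audit(1369284230.789:6): avc:  denied  { write } for  pid=999 comm="httpd" name="index.html" dev=sda2 ino=42 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file'

# Read AVC records on stdin and print "source_type target_type class perm"
# tuples, keeping only the two Kerberos daemons' denials on cert_t objects.
# Assumes one permission inside the braces; audit2allow handles the general case.
kerberos_cert_denials() {
    grep 'avc: *denied' |
    sed -n 's/.*denied *{ \([a-z_]*\) }.*scontext=[^:]*:[^:]*:\([a-z_0-9]*\):.*tcontext=[^:]*:[^:]*:\([a-z_0-9]*\):.*tclass=\([a-z_]*\).*/\2 \3 \4 \1/p' |
    awk '($1 == "krb5kdc_t" || $1 == "kadmind_t") && $2 == "cert_t"' | sort -u
}

# Turn those tuples (stdin) into a .te policy module. MODE is "allow" to grant
# the access or "dontaudit" to stop logging the denials without granting anything.
policy_te() {
    mode="$1"
    tuples=$(cat)
    printf 'module local_krb5_cert 1.0;\n\nrequire {\n'
    printf '%s\n' "$tuples" |
    awk '{ print "\ttype " $1 ";\n\ttype " $2 ";\n\tclass " $3 " " $4 ";" }' | sort -u
    printf '}\n\n'
    printf '%s\n' "$tuples" |
    awk -v m="$mode" '{ print m " " $1 " " $2 ":" $3 " " $4 ";" }'
}

# On the KDC, after auditing what is actually labelled cert_t (the reply warns
# private keys may be), build and load the module with:
#   grep avc /var/log/audit/audit.log | kerberos_cert_denials | policy_te allow > local_krb5_cert.te
#   checkmodule -M -m -o local_krb5_cert.mod local_krb5_cert.te
#   semodule_package -o local_krb5_cert.pp -m local_krb5_cert.mod
#   semodule -i local_krb5_cert.pp
```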
