/var/tmp/host_0 context getting set to initrc_tmp_t

I'm trying to track down a situation where the context of
/var/tmp/host_0 somehow gets set to initrc_tmp_t instead of
krb5_host_rcache_t.  When this happens, I get the following denial:
  audit(1204783558.948:68): avc: denied { getattr } for pid=11121
  comm="sshd" path="/var/tmp/host_0" dev=dm-3 ino=753668
  scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023
  tcontext=unconfined_u:object_r:initrc_tmp_t:s0 tclass=file
and ssh gssapi authentication stops working.

This machine is a Kerberos slave server, and my best guess is that kpropd
(which runs as initrc_t) is rewriting (i.e. deleting and recreating)
that file at some point.  Unfortunately I can't cause it to happen so
I'm not sure that's what's going on.

This is probably a corner case among corner cases, but has anyone seen
anything like this?

 - J<

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
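
An added example, not part of the original post: a small parser for AVC denial records that flags when a denial's target file carries a different SELinux type than the one expected for its path, which is the condition described above. The path-to-type table is an assumption built from the post's statement that /var/tmp/host_0 should be krb5_host_rcache_t, and the sample record is the post's denial joined onto one line.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the denial quoted in the post, joined onto one line.
SAMPLE = (
    'audit(1204783558.948:68): avc: denied { getattr } for pid=11121 '
    'comm="sshd" path="/var/tmp/host_0" dev=dm-3 ino=753668 '
    'scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:object_r:initrc_tmp_t:s0 tclass=file'
)

# Assumption: expected type per path pattern, taken from the post's statement.
EXPECTED_TYPES = [(re.compile(r"^/var/tmp/host_\d+$"), "krb5_host_rcache_t")]

AVC_RE = re.compile(
    r"audit\((?P<epoch>\d+)\.\d+:(?P<serial>\d+)\): avc:\s+denied\s+"
    r"\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the fields of one AVC denial record, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec["perms"] = m.group("perms").split()
    rec["serial"] = int(m.group("serial"))
    rec["time"] = datetime.fromtimestamp(int(m.group("epoch")), tz=timezone.utc)
    for key in ("scontext", "tcontext"):
        # Contexts are user:role:type:level; the level may itself contain colons.
        rec[key + "_type"] = rec[key].split(":")[2] if key in rec else None
    return rec


def mislabel(rec):
    """Report a target whose type differs from the expected one for its path."""
    path = rec.get("path", "")
    for pattern, want in EXPECTED_TYPES:
        if pattern.match(path) and rec["tcontext_type"] != want:
            return {"path": path, "found": rec["tcontext_type"], "expected": want,
                    "inode": rec.get("ino"), "denied_to": rec["scontext_type"],
                    "when": rec["time"].isoformat()}
    return None


if __name__ == "__main__":
    print(mislabel(parse_avc(SAMPLE)))
```

The inode and timestamp in the report give a point of comparison: if a later denial for the same path shows a different inode, the file was recreated rather than relabeled in place.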
