Jason L Tibbitts III wrote:
> I'm trying to track down a situation where the context of
> /var/tmp/host_0 somehow gets set to initrc_tmp_t instead of
> krb5_host_rcache_t. When this happens, I get the following denial:
> audit(1204783558.948:68): avc: denied { getattr } for pid=11121
> comm="sshd" path="/var/tmp/host_0" dev=dm-3 ino=753668
> scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023
> tcontext=unconfined_u:object_r:initrc_tmp_t:s0 tclass=file
> and ssh gssapi authentication stops working.
>
> This machine is a kerberos slave server, and my best guess is that kpropd
> (which runs as initrc_t) is rewriting (i.e. deleting and recreating)
> that file at some point. Unfortunately I can't cause it to happen so
> I'm not sure that's what's going on.
>
> This is probably a corner case among corner cases, but has anyone seen
> anything like this?
>
> - J<
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

This should work but is broken. Related to Bugzilla 428355.

And kpropd does need a policy written for it.
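
Added example (not part of the original thread or of any Fedora tooling): a small Python parser for AVC denial records like the one quoted above, which reports a target file whose SELinux type differs from the type expected for its path. The expected-type map holds only the /var/tmp/host_0 and krb5_host_rcache_t pairing stated in the thread; the function names and the second sample record are constructed for illustration.

```python
import re

# Expected type per path: the one entry is the pairing stated in the thread (map is an assumption).
EXPECTED_TYPES = {"/var/tmp/host_0": "krb5_host_rcache_t"}

AVC_RE = re.compile(r"audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s+avc:\s+denied\s+"
                    r"\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict of fields for an AVC denial record, or None if not one."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec["perms"] = m.group("perms").split()
    rec["serial"] = int(m.group("serial"))
    return rec

def context_type(ctx):
    """Type field of user:role:type[:level]; the level may itself contain ':'."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else None

def find_mislabels(lines, expected=EXPECTED_TYPES):
    """Report denials whose target file carries a type other than the expected one."""
    findings = []
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec.get("tclass") != "file":
            continue
        want = expected.get(rec.get("path"))
        got = context_type(rec.get("tcontext", ""))
        if want is not None and got != want:
            findings.append({"serial": rec["serial"], "comm": rec.get("comm"),
                             "path": rec["path"], "expected": want, "actual": got})
    return findings

SAMPLE = [
    # Record quoted in the thread, joined onto one line.
    'audit(1204783558.948:68): avc: denied { getattr } for pid=11121 comm="sshd" '
    'path="/var/tmp/host_0" dev=dm-3 ino=753668 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:object_r:initrc_tmp_t:s0 tclass=file',
    # Constructed: same path carrying the expected type, so it is not reported.
    'audit(1204783600.100:69): avc: denied { write } for pid=11200 comm="sshd" '
    'path="/var/tmp/host_0" dev=dm-3 ino=753670 scontext=unconfined_u:system_r:sshd_t:s0 '
    'tcontext=system_u:object_r:krb5_host_rcache_t:s0 tclass=file',
]

print(find_mislabels(SAMPLE))
```

Run over saved audit records, the report shows the process that hit each mislabeled file and the audit serial, which helps place when the label changed.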