On Wed, May 22, 2013 at 11:23:40PM -0700, Chris Hecker wrote:
> I run with SELinux enabled, and krb5kdc and kadmin both want read access
> to /etc/pki/tls on startup. I'm using ldaps as the protocol for talking
> to slapd, is this why? This is on CentOS 5, which I know is a bit old.

If your realm database is in slapd, then that sounds about right. The only
other place I'd guess it might have accessed certificates was if you were
using PKINIT, but the now-obsolete module we included then looked in
/etc/pki/nssdb by default.

> My KDC and kadmin work fine without allowing this access, and there's
> nothing in krb5kdc.log or kadmind.log, just the AVCs in audit.log.
>
> Should I enable these guys to read cert_t files, or should I ignore
> them? If the latter, is there a configuration setting for making them
> stop trying the directory?

FWIW, unless there are private keys in there (which I think the
configuration would also label as cert_t, probably in error), I think
allowing the access is a better option. If your setup's working despite
the errors, you could also choose to not have those denials logged.

HTH,

Nalin
________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
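The two ways out that the reply describes (allow the read, or stop logging the denial) and its caveat about private keys under /etc/pki/tls, as an added worked example. This is not code from the thread or from MIT Kerberos: the AVC records are constructed to look like krb5kdc_t and kadmind_t reading a cert_t directory, the module name local_krb5 and the scratch directory standing in for /etc/pki/tls are made up, and the sed/awk parsing is a hand-rolled stand-in for audit2allow so the script runs on a box without SELinux. On a real CentOS host the ausearch/audit2allow/semodule commands in the header comment are the normal route.

```shell
#!/bin/sh
# Added example, not from the original thread. Turns AVC denials into a local
# SELinux policy module that either allows the access or dontaudits it, and
# checks the caveat from the reply: are there private keys in the cert_t dir?
# The real-world equivalent, which needs the SELinux tools installed:
#   ausearch -m avc -c krb5kdc | audit2allow -M local_krb5      # allow rules
#   ausearch -m avc -c krb5kdc | audit2allow -D -M local_krb5   # dontaudit rules
#   semodule -i local_krb5.pp
# The parsing below is a stand-in for audit2allow so this runs offline.

# Constructed sample records (not copied from anyone's audit.log), shaped like
# krb5kdc and kadmind trying to read /etc/pki/tls, which is labelled cert_t.
SAMPLE_AVCS='type=AVC msg=audit(1369290220.123:456): avc:  denied  { read } for  pid=2345 comm="krb5kdc" name="tls" dev=sda1 ino=12345 scontext=system_u:system_r:krb5kdc_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir
type=AVC msg=audit(1369290221.456:457): avc:  denied  { read } for  pid=2350 comm="kadmind" name="tls" dev=sda1 ino=12345 scontext=system_u:system_r:kadmind_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir'

# Print one "source_type target_type class perm..." line per distinct denial.
extract_denials() {
    printf '%s\n' "$1" |
    sed -n 's/.*denied *{ *\([^}]*\)}.*scontext=[^:]*:[^:]*:\([^:]*\):.*tcontext=[^:]*:[^:]*:\([^:]*\):.*tclass=\([a-z_]*\).*/\2 \3 \4 \1/p' |
    sort -u
}

# Write a type-enforcement (.te) module to stdout.
#   $1 = module name (hypothetical: local_krb5)
#   $2 = "allow" (grant the read) or "dontaudit" (keep denying, stop logging)
#   $3 = raw AVC text
make_module() {
    name=$1; mode=$2; avcs=$3
    case "$mode" in
        allow|dontaudit) ;;
        *) echo "make_module: mode must be allow or dontaudit" >&2; return 1 ;;
    esac
    printf 'module %s 1.0;\n\nrequire {\n' "$name"
    # every source and target type referenced by a rule must be declared
    extract_denials "$avcs" | awk '{ print $1; print $2 }' | sort -u |
        awk '{ printf "\ttype %s;\n", $1 }'
    # one class declaration per object class, with the union of its perms
    extract_denials "$avcs" | awk '
        { for (i = 4; i <= NF; i++) if (!seen[$3, $i]++) perms[$3] = perms[$3] " " $i }
        END { for (c in perms) printf "\tclass %s {%s };\n", c, perms[c] }' | sort
    printf '}\n\n'
    extract_denials "$avcs" | awk -v m="$mode" '
        { p = $4; for (i = 5; i <= NF; i++) p = p " " $i
          print m " " $1 " " $2 ":" $3 " { " p " };" }'
}

# The caveat in the reply: if anything under the directory is a PEM private
# key, "allow ... cert_t" also lets the daemons read the key. Returns 0 if found.
has_private_keys() {
    find "$1" -type f -exec grep -l 'PRIVATE KEY-----' {} + 2>/dev/null | grep -q .
}

# Choose the rule type for a directory: the daemons work without the access
# (per the poster), so with private keys present just silence the denial.
choose_mode() {
    if has_private_keys "$1"; then echo dontaudit; else echo allow; fi
}

# Demo run against the constructed records, with a scratch directory holding a
# placeholder certificate standing in for /etc/pki/tls.
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' '-----BEGIN CERTIFICATE-----' \
        'constructed placeholder, not a real certificate' \
        '-----END CERTIFICATE-----' > "$dir/ca.crt"
    mode=$(choose_mode "$dir")
    make_module local_krb5 "$mode" "$SAMPLE_AVCS"
    rm -rf "$dir"
}
demo
```

Running it prints a module with "allow krb5kdc_t cert_t:dir { read };" and the matching kadmind_t rule; drop a file with a PRIVATE KEY header into the scratch directory and choose_mode flips to dontaudit instead. Whichever rule you pick, audit2allow output on the real host should be read before loading it: dontaudit hides the denial from audit.log entirely, so if the KDC later genuinely needs that read (for example after switching to a PKINIT setup that stores certificates there) the failure will be silent.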
