On Tue, 2006-06-13 at 11:17 -0400, Jeffrey Hutzelman wrote:
..
> I'd suggest looking at the kadmind log and/or attaching strace to the
> running strace to see what file it's trying to access that is prohibited by
> policy. Then adjust the policy to correct the problem.

(btw, adjusting the policy is best done via bugzilla.redhat.com)

In addition to the above, you may want to check /var/log/messages for entries like "avc: denied: ...." - all SELinux policy violations should get logged either there or in /var/log/audit/audit.log. A small helper tool "audit2why" tries to explain these somewhat terse messages.

You might also want to check the security context associated with all files involved, via "ls -Z ...." (SELinux stores this context usually in extended attributes, they get inherited from the parent directory for new files and will move with the file. Creating a config file in /tmp or in a home directory, then "mv"ing it into place could explain why a daemon later cannot read it...).

You can use /usr/sbin/restorecon to give files the "correct" context as per the SELinux policy.

Hope this helps

Jan

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
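
An added example, not part of the original message: a shell function that summarises AVC denial lines of the kind the reply says to look for, and marks targets whose label suggests a file created in /tmp or a home directory and then moved into place. The log lines are constructed, and the type names (kadmind_t, user_home_t, tmp_t, var_log_t), file names and the "relabel?" heuristic are assumptions, not values from this thread.

```shell
#!/bin/sh
# Constructed sample input (not from the thread): two AVC denials and one
# unrelated record, in the key=value layout used by audit.log.
sample_avc_lines() {
  cat <<'EOF'
type=AVC msg=audit(1150211820.123:45): avc:  denied  { read } for  pid=2345 comm="kadmind" name="kadm5.acl" dev=dm-0 ino=12345 scontext=system_u:system_r:kadmind_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1150211820.123:45): arch=40000003 syscall=5 success=no exit=-13
type=AVC msg=audit(1150211825.456:46): avc:  denied  { write } for  pid=2345 comm="kadmind" name="kadmind.log" dev=dm-0 ino=67890 scontext=system_u:system_r:kadmind_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
EOF
}

# Read log lines on stdin; print "comm perms name target_type hint" per denial.
avc_summary() {
  awk '
    /avc:/ && /denied/ {
      split("", kv)                       # reset fields from the previous line
      for (i = 1; i <= NF; i++) {         # collect every key=value token
        eq = index($i, "=")
        if (eq > 1) kv[substr($i, 1, eq - 1)] = substr($i, eq + 1)
      }
      o = index($0, "{"); c = index($0, "}")
      perm = substr($0, o + 2, c - o - 3) # permissions listed between the braces
      gsub(/ /, ",", perm)                # keep multi-permission sets in one column
      gsub(/"/, "", kv["comm"]); gsub(/"/, "", kv["name"])
      split(kv["tcontext"], t, ":")       # user:role:type[:level]
      # Assumed heuristic: a target typed tmp_t or user_home* was probably
      # created elsewhere and moved, so its label is the first thing to check.
      hint = (t[3] == "tmp_t" || t[3] ~ /^user_home/) ? "relabel?" : "-"
      print kv["comm"], perm, kv["name"], t[3], hint
    }'
}

sample_avc_lines | avc_summary
```

On a real host the same function can read the log directly, for example `avc_summary < /var/log/audit/audit.log`. Rows marked "relabel?" are the ones to inspect with "ls -Z" and restorecon; rows marked "-" carry an ordinary label, so the denial points at the policy instead.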