Bug 1573945

Summary: SELinux prevents jabber router from reading /etc/krb5.keytab file
Product: [Fedora] Fedora
Reporter: Milos Malik <mmalik>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: medium
Priority: medium
Version: 28
CC: dwalsh, lvrabec, mgrepl, plautrba, pmoore
Hardware: All
OS: Linux
Fixed In Version: selinux-policy-3.14.1-29.fc28
Clone Of: 1438734
Last Closed: 2018-05-26 20:45:04 UTC
Type: Bug

Description Milos Malik 2018-05-02 14:49:29 UTC
+++ This bug was initially created as a clone of Bug #1438734 +++

Description of problem:
* SELinux denials appear only if /etc/krb5.keytab exists

Version-Release number of selected component (if applicable):
jabberd-2.6.1-8.fc28.x86_64
selinux-policy-3.14.1-24.fc28.noarch
selinux-policy-devel-3.14.1-24.fc28.noarch
selinux-policy-targeted-3.14.1-24.fc28.noarch

How reproducible:
* always

Steps to Reproduce:
1. get a Fedora 28 machine (targeted policy is active)
2. # touch /etc/krb5.keytab
3. # service jabberd start
4. search for SELinux denials

Actual results (enforcing mode):
----
time->Wed May  2 10:48:01 2018
type=AVC msg=audit(1525272481.518:502): avc:  denied  { read } for  pid=5413 comm="router" name="krb5.keytab" dev="vda1" ino=132106 scontext=system_u:system_r:jabberd_router_t:s0 tcontext=unconfined_u:object_r:krb5_keytab_t:s0 tclass=file permissive=0
----

Expected results:
* no SELinux denials

Comment 1 Milos Malik 2018-05-02 14:55:46 UTC
Caught in permissive mode:
----
time->Wed May  2 10:54:00 2018
type=AVC msg=audit(1525272840.479:516): avc:  denied  { read } for  pid=5458 comm="router" name="krb5.keytab" dev="vda1" ino=132106 scontext=system_u:system_r:jabberd_router_t:s0 tcontext=unconfined_u:object_r:krb5_keytab_t:s0 tclass=file permissive=1
----
time->Wed May  2 10:54:00 2018
type=AVC msg=audit(1525272840.479:517): avc:  denied  { open } for  pid=5458 comm="router" path="/etc/krb5.keytab" dev="vda1" ino=132106 scontext=system_u:system_r:jabberd_router_t:s0 tcontext=unconfined_u:object_r:krb5_keytab_t:s0 tclass=file permissive=1
----
time->Wed May  2 10:54:00 2018
type=AVC msg=audit(1525272840.480:518): avc:  denied  { lock } for  pid=5458 comm="router" path="/etc/krb5.keytab" dev="vda1" ino=132106 scontext=system_u:system_r:jabberd_router_t:s0 tcontext=unconfined_u:object_r:krb5_keytab_t:s0 tclass=file permissive=1
----
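
The enforcing run above logs only `read` because the denied access stops the router before it attempts `open` and `lock`; the permissive run exposes the full set. The Python below is an added example, not part of the bug report or of the selinux-policy fix: it groups the report's AVC records by source type, target type and class and lists what enforcing mode hid (all function names are assumptions of this example).

```python
import re
from collections import defaultdict

# AVC records copied verbatim from this report: one enforcing run, one permissive run.
SAMPLE = """\
type=AVC msg=audit(1525272481.518:502): avc:  denied  { read } for  pid=5413 comm="router" name="krb5.keytab" dev="vda1" ino=132106 scontext=system_u:system_r:jabberd_router_t:s0 tcontext=unconfined_u:object_r:krb5_keytab_t:s0 tclass=file permissive=0
type=AVC msg=audit(1525272840.479:516): avc:  denied  { read } for  pid=5458 comm="router" name="krb5.keytab" dev="vda1" ino=132106 scontext=system_u:system_r:jabberd_router_t:s0 tcontext=unconfined_u:object_r:krb5_keytab_t:s0 tclass=file permissive=1
type=AVC msg=audit(1525272840.479:517): avc:  denied  { open } for  pid=5458 comm="router" path="/etc/krb5.keytab" dev="vda1" ino=132106 scontext=system_u:system_r:jabberd_router_t:s0 tcontext=unconfined_u:object_r:krb5_keytab_t:s0 tclass=file permissive=1
type=AVC msg=audit(1525272840.480:518): avc:  denied  { lock } for  pid=5458 comm="router" path="/etc/krb5.keytab" dev="vda1" ino=132106 scontext=system_u:system_r:jabberd_router_t:s0 tcontext=unconfined_u:object_r:krb5_keytab_t:s0 tclass=file permissive=1
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+"
    r"tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?"
)

def context_type(context):
    """Return the type field of a user:role:type[:level] SELinux context."""
    return context.split(":")[2]

def group_denials(text, permissive):
    """Map (source type, target type, class) -> set of denied permissions,
    keeping only records logged with the given permissive flag (True/False)."""
    grouped = defaultdict(set)
    for m in AVC_RE.finditer(text):
        if (m.group("permissive") == "1") != permissive:
            continue
        key = (context_type(m.group("scontext")),
               context_type(m.group("tcontext")), m.group("tclass"))
        grouped[key].update(m.group("perms").split())
    return dict(grouped)

def as_allow_rules(grouped):
    """Render grouped denials as policy-language allow rules."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(grouped.items())]

def hidden_by_enforcing(text):
    """Permissions seen only in permissive mode, per (source, target, class)."""
    enforcing, permissive = group_denials(text, False), group_denials(text, True)
    return {k: sorted(v - enforcing.get(k, set())) for k, v in permissive.items()}

if __name__ == "__main__":
    print(as_allow_rules(group_denials(SAMPLE, True)))
    print(hidden_by_enforcing(SAMPLE))
```

The rendered rule states what the logged denials imply; the change actually shipped in selinux-policy-3.14.1-29.fc28 is not shown on this page and may take a different form.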

Comment 2 Fedora Update System 2018-05-24 14:37:11 UTC
selinux-policy-3.14.1-29.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-a74875b364

Comment 3 Fedora Update System 2018-05-25 18:43:17 UTC
selinux-policy-3.14.1-29.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-a74875b364

Comment 4 Fedora Update System 2018-05-26 20:45:04 UTC
selinux-policy-3.14.1-29.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.