Bug 577519

Summary: SELinux is preventing /lib64/security/pam_krb5/pam_krb5_storetmp "execute" access on /lib64/security/pam_krb5/pam_krb5_storetmp
Product: [Fedora] Fedora Reporter: Anthony Messina <amessina>
Component: selinux-policy-targetedAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Ben Levenson <benl>
Severity: medium Docs Contact:
Priority: low    
Version: 12   
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.6.32-108.fc12 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-04-09 01:24:34 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Anthony Messina 2010-03-27 18:40:02 UTC 
Using selinux-policy-targeted-3.6.32-103.fc12.noarch, I get the following errors.  I use saslauthd -> PAM -> Kerberos for services like Cyrus-IMAPd and Postfix.

node=chicago.messinet.com type=AVC msg=audit(1269711121.296:78): avc:  denied  { execute } for  pid=3389 comm="saslauthd" name="pam_krb5_storetmp" dev=sdd3 ino=418648 scontext=system_u:system_r:saslauthd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file

node=chicago.messinet.com type=AVC msg=audit(1269711121.296:78): avc:  denied  { read open } for  pid=3389 comm="saslauthd" name="pam_krb5_storetmp" dev=sdd3 ino=418648 scontext=system_u:system_r:saslauthd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file

node=chicago.messinet.com type=AVC msg=audit(1269711121.296:78): avc:  denied  { execute_no_trans } for  pid=3389 comm="saslauthd" path="/lib64/security/pam_krb5/pam_krb5_storetmp" dev=sdd3 ino=418648 scontext=system_u:system_r:saslauthd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file

node=chicago.messinet.com type=SYSCALL msg=audit(1269711121.296:78): arch=c000003e syscall=59 success=yes exit=0 a0=7f5b78b86298 a1=7fff381cb8a0 a2=7fff381cfeb8 a3=8 items=0 ppid=3388 pid=3389 auid=4294967295 uid=503 gid=503 euid=503 suid=503 fsuid=503 egid=503 sgid=503 fsgid=503 tty=(none) ses=4294967295 comm="pam_krb5_storet" exe="/lib64/security/pam_krb5/pam_krb5_storetmp" subj=system_u:system_r:saslauthd_t:s0 key=(null)
Comment 1 Daniel Walsh 2010-03-29 13:29:18 UTC 
Miroslav, 

add

corecmd_exec_bin(saslauthd_t)
Comment 2 Miroslav Grepl 2010-03-30 06:55:42 UTC 
Fixed in selinux-policy-3.6.32-108.fc12
Comment 3 Fedora Update System 2010-03-30 19:48:08 UTC 
selinux-policy-3.6.32-108.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-108.fc12
Comment 4 Fedora Update System 2010-04-01 01:54:04 UTC 
selinux-policy-3.6.32-108.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-108.fc12
Comment 5 Fedora Update System 2010-04-09 01:23:43 UTC 
selinux-policy-3.6.32-108.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.