Bug 165226 - SELinux blocks gserver mode of cvs
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 4
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2005-08-05 16:43 UTC by Danny Padwa
Modified: 2007-11-30 22:11 UTC

Fixed In Version: 1.25.3.12
Clone Of:
Environment:
Last Closed: 2005-08-26 06:34:57 UTC
Type: ---
Embargoed:



Description Danny Padwa 2005-08-05 16:43:45 UTC
Description of problem:
cvs running in gserver mode needs to be able to read its credentials out 
of /etc/krb5.conf.   It can't.

Version-Release number of selected component (if applicable):
1.25.3-9

How reproducible:
Very

Steps to Reproduce:
1. Set up cvs gserver (or any other process that will run as 
system_u:system_r:cvs_t)
2. Try to connect to it.  This causes it to try to read /etc/krb5.keytab 
(system_u:object_r:krb5_keytab_t)
3. Watch it fail
  
Actual results:
Failure with an audit message

Expected results:
Success

Additional info:
Probably needs access to other kerberos-y things (like ability to make a 
network connection to the kdc) as well

Comment 1 Danny Padwa 2005-08-05 17:13:39 UTC
Winds up needing { read lock } to krb5_keytab_t:file, but then still doesn't 
work.

Failing when it tries to find .k5login file in the home directory (probably 
some generic kerberos server thing needed)

Failing when trying to do anything interesting in the CVS root - is there a 
special context set that should be applied to the CVSROOT and/or ,v files?

Comment 2 Daniel Walsh 2005-08-05 18:10:54 UTC
cvs_data_t


Comment 3 Daniel Walsh 2005-08-25 16:57:22 UTC
selinux-policy-targeted-1.25.3.12 fixed problem

Comment 4 Walter Justen 2005-08-26 06:34:57 UTC
Thanks for the bug report. This particular bug was fixed and an update package
was published for download. Please feel free to report any further bugs you find.
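
Added example, not part of the original bug report or of the selinux-policy-targeted package: a small Python script that collapses AVC denial records for one source domain into the permission set it was refused, which is how a finding like Comment 1's `{ read lock }` on `krb5_keytab_t:file` is derived from the audit log. The audit lines, pids and inode numbers are constructed, and `selinux_type` and `denied_rules` are hypothetical helper names.

```python
import re
from collections import defaultdict

# Constructed sample audit records (not taken from the bug report). The
# contexts are the ones the reporter names; pids, devices and inodes are made up.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1123260225.101:41): avc:  denied  { read } for  pid=2301 comm="cvs" name="krb5.keytab" dev=hda2 ino=1001 scontext=system_u:system_r:cvs_t tcontext=system_u:object_r:krb5_keytab_t tclass=file
type=AVC msg=audit(1123260301.332:47): avc:  denied  { lock } for  pid=2317 comm="cvs" name="krb5.keytab" dev=hda2 ino=1001 scontext=system_u:system_r:cvs_t tcontext=system_u:object_r:krb5_keytab_t tclass=file
type=AVC msg=audit(1123260410.007:52): avc:  denied  { read } for  pid=2400 comm="httpd" name="krb5.keytab" dev=hda2 ino=1001 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:krb5_keytab_t tclass=file
type=SYSCALL msg=audit(1123260410.007:52): arch=40000003 syscall=5 success=no exit=-13 comm="httpd"
"""

# Matches the denial itself plus the source context, target context and class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)


def selinux_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]


def denied_rules(log_text, source_type):
    """Collapse AVC denials for one source domain into allow-rule strings."""
    needed = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        # Skip non-AVC records and denials that belong to other domains.
        if not m or selinux_type(m["scon"]) != source_type:
            continue
        key = (selinux_type(m["tcon"]), m["tclass"])
        needed[key].update(m["perms"].split())
    return [
        f"allow {source_type} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};"
        for (ttype, tclass), perms in sorted(needed.items())
    ]


if __name__ == "__main__":
    for rule in denied_rules(SAMPLE_AUDIT_LOG, "cvs_t"):
        print(rule)
```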

