Bug 232372 - cyrus-imapd needs access to krb5_conf_t for GSSAPI auth to work
Status: CLOSED NEXTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 6
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
Reported: 2007-03-15 01:18 UTC by Kostas Georgiou
Modified: 2007-11-30 22:11 UTC (History)
Doc Type: Bug Fix
Last Closed: 2007-03-16 12:47:48 UTC

Description Kostas Georgiou 2007-03-15 01:18:06 UTC
cyrus-imapd fails when SELinux is in enforcing mode because it fails to read
/etc/krb5.conf

type=AVC msg=audit(1173921130.084:9582): avc:  denied  { getattr } for 
pid=12595 comm="imapd" name="krb5.conf" dev=dm-0 ino=101248
scontext=root:system_r:cyrus_t:s0 tcontext=system_u:object_r:krb5_conf_t:s0
tclass=file
type=SYSCALL msg=audit(1173921130.084:9582): arch=c000003e syscall=4 success=no
exit=-13 a0=5555559db7b0 a1=7fff301a2630 a2=7fff301a2630 a3=555555907a80 items=0
ppid=12534 pid=12595 auid=0 uid=76 gid=12 euid=76 suid=76 fsuid=76 egid=12
sgid=12 fsgid=12 tty=(none) comm="imapd" exe="/usr/lib/cyrus-imapd/imapd"
subj=root:system_r:cyrus_t:s0 key=(null)
type=AVC_PATH msg=audit(1173921130.084:9582):  path="/etc/krb5.conf"

A module like the following fixes the problem.

module mycyrusimapd 1.0.0;
require {
        class dir search;
        class file { read getattr };
        type cyrus_t;
        type krb5_conf_t;
        role system_r;
};

allow cyrus_t krb5_conf_t:file read;
allow cyrus_t krb5_conf_t:file getattr;
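
How the denial quoted in the report maps onto an allow rule, as an added example that is not part of the original report and is not audit2allow's own code. It is a minimal Python parser with hypothetical names (denials_to_rules, type_of), run over the AVC record from the report re-joined onto one line, and it also merges several denials for the same source type, target type and class.

```python
import re
from collections import defaultdict

# AVC record from the report above, re-joined onto one line per record.
SAMPLE_AUDIT = (
    'type=AVC msg=audit(1173921130.084:9582): avc:  denied  { getattr } for '
    'pid=12595 comm="imapd" name="krb5.conf" dev=dm-0 ino=101248 '
    'scontext=root:system_r:cyrus_t:s0 tcontext=system_u:object_r:krb5_conf_t:s0 '
    'tclass=file\n'
    'type=AVC_PATH msg=audit(1173921130.084:9582):  path="/etc/krb5.conf"\n'
)

# Only "type=AVC " records with a denied decision; AVC_PATH and SYSCALL are skipped.
AVC_RE = re.compile(
    r'^type=AVC\s.*?avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
)

def type_of(context):
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(':')
    if len(parts) < 3:
        raise ValueError('not a security context: %r' % context)
    return parts[2]

def denials_to_rules(audit_text):
    """Collapse denied AVC records into one allow rule per (source, target, class)."""
    needed = defaultdict(set)
    for line in audit_text.splitlines():
        m = AVC_RE.match(line)
        if not m:
            continue
        key = (type_of(m['scon']), type_of(m['tcon']), m['tclass'])
        needed[key].update(m['perms'].split())
    rules = []
    for (src, tgt, cls), perms in sorted(needed.items()):
        plist = sorted(perms)
        body = plist[0] if len(plist) == 1 else '{ ' + ' '.join(plist) + ' }'
        rules.append('allow %s %s:%s %s;' % (src, tgt, cls, body))
    return rules

if __name__ == '__main__':
    for rule in denials_to_rules(SAMPLE_AUDIT):
        print(rule)
```

The record quoted in the report yields only the getattr rule; the read permission in the reporter's module does not appear in the quoted log.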

Comment 1 Daniel Walsh 2007-03-16 03:57:14 UTC
Fixed in selinux-policy-2.4.6-46

Comment 2 Kostas Georgiou 2007-03-16 12:47:48 UTC
Thanks.

