Bug 232372 - cyrus-imapd needs access to krb5_conf_t for GSSAPI auth to work
cyrus-imapd needs access to krb5_conf_t for GSSAPI auth to work
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
All Linux
medium Severity medium
: ---
: ---
Assigned To: Daniel Walsh
Ben Levenson
Depends On:
  Show dependency treegraph
Reported: 2007-03-14 21:18 EDT by Kostas Georgiou
Modified: 2007-11-30 17:11 EST (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2007-03-16 08:47:48 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Kostas Georgiou 2007-03-14 21:18:06 EDT
cyrus-imapd fails when selinux is in enforcing mode because it fails to read

type=AVC msg=audit(1173921130.084:9582): avc:  denied  { getattr } for 
pid=12595 comm="imapd" name="krb5.conf" dev=dm-0 ino=101248
scontext=root:system_r:cyrus_t:s0 tcontext=system_u:object_r:krb5_conf_t:s0
type=SYSCALL msg=audit(1173921130.084:9582): arch=c000003e syscall=4 success=no
exit=-13 a0=5555559db7b0 a1=7fff301a2630 a2=7fff301a2630 a3=555555907a80 items=0
ppid=12534 pid=12595 auid=0 uid=76 gid=12 euid=76 suid=76 fsuid=76 egid=12
sgid=12 fsgid=12 tty=(none) comm="imapd" exe="/usr/lib/cyrus-imapd/imapd"
subj=root:system_r:cyrus_t:s0 key=(null)
type=AVC_PATH msg=audit(1173921130.084:9582):  path="/etc/krb5.conf"

A module like the following fixes the problem.

module mycyrusimapd 1.0.0;
require {
        class dir search;
        class file { read getattr };
        type cyrus_t;
        type krb5_conf_t;
        role system_r;

allow cyrus_t krb5_conf_t:file read;
allow cyrus_t krb5_conf_t:file getattr;
Comment 1 Daniel Walsh 2007-03-15 23:57:14 EDT
Fixed in selinux-policy-2.4.6-46
Comment 2 Kostas Georgiou 2007-03-16 08:47:48 EDT

Note You need to log in before you can comment on or make changes to this bug.