Bug 506718 - saslauthd tries to write to krb5.conf (which is denied by selinux)
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: cyrus-sasl
Version: 5.3
Hardware: All
OS: Linux
low
medium
Target Milestone: rc
Assignee: Jan F. Chadima
QA Contact: BaseOS QE
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2009-06-18 13:14 UTC by Karel Volný
Modified: 2009-09-22 12:55 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-09-22 12:55:01 UTC
Target Upstream Version:
Embargoed:



Description Karel Volný 2009-06-18 13:14:22 UTC
Description of problem:
When trying to test kerberos configuration for cyrus-imap, I have found that
saslauthd tries to open /etc/krb5.conf for writing, which is undesirable.

Version-Release number of selected component (if applicable):
cyrus-sasl-2.1.22-4

How reproducible:
always

Steps to Reproduce:
Please see the bug #506717.
  
Actual results:
Jun 18 09:04:08 i386-5s-m1 setroubleshoot: SELinux is preventing saslauthd (saslauthd_t) "write" to ./krb5.conf (etc_t). For complete SELinux messages. run sealert -l 7ab49091-add8-438c-bd2f-d8d54bdc7f56

Expected results:
(no errors)

Additional info:

Comment 1 Daniel Walsh 2009-09-22 12:55:01 UTC
The problem is your krb5.conf file is mislabeled. restorecon /etc/krb5.conf will fix it.

The kerberos libraries run access checks on all of their config files which causes this bogus access.  So in policy we dontaudit all attempts to write to /etc/krb5.conf, although we expect it to be labeled krb5_conf_t.
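
One way to triage log lines like the one in the description, as an added example that is not part of the bug report: it parses the setroubleshoot summary line and flags a krb5.conf target whose type is not krb5_conf_t, the label comment 1 expects. The function names and the second sample line are constructed; check_label assumes GNU stat with SELinux support and matchpathcon are installed.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of any package.
EXPECTED_TYPE=krb5_conf_t   # type comment 1 says krb5.conf should carry

# Print "domain perm path type" for a setroubleshoot summary line,
# or return non-zero if the line is not one.
parse_denial() {
    printf '%s\n' "$1" | sed -n \
        's/.*SELinux is preventing [^ ]* (\([^)]*\)) "\([^"]*\)" to \([^ ]*\) (\([^)]*\)).*/\1 \2 \3 \4/p' |
        grep .
}

# Classify one syslog line: a denial on krb5.conf whose target type is not
# the expected one points at a labeling problem, not at a missing policy rule.
triage_line() {
    fields=$(parse_denial "$1") || { echo "skip"; return 0; }
    set -- $fields                       # $1=domain $2=perm $3=path $4=type
    case ${3##*/} in
        krb5.conf)
            if [ "$4" = "$EXPECTED_TYPE" ]; then
                echo "label-ok $1 $2"
            else
                echo "mislabeled $4 want=$EXPECTED_TYPE fix=restorecon"
            fi ;;
        *)  echo "other $3 $4" ;;
    esac
}

# On a live host, compare the on-disk type with the policy default before
# relabeling. Assumes GNU stat with SELinux support and matchpathcon.
check_label() {
    have=$(stat -c %C "$1" | cut -d: -f3)
    want=$(matchpathcon -n "$1" | cut -d: -f3)
    if [ "$have" = "$want" ]; then echo "ok $have"; else echo "mismatch $have $want"; fi
}

# First line is from the report's "Actual results"; the second is constructed.
triage_line 'Jun 18 09:04:08 i386-5s-m1 setroubleshoot: SELinux is preventing saslauthd (saslauthd_t) "write" to ./krb5.conf (etc_t). For complete SELinux messages. run sealert -l 7ab49091-add8-438c-bd2f-d8d54bdc7f56'
triage_line 'Jun 18 09:05:00 host1 setroubleshoot: SELinux is preventing httpd (httpd_t) "read" to ./index.html (user_home_t).'
```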

