Bug 506718 - saslauthd tries to write to krb5.conf (which is denied by selinux)
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: cyrus-sasl
Hardware: All
OS: Linux
Priority: low
Severity: medium
Target Milestone: rc
Assigned To: Jan F. Chadima
Keywords: SELinux
Reported: 2009-06-18 09:14 EDT by Karel Volný
Modified: 2009-09-22 08:55 EDT (History)
Doc Type: Bug Fix
Last Closed: 2009-09-22 08:55:01 EDT

Description Karel Volný 2009-06-18 09:14:22 EDT
Description of problem:
When trying to test Kerberos configuration for cyrus-imap, I have found that
saslauthd tries to open /etc/krb5.conf for writing, which is undesirable.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
Please see the bug #506717.
Actual results:
Jun 18 09:04:08 i386-5s-m1 setroubleshoot: SELinux is preventing saslauthd (saslauthd_t) "write" to ./krb5.conf (etc_t). For complete SELinux messages. run sealert -l 7ab49091-add8-438c-bd2f-d8d54bdc7f56

Expected results:
(no errors)

Additional info:
Comment 1 Daniel Walsh 2009-09-22 08:55:01 EDT
The problem is your krb5.conf file is mislabeled. restorecon /etc/krb5.conf will fix it.

The kerberos libraries run access checks on all of their config files which causes this bogus access.  So in policy we dontaudit all attempts to write to /etc/krb5.conf, although we expect it to be labeled krb5_conf_t.
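
An added example, not part of the bug thread: a small shell triage helper that takes a setroubleshoot line like the one in the report, extracts the target file and its current type, and compares that type with the one policy expects, so a mislabeled file can be told apart from a denial that needs a policy change. The function names are hypothetical, the sample line is abridged from the report, and the expected context is constructed from the krb5_conf_t type named in comment 1.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from cyrus-sasl or the policy.

# Sample line abridged from the report above.
SAMPLE='setroubleshoot: SELinux is preventing saslauthd (saslauthd_t) "write" to ./krb5.conf (etc_t).'

# Print "<target path> <target type>" from a setroubleshoot summary line.
denial_target() {
    printf '%s\n' "$1" | sed -n 's/.* to \([^ ]*\) (\([^)]*\)).*/\1 \2/p'
}

# Type is the third colon-separated field of a context, with or without
# a trailing MLS level (system_u:object_r:etc_t or system_u:object_r:etc_t:s0).
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Compare a current context with the policy default for the same path.
label_status() {
    cur=$(selinux_type "$1")
    exp=$(selinux_type "$2")
    if [ "$cur" = "$exp" ]; then
        echo "ok $cur"
    else
        echo "mislabeled $cur -> $exp"
    fi
}

# On an SELinux host: stat gives the file's current context, matchpathcon
# the context the loaded policy assigns to that path.
check_path() {
    command -v matchpathcon >/dev/null 2>&1 || { echo "skipped: no matchpathcon"; return 2; }
    cur=$(stat -c %C "$1") || return 2
    exp=$(matchpathcon -n "$1") || return 2
    label_status "$cur" "$exp"
}

denial_target "$SAMPLE"
# Constructed contexts: etc_t as logged, krb5_conf_t as comment 1 expects.
label_status "system_u:object_r:etc_t" "system_u:object_r:krb5_conf_t:s0"

# On the affected machine:
#   check_path /etc/krb5.conf
#   restorecon -v /etc/krb5.conf    # relabel when reported mislabeled
```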
