This service will be undergoing maintenance at 00:00 UTC, 2016-08-01. It is expected to last about 1 hours
Bug 629221 - selinux prevents samba write to keytab
selinux prevents samba write to keytab
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy (Show other bugs)
5.5
All Linux
low Severity medium
: rc
: ---
Assigned To: Daniel Walsh
BaseOS QE Security Team
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2010-09-01 06:53 EDT by Karel Volný
Modified: 2010-09-01 09:28 EDT (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-09-01 09:28:17 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Karel Volný 2010-09-01 06:53:20 EDT
Description of problem:
the 'net' command needs to write to /etc/krb5.keytab which is denied by selinux

Version-Release number of selected component (if applicable):
samba-common-3.0.33-3.28.el5
selinux-policy-2.4.6-279.el5

How reproducible:
always

Steps to Reproduce:
1. create some samba setup
2. rm /etc/krb5.keytab
3. net ads keytab add ...
  
Actual results:
host=ibm-js12-vios-01-lp3.rhts.eng.bos.redhat.com type=AVC msg=audit(1283337714.448:75): avc:  denied  { write } for  pid=24398 comm="net" name="etc" dev=dm-0 ino=1835009 scontext=root:system_r:samba_net_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir

host=ibm-js12-vios-01-lp3.rhts.eng.bos.redhat.com type=SYSCALL msg=audit(1283337714.448:75): arch=80000015 syscall=5 success=no exit=-13 a0=8463390 a1=c2 a2=180 a3=1b6 items=0 ppid=23873 pid=24398 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=3 comm="net" exe="/usr/bin/net" subj=root:system_r:samba_net_t:s0-s0:c0.c1023 key=(null)


Expected results:
no selinux errors

Additional info:
Comment 1 Daniel Walsh 2010-09-01 09:28:17 EDT
restorecon /etc/krb5.keytab

Which will put the correct label on the file.

Then SELinux will dontaudit the access since it does not need it.

Note You need to log in before you can comment on or make changes to this bug.