Bug 158147 - httpd attempts to write to /etc/krb5.conf
Summary: httpd attempts to write to /etc/krb5.conf
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: httpd
Version: 4.0
Hardware: i386
OS: Linux
Target Milestone: ---
Assignee: Joe Orton
QA Contact:
Depends On:
Reported: 2005-05-19 03:10 UTC by Aleksandar Milivojevic
Modified: 2007-11-30 22:07 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2005-05-19 09:31:48 UTC
Target Upstream Version:


Description Aleksandar Milivojevic 2005-05-19 03:10:16 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.7) Gecko/20050421 Red Hat/1.0.3-1.4.1.centos4 Firefox/1.0.3

Description of problem:
I've noticed on some of my RHEL4 clones that httpd attempts to write to the /etc/krb5.conf file on startup, but is prevented from doing so by SELinux (good thing I have SELinux enabled on those boxes):

May 18 21:09:13 zatocnica kernel: audit(1116468553.539:0): avc:  denied  { write } for  pid=31308 exe=/usr/sbin/httpd name=krb5.conf dev=dm-0 ino=115476 scontext=root:system_r:httpd_t tcontext=system_u:object_r:etc_t tclass=file

Question.  Why on earth does the web server need write access to one of the critical Kerberos configuration files?  Not to mention that I don't use Kerberos at all.  I can kind of see it needing read access provided it wants to authenticate a Kerberos user, but write!?

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Start httpd with SELinux set to enforcing, watch 4 violations logged to /var/log/messages

Additional info:
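
An added example, not part of the original report and not Red Hat tooling: a small Python parser for the syslog-style AVC record quoted in the description, grouping denials by executable, source type, permission and target so the startup denials can be triaged at a glance. The second sample line is constructed, and the function names are this example's own.

```python
import re
from collections import Counter

# First line is the denial quoted in this report; the second is constructed
# (not an AVC record) to show that unrelated syslog lines are skipped.
SAMPLE_LOG = """\
May 18 21:09:13 zatocnica kernel: audit(1116468553.539:0): avc:  denied  { write } for  pid=31308 exe=/usr/sbin/httpd name=krb5.conf dev=dm-0 ino=115476 scontext=root:system_r:httpd_t tcontext=system_u:object_r:etc_t tclass=file
May 18 21:09:14 zatocnica httpd: constructed non-AVC line
"""

AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)$")


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not one."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {"result": m.group(1), "perms": m.group(2).split()}
    # The remainder is space-separated key=value pairs (no quoting handled).
    for token in m.group(3).split():
        key, sep, value = token.partition("=")
        if sep:
            rec[key] = value
    # Contexts are user:role:type[:level]; keep the type field for triage.
    for ctx in ("scontext", "tcontext"):
        parts = rec.get(ctx, "").split(":")
        if len(parts) >= 3:
            rec[ctx + "_type"] = parts[2]
    return rec


def summarize_denials(text):
    """Count denials per (exe, source type, perm, target type, class, name)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        for perm in rec["perms"]:
            counts[(rec.get("exe"), rec.get("scontext_type"), perm,
                    rec.get("tcontext_type"), rec.get("tclass"),
                    rec.get("name"))] += 1
    return counts

if __name__ == "__main__":
    for key, n in summarize_denials(SAMPLE_LOG).items():
        print(n, *key)
```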

Comment 1 Joe Orton 2005-05-19 09:31:48 UTC
If you're using a clone distribution, please report bugs in the first place to
the clone vendor.  If you have support questions and a current support contract,
please contact Red Hat support for further help.   If you need a support
contract, please contact Red Hat sales.

Comment 2 Aleksandar Milivojevic 2005-05-19 13:33:59 UTC
First of all, I am not looking for support.  I reported this as a pure courtesy
to you, since you are the original preparer of SRPM.  What you are going to do
with it, is your choice.  You can do something about it and be proactive, or you
can be passive and wait until paying customer(s) get bitten by it.  Your choice.
I couldn't care less.  I can perfectly live with 4 lines in log files that are
generated on httpd startup.

Furthermore, you are the upstream vendor in the same way Apache Project is
upstream vendor for you.  Sure, I can go one step up and report the bug to your
vendor (directly to Apache Project).  Then they'll probably tell me to report
the bug to whoever prepared the SRPM package.  Which is you.  Playing ping-pong can
be a fun pastime, but it doesn't solve the original problem.

Comment 3 Aleksandar Milivojevic 2005-05-19 13:53:11 UTC
BTW, reading back what I just wrote in my comment #2 looks kinda flamy...
Anyhow, no hard feelings intended.  Red Hat is a good company with good
products, and at the place I work at we've been using it for a very long time
(the original, not clones).  Actually, RHEL4 is on our shopping list, and
relatively soon there will be RHEL4 machines (with paid support) running around
here.  (It was just that the couple of servers we installed lately are not of the
type for which we would need/want external support.)
