chkconfig modifies permissions of files under /etc/xinetd.d
Issue
Per Defense Information Systems Agency (DISA) Red Hat 5 Security Technical Implementation Guide (STIG) item GEN003740, files in /etc/xinetd.d must have permission 0640 or less permissive. The installed default permission for these files is 0644.

However, with the files in /etc/xinetd.d set to the correct permissions (0640), if a service (such as tftp) is enabled or disabled (via "chkconfig tftp on" or "chkconfig tftp off"), the /etc/xinetd.d/tftp file's permissions are reset to 0644. Further, the SELinux attributes of the file are reset and don't match the rest of the files in the /etc/xinetd.d folder.

For example:
# ls -lZ /etc/xinetd.d/
...
-rw-r--r-- root root system_u:object_r:etc_t:s0 tftp
...
# chmod 0640 /etc/xinetd.d/*
# ls -lZ /etc/xinetd.d
...
-rw-r----- root root system_u:object_r:etc_t:s0 tftp
...
# chkconfig tftp off
# ls -lZ /etc/xinetd.d
...
-rw-r--r-- root root user_u:object_r:etc_t:s0 tftp
...
Note that the file "tftp" now has permissions 0644 and its SELinux attributes have been modified: the SELinux user in the context is now user_u instead of system_u.
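
The drift shown above can be detected with a small audit run after any chkconfig change. This is an added example, not Red Hat's code or the article's resolution; the function names are hypothetical, and the SELinux check assumes the five-column "ls -lZ" layout shown in the listing above.

```shell
#!/bin/sh
# Added example: audit helpers for the GEN003740 drift described above.

# Print regular files directly under $1 (default /etc/xinetd.d) whose mode
# has any bit set outside 0640. 7137 is the complement of 0640 and also
# covers setuid/setgid/sticky. Relies on GNU find's "-perm /mode"
# (true when any of the listed bits is set).
xinetd_perm_violations() {
    dir=${1:-/etc/xinetd.d}
    find "$dir" -maxdepth 1 -type f -perm /7137 | sort
}

# Read "ls -lZ" lines on stdin in the layout shown on this page
# (mode owner group context name) and print "name selinux_user" for every
# file whose SELinux user differs from $1 (default system_u).
# Lines that do not have exactly five fields (such as "...") are skipped.
selinux_user_drift() {
    expected=${1:-system_u}
    awk -v want="$expected" '
        NF == 5 && $4 ~ /:/ {
            split($4, ctx, ":")
            if (ctx[1] != want) print $5 " " ctx[1]
        }'
}

# Typical use after enabling or disabling an xinetd service:
#   xinetd_perm_violations /etc/xinetd.d
#   ls -lZ /etc/xinetd.d | selinux_user_drift system_u
```

Both functions print nothing when the directory is compliant, so non-empty output can be used to raise an alert from cron or a configuration-management run.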
Environment
- Red Hat Enterprise Linux (RHEL) 6.4