Comment 5 for bug 228229

I disagree with Timo's assessment; the attempt to write to /etc/krb5.conf is from an access(2) check to _see_ if the file is writable. If the file _is_ writable, then the sshd server knows Kerberos is mis-configured and will _fail_. Of course, most of the time, the standard Unix DAC checks will forbid the write access, and sshd continues normally.

Perhaps abstractions/kerberosclient should be amended to have a deny rule for /etc/krb5.conf w, to silence this needless noise.

Sadly, the kernel LSM design doesn't allow LSM modules to know the difference between open("file", O_RDWR) and access('file", R_OK|W_OK); both result in the same call to an LSM module. (Which makes a certain amount of sense, but does mean polluting profiles with explicit 'deny' rules on access() checks done for safety's sake.)