Bug 1022674

Summary: avc prevents newer rpc.gssd from working
Product: Fedora
Reporter: Simo Sorce <ssorce>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 20
CC: dominick.grift, dwalsh, jlayton, lvrabec, mgrepl, rh-bugzilla, steved
Hardware: Unspecified
OS: Unspecified
Fixed In Version: selinux-policy-3.12.1-116.fc20
Doc Type: Bug Fix
Last Closed: 2014-01-16 07:09:01 UTC
Type: Bug

Description Simo Sorce 2013-10-23 18:50:33 UTC
The latest upstream rpc.gssd changes the way it operates when looking for credential caches.

It now forks and changes uid/gid to match that of the user it is acting on behalf of.

This fails to work in enforcing mode with the following initial AVC:
type=AVC msg=audit(1382553437.940:526): avc:  denied  { setgid } for  pid=3988 comm="rpc.gssd" capability=6  scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:system_r:gssd_t:s0 tclass=capability

I do not see a matching AVC for setuid(), but I suspect it would crop up as well if the code proceeded, as the code now tries setresgid() first and, if successful, does a setresuid().
For some reason I see no AVC at all when I set the mode to permissive.

I tested this on Fedora 19, where it would be nice to have selinux changes too, however afaik the nfs-utils change is expected to land only in Fedora 20 (which is why I am filing against F20) so if you want to change this only in F20 I guess that's fine.

Comment 1 Enrico Scholz 2014-01-06 23:00:01 UTC
I see this sequence after 'setenforce 0'

----
avc:  denied  { setgid } for  pid=11221 comm="rpc.gssd" capability=6  scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:system_r:gssd_t:s0 tclass=capability
avc:  denied  { read } for  pid=11221 comm="rpc.gssd" scontext=system_u:system_r:gssd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=key
avc:  denied  { write } for  pid=11221 comm="rpc.gssd" scontext=system_u:system_r:gssd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=key
avc:  denied  { setattr } for  pid=11221 comm="rpc.gssd" scontext=system_u:system_r:gssd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=key
----
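For readers working through the denials quoted above, here is an added example (not from this bug, the selinux-policy project or nfs-utils) that parses AVC lines in both the raw audit.log format from the description and the dmesg/journal format from comment 1, checks that a `capability=N` number agrees with the permission name (capability 6 is CAP_SETGID), and merges the denials into audit2allow-style allow rules keyed by source type, target type and object class. The sample lines are constructed from the ones quoted in this report; the capability table, regexes and function names are the example's own.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the AVC lines quoted in this bug report:
# the first is in raw audit.log format, the rest in the dmesg/journal format
# from comment 1.
SAMPLE_AVCS = """\
type=AVC msg=audit(1382553437.940:526): avc:  denied  { setgid } for  pid=3988 comm="rpc.gssd" capability=6  scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:system_r:gssd_t:s0 tclass=capability
avc:  denied  { read } for  pid=11221 comm="rpc.gssd" scontext=system_u:system_r:gssd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=key
avc:  denied  { write } for  pid=11221 comm="rpc.gssd" scontext=system_u:system_r:gssd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=key
avc:  denied  { setattr } for  pid=11221 comm="rpc.gssd" scontext=system_u:system_r:gssd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=key
"""

# Names of the first eight Linux capability bits as numbered in capabilities(7);
# capability=6 is CAP_SETGID. Extend the table if you need higher numbers.
CAP_NAMES = ["chown", "dac_override", "dac_read_search", "fowner",
             "fsetid", "kill", "setgid", "setuid"]

AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def type_of(context):
    """Return the type (third colon-separated field) of an SELinux security context."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else context


def parse_avc(line):
    """Parse one AVC line (audit.log or dmesg format); return None if it is not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    if not all(k in fields for k in ("scontext", "tcontext", "tclass")):
        return None
    rec = {
        "verdict": m.group("verdict"),
        "perms": set(m.group("perms").split()),
        "comm": fields.get("comm"),
        "stype": type_of(fields["scontext"]),
        "ttype": type_of(fields["tcontext"]),
        "tclass": fields["tclass"],
    }
    if rec["tclass"] == "capability" and "capability" in fields:
        # Sanity check: the numeric capability must agree with the permission name.
        num = int(fields["capability"])
        rec["cap_name"] = CAP_NAMES[num] if num < len(CAP_NAMES) else None
        rec["cap_consistent"] = rec["cap_name"] in rec["perms"]
    return rec


def allow_rules(lines):
    """Merge denials into one allow rule per (source type, target type, class)."""
    merged = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec and rec["verdict"] == "denied":
            merged[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        target = "self" if stype == ttype else ttype  # policy idiom for same-domain access
        perm_str = (next(iter(perms)) if len(perms) == 1
                    else "{ " + " ".join(sorted(perms)) + " }")
        rules.append(f"allow {stype} {target}:{tclass} {perm_str};")
    return rules


if __name__ == "__main__":
    for rec in map(parse_avc, SAMPLE_AVCS.splitlines()):
        if rec and rec.get("tclass") == "capability":
            print(f"{rec['comm']}: capability name {rec['cap_name']}, "
                  f"consistent with permission: {rec['cap_consistent']}")
    print("\n".join(allow_rules(SAMPLE_AVCS.splitlines())))
```

The merged rules are a starting point for review, not something to load blindly: as the later discussion in this bug notes, a denial against a user domain's keyring can point to a labelling problem rather than a missing rule, so check who the target type belongs to before granting.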

Comment 2 Daniel Walsh 2014-01-07 15:06:01 UTC
3c6e7b512b577a8755aa44132e501b3a62c4c5d2 adds this access to git.

Comment 3 Enrico Scholz 2014-01-10 12:18:31 UTC
I have to add other key-class related rules to make nfs work:

#============= gssd_t ==============
allow gssd_t unconfined_t:key { read write setattr };
allow gssd_t xdm_t:key { read write setattr };

#============= local_login_t ==============
allow local_login_t gssd_t:key { read write view };
allow local_login_t xdm_t:key { read write setattr };

#============= xdm_t ==============
allow xdm_t gssd_t:key { read write view };
allow sshd_t gssd_t:key read;

(I am not sure whether they are really required, but related AVCs appear when logging in through 'kdm', on the console or with 'ssh')

Comment 4 Daniel Walsh 2014-01-10 18:24:44 UTC
Miroslav I think for now in F20 we should just give everyone full access to all key rings and rely on DAC for separation, until we get a sane way to handle this.

allow domain domain:key manage_key_perms;

I have no idea why these rules above make sense.  Key rings should by default get labeled with user types, not random service types.

Comment 5 Miroslav Grepl 2014-01-13 09:00:10 UTC
Ok. Added.


#!!!! This avc is allowed in the current policy
allow gssd_t unconfined_t:key { read write setattr };

Comment 6 Miroslav Grepl 2014-01-13 09:01:34 UTC
commit 95980bb9fe3c2b945670f0b1a3163d9a07280c11
Author: Miroslav Grepl <mgrepl>
Date:   Mon Jan 13 10:01:04 2014 +0100

    Allow also setgid cap for rpc.gssd


commit 2693e85a11b1d98ef1723401038fbcfc0b05f311
Author: Miroslav Grepl <mgrepl>
Date:   Mon Jan 13 08:41:31 2014 +0100

    Add give everyone full access to all key rings

Comment 7 Fedora Update System 2014-01-13 22:54:49 UTC
selinux-policy-3.12.1-116.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-116.fc20

Comment 8 Fedora Update System 2014-01-15 05:56:30 UTC
Package selinux-policy-3.12.1-116.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-116.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-0806/selinux-policy-3.12.1-116.fc20
then log in and leave karma (feedback).

Comment 9 Fedora Update System 2014-01-16 07:09:01 UTC
selinux-policy-3.12.1-116.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.