Bug 1109319

Summary: Rsyslog server using GSSAPI module still has SELinux AVCs
Product: Red Hat Enterprise Linux 6
Reporter: Jon McKenzie <jcmcken>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED INSUFFICIENT_DATA
QA Contact: Dalibor Pospíšil <dapospis>
Severity: medium
Docs Contact:
Priority: unspecified
Version: 6.5
CC: dwalsh, jcmcken, mmalik
Target Milestone: rc
Flags: jcmcken: needinfo-
Target Release: ---
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-02-25 12:40:41 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Jon McKenzie 2014-06-13 16:11:23 UTC
Description of problem:

When an rsyslog server is configured to use GSSAPI authentication, the generated ticket (/tmp/host_0 by default) has no default label. When the host is rebooted, this ticket gets relabeled to 'user_tmp_t' (from 'krb5_host_rcache_t'). The rsyslog server attempts to remove the ticket to reacquire credentials, but does not have 'unlink' privileges for that domain. Removing the '/tmp/host_0' file and restarting rsyslog resolves the issue.


Version-Release number of selected component (if applicable):

rsyslog-5.8.10-8.el6.x86_64

How reproducible:

Very

Steps to Reproduce:
1. Set up GSSAPI-authed rsyslog server and 'service rsyslog start'
2. Reboot the machine. The old KRB ticket should still be in /tmp
3. rsyslog fails to perform GSSAPI auth. In the rsyslog log, this message repeats: "GSS-API Context initialization failed"

Comment 2 Tomas Heinrich 2014-06-16 09:48:09 UTC
Moving to selinux-policy.

Comment 3 Milos Malik 2014-06-17 07:38:14 UTC
Please provide the AVCs:

# ausearch -m avc -m user_avc -m selinux_err -i -ts today
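As an added example, not part of the bug report and not rsyslog or selinux-policy code, the POSIX shell script below classifies AVC lines of the kind the ausearch command above produces, so that the denial described in the report (rsyslogd trying to unlink a replay cache that was relabelled away from krb5_host_rcache_t after the reboot) can be picked out of a noisy audit log. The three AVC lines in SAMPLE_AVCS are constructed for this example; the real AVCs were never attached to the bug. It assumes that rsyslogd runs in the syslogd_t domain (the RHEL 6 policy domain for the daemon) and that the replay cache is the default /tmp/host_0 named in the report.

```sh
#!/bin/sh
# Added example (not from the bug report, rsyslog or selinux-policy).
# Parses raw audit "type=AVC" lines and flags the signature from the report:
# rsyslogd (syslogd_t) denied unlink on its replay cache after the file lost
# the krb5_host_rcache_t label.  SAMPLE_AVCS is CONSTRUCTED test data.

# Print the value of key=value in an AVC line, quotes stripped (name="host_0" -> host_0).
avc_field() {
    printf '%s\n' "$1" | awk -v key="$2" '{
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == key) {
                v = substr($i, length(key) + 2)
                gsub(/"/, "", v)
                print v
                exit
            }
        }
    }'
}

# Print the permissions listed between "{" and "}" (e.g. "unlink" or "read write").
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{ *\([^}]*\)}.*/\1/p'
}

# SELinux type (third field) of a context such as system_u:system_r:syslogd_t:s0.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Return 0 when the line is the report's denial: comm rsyslogd, source domain
# syslogd_t, permission unlink, target named host_0 (the report's default
# /tmp/host_0, an assumption) whose label is no longer krb5_host_rcache_t.
is_rcache_unlink_denial() {
    avc=$1
    [ "$(avc_field "$avc" comm)" = "rsyslogd" ] || return 1
    [ "$(ctx_type "$(avc_field "$avc" scontext)")" = "syslogd_t" ] || return 1
    [ "$(avc_field "$avc" name)" = "host_0" ] || return 1
    case " $(avc_perms "$avc") " in
        *" unlink "*) ;;
        *) return 1 ;;
    esac
    ttype=$(ctx_type "$(avc_field "$avc" tcontext)")
    [ "$ttype" != "krb5_host_rcache_t" ] || return 1
    return 0
}

# Read AVC lines on stdin and print how many match the signature.
count_rcache_denials() {
    n=0
    while IFS= read -r l; do
        if is_rcache_unlink_denial "$l"; then n=$((n + 1)); fi
    done
    printf '%s\n' "$n"
}

# Constructed sample: the report's denial, an unrelated rsyslogd read denial,
# and an unrelated httpd unlink denial on the same file.
SAMPLE_AVCS='type=AVC msg=audit(1402676400.123:451): avc:  denied  { unlink } for  pid=1432 comm="rsyslogd" name="host_0" dev=dm-0 ino=9001 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=file
type=AVC msg=audit(1402676401.456:452): avc:  denied  { read } for  pid=1432 comm="rsyslogd" name="messages" dev=dm-0 ino=9002 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1402676402.789:453): avc:  denied  { unlink } for  pid=2200 comm="httpd" name="host_0" dev=dm-0 ino=9001 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=file'

matches=$(printf '%s\n' "$SAMPLE_AVCS" | count_rcache_denials)
echo "matching denials: $matches"   # prints 1 for the constructed sample
if [ "$matches" -gt 0 ]; then
    # Workaround from the report: drop the stale cache and let rsyslog recreate it.
    echo "stale replay cache: rm -f /tmp/host_0 && service rsyslog restart"
fi
```

On a real host the sample data is replaced by piping the ausearch command from the comment above into count_rcache_denials; the fields parsed here (comm, name, scontext, tcontext and the braced permission list) are printed the same way with or without -i. A count above zero means the denial is the one from the report rather than some other syslogd_t AVC, and the unlink denial itself is the evidence the policy maintainers asked for.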