Bug 1127721

Summary: AVC denial in rpc.gssd
Product: Red Hat Enterprise Linux 5
Component: selinux-policy
Version: 5.11
Hardware: x86_64
OS: Linux
Status: CLOSED WONTFIX
Severity: unspecified
Priority: unspecified
Target Milestone: rc
Reporter: Xiyang Dong <xdong>
Assignee: Miroslav Grepl <mgrepl>
QA Contact: BaseOS QE Security Team <qe-baseos-security>
CC: dpal, dwalsh, jhrozek, ksiddiqu, mmalik, xdong
Type: Bug
Doc Type: Bug Fix
Last Closed: 2017-04-18 21:54:33 UTC

Description Xiyang Dong 2014-08-07 12:09:35 UTC
Description of problem:
AVC denial in rpc.gssd 

Version-Release number of selected component (if applicable):
this happens in rhel7.0 but not in rhel6.6
selinux-policy-2.4.6-350.el5
sssd-1.5.1-71.el5
nfs-utils-1.0.9-71.el5

How reproducible:
Always

Steps to Reproduce:
test case I ran:

    rlPhaseStartTest "ipa-client-cert-client-008:ipa client NFS4 Kerberized mount"
        rlRun "kinitAs $ADMINID $ADMINPW" 0 "Kinit as admin user"
        client_version=`cat /etc/redhat-release |cut -d " " -f7`
        #If IPA Client is in pre-rhel6,then add allow_weak_crypto = true to all servers/clients,then restart sssd service
        if [ $(echo $client_version|grep "5\.[0-15]"|wc -l) -gt 0 ] || [ $(echo $client_version|grep "6\.[0-15]"|wc -l) -gt 0 ];then
            rlRun "sed -i 's/\[libdefaults\]/[libdefaults]\n allow_weak_crypto = true/' /etc/krb5.conf" 0 "add allow_weak_crypto = true to /etc/krb5.conf"
            rlRun "service sssd restart" 0 "restart sssd status"
        fi
        #If IPA Client is pre-rhel7, download IPA Client NFS service keytab
        if [ $(echo $client_version|grep "5\.[0-15]"|wc -l) -gt 0 ] || [ $(echo $client_version|grep "6\.[0-15]"|wc -l) -gt 0 ];then
            rlRun "ipa-getkeytab -k /etc/krb5.keytab -s $MASTER -p nfs/$CLIENT" 0 "download IPA client NFS service keytab"
        fi
        rlRun "echo 'SECURE_NFS=\"yes\"' >> /etc/sysconfig/nfs" 0 "configure NFS service to use kerberos server as authentication server"
        rlRun "service rpcgssd restart;service rpcidmapd restart" 0 "restart NFS client services"
        #If IPA Client is pre-rhel7,restart portmap, if IPA client is rhel7 or later, restart rpcbind
        if [ $(echo $client_version|grep "5\.[0-15]"|wc -l) -gt 0 ] || [ $(echo $client_version|grep "6\.[0-15]"|wc -l) -gt 0 ];then
            rlRun "service portmap restart" 0 "restart portmap"
        else
            rlRun "service rpcbind restart" 0 "restart rpcbind"
        fi
        rlRun "mkdir /nfsdir" 0 "create mount point dir"
        rlRun "mount -o sec=krb5p -t nfs4 $MASTER:/export /nfsdir" 0 "mount export dir"
        rlRun "mount -s|grep nfsdir" 0 "verify that export dir is mounted on client successfully"
        kdestroy
    rlPhaseEnd


Actual results:

Info: Searching AVC errors produced since 1407357255 (Wed Aug  6 16:34:15 2014)
Searching logs...
Running '/usr/bin/env LC_ALL=en_US.UTF-8 /sbin/ausearch -m AVC -m USER_AVC -m SELINUX_ERR -ts 08/06/2014 16:34:15 < /dev/null >/mnt/testarea/tmp.rhts-db-submit-result.8ClEsa 2>&1'
----
time->Wed Aug  6 16:35:06 2014
type=SYSCALL msg=audit(1407357306.502:51): arch=c000003e syscall=21 success=no exit=-13 a0=3ae3250 a1=2 a2=2abb78635ba0 a3=0 items=0 ppid=20584 pid=20585 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sssd_be" exe="/usr/libexec/sssd/sssd_be" subj=root:system_r:sssd_t:s0 key=(null)
type=AVC msg=audit(1407357306.502:51): avc:  denied  { write } for  pid=20585 comm="sssd_be" name="krb5.conf" dev=dm-0 ino=2950802 scontext=root:system_r:sssd_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file
----
time->Wed Aug  6 16:35:07 2014
type=SYSCALL msg=audit(1407357307.704:52): arch=c000003e syscall=21 success=no exit=-13 a0=2adb38cdd630 a1=2 a2=d a3=0 items=0 ppid=20718 pid=20719 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc.gssd" exe="/usr/sbin/rpc.gssd" subj=root:system_r:gssd_t:s0 key=(null)
type=AVC msg=audit(1407357307.704:52): avc:  denied  { write } for  pid=20719 comm="rpc.gssd" name="krb5.conf" dev=dm-0 ino=2950802 scontext=root:system_r:gssd_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file
----
time->Wed Aug  6 16:35:08 2014
type=SYSCALL msg=audit(1407357308.762:53): arch=c000003e syscall=21 success=no exit=-13 a0=2adb38ce2350 a1=2 a2=2adb1ae6dba0 a3=65726373662f7274 items=0 ppid=1 pid=20719 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc.gssd" exe="/usr/sbin/rpc.gssd" subj=root:system_r:gssd_t:s0 key=(null)
type=AVC msg=audit(1407357308.762:53): avc:  denied  { write } for  pid=20719 comm="rpc.gssd" name="krb5.conf" dev=dm-0 ino=2950802 scontext=root:system_r:gssd_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file
----
time->Wed Aug  6 16:35:08 2014
type=SYSCALL msg=audit(1407357308.763:54): arch=c000003e syscall=21 success=no exit=-13 a0=2adb38ce2350 a1=2 a2=2adb1ae6dba0 a3=65726373662f7274 items=0 ppid=1 pid=20719 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc.gssd" exe="/usr/sbin/rpc.gssd" subj=root:system_r:gssd_t:s0 key=(null)
type=AVC msg=audit(1407357308.763:54): avc:  denied  { write } for  pid=20719 comm="rpc.gssd" name="krb5.conf" dev=dm-0 ino=2950802 scontext=root:system_r:gssd_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file
----
time->Wed Aug  6 16:35:08 2014
type=SYSCALL msg=audit(1407357308.764:55): arch=c000003e syscall=21 success=no exit=-13 a0=2adb38ce2350 a1=2 a2=2adb1ae6dba0 a3=65726373662f7274 items=0 ppid=1 pid=20719 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc.gssd" exe="/usr/sbin/rpc.gssd" subj=root:system_r:gssd_t:s0 key=(null)
type=AVC msg=audit(1407357308.764:55): avc:  denied  { write } for  pid=20719 comm="rpc.gssd" name="krb5.conf" dev=dm-0 ino=2950802 scontext=root:system_r:gssd_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file
----
time->Wed Aug  6 16:35:08 2014
type=SYSCALL msg=audit(1407357308.765:56): arch=c000003e syscall=21 success=no exit=-13 a0=2adb38ce0e80 a1=2 a2=2adb1ae6dba0 a3=65726373662f7274 items=0 ppid=1 pid=20719 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc.gssd" exe="/usr/sbin/rpc.gssd" subj=root:system_r:gssd_t:s0 key=(null)
type=AVC msg=audit(1407357308.765:56): avc:  denied  { write } for  pid=20719 comm="rpc.gssd" name="krb5.conf" dev=dm-0 ino=2950802 scontext=root:system_r:gssd_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file
----
time->Wed Aug  6 16:35:08 2014
type=SYSCALL msg=audit(1407357308.765:57): arch=c000003e syscall=21 success=no exit=-13 a0=2adb38ce4100 a1=2 a2=2adb1ae6dba0 a3=65726373662f7274 items=0 ppid=1 pid=20719 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc.gssd" exe="/usr/sbin/rpc.gssd" subj=root:system_r:gssd_t:s0 key=(null)
type=AVC msg=audit(1407357308.765:57): avc:  denied  { write } for  pid=20719 comm="rpc.gssd" name="krb5.conf" dev=dm-0 ino=2950802 scontext=root:system_r:gssd_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file
----
time->Wed Aug  6 16:35:08 2014
type=SYSCALL msg=audit(1407357308.766:58): arch=c000003e syscall=21 success=no exit=-13 a0=2adb38ce4140 a1=2 a2=2adb1ae6dba0 a3=65726373662f7274 items=0 ppid=1 pid=20719 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc.gssd" exe="/usr/sbin/rpc.gssd" subj=root:system_r:gssd_t:s0 key=(null)
type=AVC msg=audit(1407357308.766:58): avc:  denied  { write } for  pid=20719 comm="rpc.gssd" name="krb5.conf" dev=dm-0 ino=2950802 scontext=root:system_r:gssd_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file
----
time->Wed Aug  6 16:35:08 2014
type=SYSCALL msg=audit(1407357308.766:59): arch=c000003e syscall=21 success=no exit=-13 a0=2adb38ce44c0 a1=2 a2=2adb1ae6dba0 a3=65726373662f7274 items=0 ppid=1 pid=20719 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc.gssd" exe="/usr/sbin/rpc.gssd" subj=root:system_r:gssd_t:s0 key=(null)
type=AVC msg=audit(1407357308.766:59): avc:  denied  { write } for  pid=20719 comm="rpc.gssd" name="krb5.conf" dev=dm-0 ino=2950802 scontext=root:system_r:gssd_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file
----
time->Wed Aug  6 16:35:08 2014
type=SYSCALL msg=audit(1407357308.766:60): arch=c000003e syscall=21 success=no exit=-13 a0=2adb38ce44c0 a1=2 a2=2adb1ae6dba0 a3=65726373662f7274 items=0 ppid=1 pid=20719 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc.gssd" exe="/usr/sbin/rpc.gssd" subj=root:system_r:gssd_t:s0 key=(null)
type=AVC msg=audit(1407357308.766:60): avc:  denied  { write } for  pid=20719 comm="rpc.gssd" name="krb5.conf" dev=dm-0 ino=2950802 scontext=root:system_r:gssd_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file
----
time->Wed Aug  6 16:35:08 2014
type=SYSCALL msg=audit(1407357308.767:61): arch=c000003e syscall=21 success=no exit=-13 a0=2adb38ce44c0 a1=2 a2=2adb1ae6dba0 a3=65726373662f7274 items=0 ppid=1 pid=20719 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc.gssd" exe="/usr/sbin/rpc.gssd" subj=root:system_r:gssd_t:s0 key=(null)
type=AVC msg=audit(1407357308.767:61): avc:  denied  { write } for  pid=20719 comm="rpc.gssd" name="krb5.conf" dev=dm-0 ino=2950802 scontext=root:system_r:gssd_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file
----
time->Wed Aug  6 16:35:08 2014
type=SYSCALL msg=audit(1407357308.767:62): arch=c000003e syscall=21 success=no exit=-13 a0=2adb38ce0ef0 a1=2 a2=2adb1ae6dba0 a3=65726373662f7274 items=0 ppid=1 pid=20719 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc.gssd" exe="/usr/sbin/rpc.gssd" subj=root:system_r:gssd_t:s0 key=(null)
type=AVC msg=audit(1407357308.767:62): avc:  denied  { write } for  pid=20719 comm="rpc.gssd" name="krb5.conf" dev=dm-0 ino=2950802 scontext=root:system_r:gssd_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file
----
time->Wed Aug  6 16:35:08 2014
type=SYSCALL msg=audit(1407357308.774:63): arch=c000003e syscall=21 success=no exit=-13 a0=2adb38ce0ef0 a1=2 a2=2adb1ae6dba0 a3=65726373662f7274 items=0 ppid=1 pid=20719 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc.gssd" exe="/usr/sbin/rpc.gssd" subj=root:system_r:gssd_t:s0 key=(null)
type=AVC msg=audit(1407357308.774:63): avc:  denied  { write } for  pid=20719 comm="rpc.gssd" name="krb5.conf" dev=dm-0 ino=2950802 scontext=root:system_r:gssd_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file
----
time->Wed Aug  6 16:35:08 2014
type=SYSCALL msg=audit(1407357308.775:64): arch=c000003e syscall=21 success=no exit=-13 a0=2adb38ce0ef0 a1=2 a2=2adb1ae6dba0 a3=65726373662f7274 items=0 ppid=1 pid=20719 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc.gssd" exe="/usr/sbin/rpc.gssd" subj=root:system_r:gssd_t:s0 key=(null)
type=AVC msg=audit(1407357308.775:64): avc:  denied  { write } for  pid=20719 comm="rpc.gssd" name="krb5.conf" dev=dm-0 ino=2950802 scontext=root:system_r:gssd_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file
Fail: AVC messages found.
Checking for errors...
Using stronger AVC checks.
	Define empty RHTS_OPTION_STRONGER_AVC parameter if this causes any problems.
Running 'cat /mnt/testarea/tmp.rhts-db-submit-result.8ClEsa | /sbin/ausearch -m AVC -m SELINUX_ERR'
Fail: AVC messages found.
Running 'cat %s | /sbin/ausearch -m USER_AVC >/mnt/testarea/tmp.rhts-db-submit-result.DanBxG 2>&1'
Info: No AVC messages found.
/bin/grep 'avc: ' /mnt/testarea/dmesg.log | /bin/grep --invert-match TESTOUT.log
No AVC messages found in dmesg
Running '/usr/sbin/sestatus'
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 21
Policy from config file:        targeted
Running 'rpm -q selinux-policy || true'
selinux-policy-2.4.6-350.el5


Expected results:
no AVC denial showing up

Additional info:
[root@dell-pesc1425-01 ~]# cat /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 EXAMPLE.COM = {
  kdc = kerberos.example.com:88
  admin_server = kerberos.example.com:749
  default_domain = example.com
 }

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }
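The ausearch output above repeats the same two denials many times. As an added example (not part of this report or of the RHEL tooling), the script below parses type=AVC records, collapses them by process, source type, target type, class, permission and file name, and flags targets that carry a catch-all label such as etc_t, which is the mislabeling case this report turned out to be. The three sample records are copied from the report; the set of "generic" types is my own triage heuristic, not something taken from the policy.

```python
import re
from collections import Counter

# Three AVC records copied from the ausearch output in this report
# (the rpc.gssd record repeats there; two copies are enough to show grouping).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1407357306.502:51): avc:  denied  { write } for  pid=20585 comm="sssd_be" name="krb5.conf" dev=dm-0 ino=2950802 scontext=root:system_r:sssd_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1407357307.704:52): avc:  denied  { write } for  pid=20719 comm="rpc.gssd" name="krb5.conf" dev=dm-0 ino=2950802 scontext=root:system_r:gssd_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1407357308.762:53): avc:  denied  { write } for  pid=20719 comm="rpc.gssd" name="krb5.conf" dev=dm-0 ino=2950802 scontext=root:system_r:gssd_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file
"""

AVC_RE = re.compile(r'type=AVC .*?avc:\s+(?P<result>denied|granted)\s+'
                    r'\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Heuristic (my assumption, not taken from the policy): a denial whose target carries
# one of these catch-all types is often a mislabeled file rather than a missing rule.
GENERIC_TYPES = {'etc_t', 'file_t', 'default_t', 'unlabeled_t'}

def selinux_type(context):
    """Return the type field of a user:role:type:level context string."""
    parts = context.split(':')
    return parts[2] if len(parts) > 2 else context

def parse_avc(line):
    """Parse one type=AVC record into a dict; return None for any other record type."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('fields'))}
    rec['result'] = m.group('result')
    rec['perms'] = tuple(sorted(m.group('perms').split()))
    return rec

def summarize(audit_text):
    """Count denials grouped by (comm, source type, target type, class, perms, name)."""
    counts = Counter()
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec and rec['result'] == 'denied':
            counts[(rec.get('comm'), selinux_type(rec.get('scontext', '')),
                    selinux_type(rec.get('tcontext', '')), rec.get('tclass'),
                    rec['perms'], rec.get('name'))] += 1
    return counts

def report(counts):
    """One triage line per distinct denial, flagging targets that carry a generic label."""
    lines = []
    for (comm, stype, ttype, tclass, perms, name), n in sorted(counts.items()):
        hint = '  <- generic label, check with restorecon -nv' if ttype in GENERIC_TYPES else ''
        lines.append(f'{n}x {comm} ({stype}) denied {{{" ".join(perms)}}} on {tclass} {name} ({ttype}){hint}')
    return lines

if __name__ == '__main__':
    print('\n'.join(report(summarize(SAMPLE_AUDIT))))
```

On a live system, feed it `ausearch -m AVC` output instead of the embedded sample; a flagged line is a cue to compare the file's current label with the policy's expected one before filing a policy bug.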

Comment 2 Milos Malik 2014-08-07 17:07:13 UTC
The /etc/krb5.conf file is mislabeled. Please run following command:

# restorecon -Rv /etc

Comment 3 Xiyang Dong 2014-08-07 17:12:04 UTC
[root@dell-pesc1425-01 ~]# restorecon -Rv /etc
restorecon reset /etc/sysconfig/mkinitrd/multipath context system_u:object_r:file_t:s0->system_u:object_r:etc_t:s0
restorecon reset /etc/sysconfig/firstboot context system_u:object_r:etc_t:s0->system_u:object_r:etc_runtime_t:s0
restorecon reset /etc/inittab context system_u:object_r:etc_runtime_t:s0->system_u:object_r:etc_t:s0
restorecon reset /etc/resolv.conf.ipabackup context root:object_r:etc_t:s0->system_u:object_r:net_conf_t:s0
restorecon reset /etc/resolv.conf.10.16.101.41 context root:object_r:etc_t:s0->system_u:object_r:net_conf_t:s0
restorecon reset /etc/modprobe.d/anaconda.conf context system_u:object_r:file_t:s0->system_u:object_r:etc_t:s0

Comment 4 Milos Malik 2014-08-07 17:13:36 UTC
Does rpc.gssd need to write to /etc/krb5.conf ?

Why is the bug reported against RHEL-7, when you mention RHEL-5 packages in the description?

> this happens in rhel7.0 but not in rhel6.6

Comment 7 Chris Williams 2017-04-18 21:54:33 UTC
Red Hat Enterprise Linux 5 shipped its last minor release, 5.11, on September 14th, 2014. On March 31st, 2017 RHEL 5 exited Production Phase 3 and entered Extended Life Phase. For RHEL releases in the Extended Life Phase, Red Hat will provide limited ongoing technical support. No bug fixes, security fixes, hardware enablement or root-cause analysis will be available during this phase, and support will be provided on existing installations only. If the customer purchases the Extended Life-cycle Support (ELS), certain critical-impact security fixes and selected urgent priority bug fixes for the last minor release will be provided. For more details please consult the Red Hat Enterprise Linux Life Cycle Page:
https://access.redhat.com/support/policy/updates/errata

This BZ does not appear to meet ELS criteria so is being closed WONTFIX. If this BZ is critical for your environment and you have an Extended Life-cycle Support Add-on entitlement, please open a case in the Red Hat Customer Portal, https://access.redhat.com, provide a thorough business justification and ask that the BZ be re-opened for consideration of an errata. Please note, only certain critical-impact security fixes and selected urgent priority bug fixes for the last minor release can be considered.