| Summary: | KRB5_TRACE=/dev/stderr kinit admin now produces AVC denial about create name="2" | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Jan Pazdziora <jpazdziora> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 24 | CC: | abokovoy, dominick.grift, dwalsh, jpazdziora, j, lvrabec, mgrepl, nalin, npmccallum, plautrba, rharwood |
| Target Milestone: | --- | Keywords: | Regression |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | selinux-policy-3.13.1-191.24.fc24 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2017-02-27 11:12:32 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Neither have I, nor do I know what could cause it. Perhaps selinux people can tell us more?

This is the same issue that we have been seeing with chrome: a basic change to the kernel which is not checking on /proc for create access when an app does a create/write in an open call, even though you are not allowed to create files in /proc. The next selinux-policy package has added a dontaudit rule for this.

This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component.

Was this fix released?

$ sesearch -D -s unconfined_t -t unconfined_t -c file -p create
Found 1 semantic av rules:
dontaudit unconfined_t unconfined_t : file { create setattr relabelto } ;
$ rpm -q selinux-policy
selinux-policy-3.13.1-191.24.fc24.noarch

Yes, it is.
Description of problem:
When KRB5_TRACE=/dev/stderr kinit admin is run, an AVC denial is logged.

Version-Release number of selected component (if applicable):
krb5-workstation-1.14.3-8.fc24.x86_64
selinux-policy-3.13.1-191.14.fc24.noarch

How reproducible:
Deterministic.

Steps to Reproduce:
1. dnf install krb5-workstation
2. KRB5_TRACE=/dev/stderr kinit admin
   This will fail with "kinit: Configuration file does not specify default realm when parsing name admin", but that does not matter.
3. grep AVC /var/log/audit/audit.log

Actual results:
type=AVC msg=audit(1473925602.153:178): avc: denied { create } for pid=21550 comm="kinit" name="2" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:unconfined_t:s0 tclass=file permissive=0

Expected results:
No AVC denial.

Additional info:
I've never encountered this issue before today.
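The check the last commenter ran by hand (take the AVC record, query sesearch for a matching dontaudit rule) can be scripted so it is repeatable across policy builds. The script below is an added example; it is not part of the bug report or of selinux-policy. The AVC record and the sesearch output are copied from the report so the script runs offline on any host; the function names (avc_fields, sesearch_cmd, dontaudit_covers, avc_dontaudited) are my own, and the accepted rule layouts (setools 3 "a b : file { x y } ;" and setools 4 "a b:file { x y };" / "a b:file x;") are an assumption about sesearch's output formats rather than something the report states.

```shell
#!/bin/sh
# Added example (not from the bug report or selinux-policy): reduce an AVC
# record to the AV triple + permission, build the sesearch query that asks
# whether a dontaudit rule already covers it, and evaluate that query's output.
# On the affected host, feed it live audit.log lines and real sesearch output.

# AVC record copied from the report (one line).
AVC='type=AVC msg=audit(1473925602.153:178): avc: denied { create } for pid=21550 comm="kinit" name="2" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:unconfined_t:s0 tclass=file permissive=0'

# sesearch output copied from the report (selinux-policy-3.13.1-191.24.fc24).
SESEARCH_OUT='Found 1 semantic av rules:
dontaudit unconfined_t unconfined_t : file { create setattr relabelto } ;'

# Third field of user:role:type[:range] is the type; AV rules key on types,
# not on the full context, so that is what sesearch wants.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Reduce an AVC record to "source_type target_type class permission".
# Only the first permission inside { } is taken; a record with several
# permissions needs one query per permission.
avc_fields() {
    line=$1
    perm=$(printf '%s\n' "$line" | sed -n 's/.*denied  *{ *\([a-z_]*\).*/\1/p')
    scontext=$(printf '%s\n' "$line" | sed -n 's/.*scontext=\([^ ]*\).*/\1/p')
    tcontext=$(printf '%s\n' "$line" | sed -n 's/.*tcontext=\([^ ]*\).*/\1/p')
    tclass=$(printf '%s\n' "$line" | sed -n 's/.*tclass=\([^ ]*\).*/\1/p')
    printf '%s %s %s %s\n' "$(ctx_type "$scontext")" "$(ctx_type "$tcontext")" "$tclass" "$perm"
}

# The query the commenter typed, built from the record instead: -D lists
# dontaudit rules, -s/-t/-c/-p narrow it to one AV triple and one permission.
sesearch_cmd() {
    set -- $(avc_fields "$1")
    printf 'sesearch -D -s %s -t %s -c %s -p %s\n' "$1" "$2" "$3" "$4"
}

# Succeeds when the sesearch output holds a dontaudit rule for the given
# source type, target type and class whose permission set includes $perm.
# Assumed layouts: setools 3 ("a b : file { x y } ;") and setools 4
# ("a b:file { x y };" or single-permission "a b:file x;").
dontaudit_covers() {
    stype=$1; ttype=$2; tclass=$3; perm=$4; out=$5
    printf '%s\n' "$out" | grep -Eq \
        "^dontaudit[[:space:]]+$stype[[:space:]]+$ttype[[:space:]]*:[[:space:]]*$tclass[[:space:]]+([{][^}]*[[:space:]])?$perm[[:space:];}]"
}

# AVC record + sesearch output -> exit status 0 if the denial is dontaudited.
avc_dontaudited() {
    out=$2
    set -- $(avc_fields "$1")
    dontaudit_covers "$1" "$2" "$3" "$4" "$out"
}

echo "Fields: $(avc_fields "$AVC")"
echo "Run on the affected host: $(sesearch_cmd "$AVC")"
if avc_dontaudited "$AVC" "$SESEARCH_OUT"; then
    echo "Denial is covered by a dontaudit rule: this policy build carries the fix."
else
    echo "No dontaudit rule covers this denial in the loaded policy."
fi
```

A dontaudit rule only silences the audit record; the create on /proc/self/fd/2 is still refused, as it would be without SELinux, so the script answers "is the noise gone?", not "is the operation allowed?". To confirm the rule is active rather than merely present in the package, run the sesearch_cmd output on the host after the policy is loaded and re-run the kinit reproducer.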