Bug 1398857
Summary: | gssproxy/rpc.gssd/dbus SELinux denials | | |
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Anthony Messina <amessina> |
Component: | selinux-policy-targeted | Assignee: | Lukas Vrabec <lvrabec> |
Status: | CLOSED CURRENTRELEASE | QA Contact: | Ben Levenson <benl> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | | |
Version: | 25 | CC: | dwalsh |
Target Milestone: | --- | | |
Target Release: | --- | | |
Hardware: | Unspecified | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | If docs needed, set a value |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2017-01-14 18:36:12 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Description
Anthony Messina
2016-11-26 17:05:52 UTC
I would check if this would run without the net_admin. You probably do not need to give this access.

dontaudit gssproxy_t self:capability net_admin;

---

(In reply to Daniel Walsh from comment #1)
> I would check if this would run without the net_admin. You probably do not
> need to give this access.
>
> dontaudit gssproxy_t self:capability net_admin;

Thanks Dan. Upstream gssproxy also states they don't need cap_net_admin. In enforcing mode, I don't get the gssproxy AVC and things work:

AVC avc: denied { net_admin } for pid=819 comm="gssproxy" capability=12 scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:system_r:gssproxy_t:s0 tclass=capability

However, I still do get the rpc.gssd AVCs related to /run/dbus/system_bus_socket:

AVC avc: denied { write } for pid=1964 comm="rpc.gssd" name="system_bus_socket" dev="tmpfs" ino=18837 scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=0

---

Yes, this looks like gssd is sending a dbus message to someone. Should be allowed.

---

With recent updates that removed the need to run rpc.gssd in the foreground, I no longer see these issues.
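The thread turns on two different answers to two denials: silence the gssproxy `net_admin` capability check with `dontaudit` (the access is not needed), and `allow` the rpc.gssd write to the D-Bus socket (the access is legitimate). The following added example, which is not part of the bug thread or of selinux-policy, parses the two AVC records quoted above into type-enforcement rules the way a minimal audit2allow would, with a caller-supplied set of (source, target, class) triples that should be silenced rather than granted; the `SAMPLE_AVCS` input is constructed from the lines in the thread and the `te_rules`/`parse_avc` names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample input: the two AVC records quoted in the bug thread above.
SAMPLE_AVCS = """\
AVC avc: denied { net_admin } for pid=819 comm="gssproxy" capability=12 scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:system_r:gssproxy_t:s0 tclass=capability
AVC avc: denied { write } for pid=1964 comm="rpc.gssd" name="system_bus_socket" dev="tmpfs" ino=18837 scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=0
"""

# Only the fields that a TE rule needs: permission set, source/target context, object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def context_type(ctx):
    """Extract the type field from a user:role:type[:level] security context."""
    return ctx.split(":")[2]

def parse_avc(line):
    """Return (source_type, target_type, tclass, perms) or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return (context_type(m["scontext"]), context_type(m["tcontext"]),
            m["tclass"], frozenset(m["perms"].split()))

def te_rules(audit_text, silence=frozenset()):
    """Turn denials into TE rules, one per (source, target, class) triple.
    Triples listed in `silence` get a dontaudit rule (access not needed, only noisy);
    everything else gets an allow rule. A target equal to the source is written as `self`."""
    grouped = defaultdict(set)
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is not None:
            stype, ttype, tclass, perms = rec
            grouped[(stype, ttype, tclass)].update(perms)
    rules = []
    for (stype, ttype, tclass), perms in sorted(grouped.items()):
        kind = "dontaudit" if (stype, ttype, tclass) in silence else "allow"
        target = "self" if stype == ttype else ttype
        perm_str = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_str = "{ %s }" % perm_str
        rules.append("%s %s %s:%s %s;" % (kind, stype, target, tclass, perm_str))
    return rules

if __name__ == "__main__":
    # gssproxy does not need net_admin, so silence that denial instead of granting it.
    for rule in te_rules(SAMPLE_AVCS, silence={("gssproxy_t", "gssproxy_t", "capability")}):
        print(rule)
```

Run as-is it prints the allow rule for gssd_t on the D-Bus socket and the dontaudit rule Dan suggested; dropping the `silence` argument shows why reviewing audit2allow output matters, since the same denial would then be turned into an `allow` of a capability the daemon does not need.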