Bug 1398857

Summary: gssproxy/rpc.gssd/dbus SELinux denials
Product: Fedora
Component: selinux-policy-targeted
Version: 25
Reporter: Anthony Messina <amessina>
Assignee: Lukas Vrabec <lvrabec>
QA Contact: Ben Levenson <benl>
CC: dwalsh
Status: CLOSED CURRENTRELEASE
Severity: unspecified
Priority: unspecified
Hardware: Unspecified
OS: Linux
Type: Bug
Last Closed: 2017-01-14 18:36:12 UTC

Description Anthony Messina 2016-11-26 17:05:52 UTC
With a fresh install of F25, gssproxy & rpc.gssd don't work properly due to SELinux denials.  In this case, rpc.gssd is being run from systemd with Type=simple and ExecStart=/usr/sbin/rpc.gssd -fv (in the foreground) due to #1264556.  This change at least allows rpc.gssd to run for NFS/KRB mount /home.

AVC avc:  denied  { net_admin } for  pid=819 comm="gssproxy" capability=12  scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:system_r:gssproxy_t:s0 tclass=capability permissive=1
AVC avc:  denied  { write } for  pid=819 comm="gssproxy" name="system_bus_socket" dev="tmpfs" ino=17992 scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=1
AVC avc:  denied  { net_admin } for  pid=852 comm="gssproxy" capability=12  scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:system_r:gssproxy_t:s0 tclass=capability permissive=1
AVC avc:  denied  { write } for  pid=852 comm="gssproxy" name="system_bus_socket" dev="tmpfs" ino=17758 scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=1
AVC avc:  denied  { net_admin } for  pid=817 comm="gssproxy" capability=12  scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:system_r:gssproxy_t:s0 tclass=capability permissive=1
AVC avc:  denied  { write } for  pid=817 comm="gssproxy" name="system_bus_socket" dev="tmpfs" ino=13270 scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=1
AVC avc:  denied  { net_admin } for  pid=817 comm="gssproxy" capability=12  scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:system_r:gssproxy_t:s0 tclass=capability permissive=1
AVC avc:  denied  { write } for  pid=817 comm="gssproxy" name="system_bus_socket" dev="tmpfs" ino=13270 scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=1
AVC avc:  denied  { write } for  pid=817 comm="gssproxy" name="system_bus_socket" dev="tmpfs" ino=13270 scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=1
AVC avc:  denied  { net_admin } for  pid=817 comm="gssproxy" capability=12  scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:system_r:gssproxy_t:s0 tclass=capability permissive=1
AVC avc:  denied  { net_admin } for  pid=821 comm="gssproxy" capability=12  scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:system_r:gssproxy_t:s0 tclass=capability permissive=1
AVC avc:  denied  { write } for  pid=821 comm="gssproxy" name="system_bus_socket" dev="tmpfs" ino=18082 scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=1
AVC avc:  denied  { write } for  pid=1109 comm="rpc.gssd" name="system_bus_socket" dev="tmpfs" ino=17992 scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=1
AVC avc:  denied  { write } for  pid=1442 comm="rpc.gssd" name="system_bus_socket" dev="tmpfs" ino=17992 scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=1
AVC avc:  denied  { write } for  pid=1055 comm="rpc.gssd" name="system_bus_socket" dev="tmpfs" ino=17758 scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=1
AVC avc:  denied  { write } for  pid=1400 comm="rpc.gssd" name="system_bus_socket" dev="tmpfs" ino=17758 scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=1
AVC avc:  denied  { write } for  pid=1102 comm="rpc.gssd" name="system_bus_socket" dev="tmpfs" ino=13270 scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=1
AVC avc:  denied  { write } for  pid=1173 comm="rpc.gssd" name="system_bus_socket" dev="tmpfs" ino=13270 scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=1
AVC avc:  denied  { write } for  pid=1394 comm="rpc.gssd" name="system_bus_socket" dev="tmpfs" ino=13270 scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=1
AVC avc:  denied  { write } for  pid=1041 comm="rpc.gssd" name="system_bus_socket" dev="tmpfs" ino=18082 scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=1
AVC avc:  denied  { write } for  pid=1059 comm="rpc.gssd" name="system_bus_socket" dev="tmpfs" ino=18082 scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=1

~]# cat fixgssproxy.te

module fixgssproxy 1.0;

require {
        type system_dbusd_var_run_t;
        type systemd_resolved_t;
        type system_dbusd_t;
        type gssproxy_t;
        class capability net_admin;
        class dbus send_msg;
        class sock_file write;
}

#============= gssproxy_t ==============
allow gssproxy_t self:capability net_admin;
allow gssproxy_t system_dbusd_t:dbus send_msg;
allow gssproxy_t system_dbusd_var_run_t:sock_file write;
allow gssproxy_t systemd_resolved_t:dbus send_msg;

#============= systemd_resolved_t ==============
allow systemd_resolved_t gssproxy_t:dbus send_msg;

~]# cat fixrpcgssd.te

module fixrpcgssd 1.0;

require {
        type system_dbusd_var_run_t;
        type gssd_t;
        class sock_file write;
}

#============= gssd_t ==============
allow gssd_t system_dbusd_var_run_t:sock_file write;

Comment 1 Daniel Walsh 2016-11-28 17:03:18 UTC
I would check if this would run without the net_admin.  You probably do not need to give this access.

dontaudit gssproxy_t self:capability net_admin;

Comment 2 Anthony Messina 2016-11-29 20:07:38 UTC
(In reply to Daniel Walsh from comment #1)
> I would check if this would run without the net_admin.  You probably do not
> need to give this access.
> 
> dontaudit gssproxy_t self:capability net_admin;

Thanks Dan.  Upstream gssproxy also states they don't need cap_net_admin.

In enforcing mode, I don't get the gssproxy AVC and things work:
AVC avc:  denied  { net_admin } for  pid=819 comm="gssproxy" capability=12  scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:system_r:gssproxy_t:s0 tclass=capability
However, I still do get the rpc.gssd AVCs related to /run/dbus/system_bus_socket

AVC avc:  denied  { write } for  pid=1964 comm="rpc.gssd" name="system_bus_socket" dev="tmpfs" ino=18837 scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=0

Comment 3 Daniel Walsh 2016-11-29 20:26:03 UTC
Yes, this looks like gssd is sending a dbus message to someone. It should be allowed.
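As an added example that is not part of this bug report: a small Python script, modelled on what audit2allow does, that parses the AVC lines quoted in the description into (source type, target type, class, permission) tuples and renders a .te module, applying Dan's advice from comment 1 by emitting dontaudit rather than allow for gssproxy's self:capability net_admin denial, while keeping the sock_file write allow that comment 3 says should be granted. The sample AVC lines are copies of those in the report; the names parse_avcs, build_module and DONTAUDIT are the example's own.

```python
import re

# Constructed sample: one copy of each denial shape in this bug (pid/inode incidental).
SAMPLE_AVCS = """\
AVC avc:  denied  { net_admin } for  pid=819 comm="gssproxy" capability=12  scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:system_r:gssproxy_t:s0 tclass=capability permissive=1
AVC avc:  denied  { write } for  pid=819 comm="gssproxy" name="system_bus_socket" dev="tmpfs" ino=17992 scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=1
AVC avc:  denied  { write } for  pid=1964 comm="rpc.gssd" name="system_bus_socket" dev="tmpfs" ino=18837 scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=0
"""

AVC_RE = re.compile(
    r"denied\s+\{ (?P<perms>[^}]+)\}.*?"
    r"scontext=\w+:\w+:(?P<stype>\w+):\S+\s+"
    r"tcontext=\w+:\w+:(?P<ttype>\w+):\S+\s+"
    r"tclass=(?P<tclass>\w+)"
)

# (class, permission) pairs to silence rather than grant: per comment 1,
# gssproxy runs without CAP_NET_ADMIN, so that denial gets dontaudit.
DONTAUDIT = {("capability", "net_admin")}

def parse_avcs(text):
    """Sorted (source type, target type, class, perm) tuples; repeats collapse."""
    found = set()
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        ttype = m.group("ttype")
        if ttype == m.group("stype"):
            ttype = "self"  # policy syntax spells a same-type target as self
        for perm in m.group("perms").split():
            found.add((m.group("stype"), ttype, m.group("tclass"), perm))
    return sorted(found)

def build_module(name, tuples):
    """Render a .te module: require block, then one rule per denial tuple."""
    types = {s for s, _, _, _ in tuples} | {t for _, t, _, _ in tuples if t != "self"}
    perms_by_class = {}
    for _, _, cls, perm in tuples:
        perms_by_class.setdefault(cls, set()).add(perm)
    lines = [f"module {name} 1.0;", "", "require {"]
    lines += [f"\ttype {t};" for t in sorted(types)]
    for cls, ps in sorted(perms_by_class.items()):
        spec = "{ %s }" % " ".join(sorted(ps)) if len(ps) > 1 else next(iter(ps))
        lines.append(f"\tclass {cls} {spec};")
    lines += ["}", ""]
    for stype, ttype, cls, perm in tuples:
        verb = "dontaudit" if (cls, perm) in DONTAUDIT else "allow"
        lines.append(f"{verb} {stype} {ttype}:{cls} {perm};")
    return "\n".join(lines) + "\n"
```

Feed it the full journal output instead of SAMPLE_AVCS and the repeated per-pid denials collapse into the three rules the two modules above actually need.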

Comment 4 Anthony Messina 2017-01-14 18:36:12 UTC
With recent updates that removed the need to run rpc.gssd in the foreground, I no longer see these issues.