Bug 1532243

Summary: SELinux is preventing /usr/sbin/rpc.gssd from read access on the key Unknown.
Product: Red Hat Enterprise Linux 7 Reporter: Brian J. Murrell <brian>
Component: selinux-policyAssignee: Lukas Vrabec <lvrabec>
Status: CLOSED WONTFIX QA Contact: Milos Malik <mmalik>
Severity: high Docs Contact:
Priority: medium    
Version: 7.4CC: herrold, lvrabec, mgrepl, mmalik, orion, plautrba, riehecky, ssekidde, zpytela
Target Milestone: rc   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-02-27 15:26:58 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Brian J. Murrell 2018-01-08 13:15:57 UTC 
SELinux is preventing /usr/sbin/rpc.gssd from read access on the key Unknown.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that rpc.gssd should be allowed read access on the Unknown key by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'rpc.gssd' --raw | audit2allow -M my-rpcgssd
# semodule -i my-rpcgssd.pp


Additional Information:
Source Context                system_u:system_r:gssd_t:s0
Target Context                system_u:system_r:system_cronjob_t:s0-s0:c0.c1023
Target Objects                Unknown [ key ]
Source                        rpc.gssd
Source Path                   /usr/sbin/rpc.gssd
Port                          <Unknown>
Host                          server.interlinx.bc.ca
Source RPM Packages           nfs-utils-1.3.0-0.48.el7_4.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-166.el7_4.7.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     server.interlinx.bc.ca
Platform                      Linux server.interlinx.bc.ca
                              3.10.0-693.11.1.el7.x86_64 #1 SMP Mon Dec 4
                              23:52:40 UTC 2017 x86_64 x86_64
Alert Count                   699
First Seen                    2018-01-04 16:43:19 EST
Last Seen                     2018-01-08 02:25:27 EST
Local ID                      3f9f929c-2775-4803-afbe-cdf0e86f3a6b

Raw Audit Messages
type=AVC msg=audit(1515396327.622:23424): avc:  denied  { read } for  pid=946 comm="rpc.gssd" scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 tclass=key


type=SYSCALL msg=audit(1515396327.622:23424): arch=x86_64 syscall=keyctl success=yes exit=EBADF a0=b a1=296a71fb a2=7f7ee002bb30 a3=9 items=0 ppid=1 pid=946 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=rpc.gssd exe=/usr/sbin/rpc.gssd subj=system_u:system_r:gssd_t:s0 key=(null)

Hash: rpc.gssd,gssd_t,system_cronjob_t,key,read
Comment 2 Zdenek Pytela 2019-02-27 15:26:58 UTC 
This issue was not selected to be included in Red Hat Enterprise Linux 7.7 because it is seen either as low or moderate impact to a small number of use-cases. The next release will be in Maintenance Support 1 Phase, which means that qualified Critical and Important Security errata advisories (RHSAs) and Urgent Priority Bug Fix errata advisories (RHBAs) may be released as they become available.

We will now close this issue, but if you believe that it qualifies for the Maintenance Support 1 Phase, please re-open; otherwise, we recommend moving the request to Red Hat Enterprise Linux 8 if applicable.