Bug 1665815

Summary: SELinux sometimes prevents sec=krb5 mounts [rhel-7.6.z]
Product: Red Hat Enterprise Linux 7 Reporter: RAD team bot copy to z-stream <autobot-eus-copy>
Component: selinux-policyAssignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: urgent Docs Contact: Mirek Jahoda <mjahoda>
Priority: urgent    
Version: 7.4CC: lvrabec, mgrepl, mjahoda, mmalik, plautrba, rvdwees, ssekidde, vmojzis, zpytela
Target Milestone: rcKeywords: ZStream
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.13.1-229.el7_6.9 Doc Type: Bug Fix
Doc Text:
Previously, an allow rule for the gssd_t type was missing in the SELinux policy. As a consequence, SELinux in enforcing mode occasionally prevented processes running as gssd_t from accessing kernel keyrings of other processes and could block for example sec=krb5 mounts. The rule has been added to the policy, and processes running as gssd_t are now able to access keyrings of other processes.
 Story Points: ---
Clone Of: 1487350 Environment:
Last Closed: 2019-01-29 17:24:35 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1487350    
Bug Blocks:    

Description RAD team bot copy to z-stream 2019-01-14 07:37:50 UTC 
This bug has been copied from bug #1487350 and has been proposed to be backported to 7.6 z-stream (EUS).
Comment 2 Lukas Vrabec 2019-01-14 11:26:56 UTC 
commit a7ea73e34ec7a875c21939b4ee6339f350598549 (HEAD -> rhel7.6-contrib, origin/rhel7.6-contrib)
Author: Lukas Vrabec <lvrabec>
Date:   Sun Jan 13 20:27:19 2019 +0100

    Allow gssd_t domain to read/write kernel keyrings of every domain.
    Resolves: rhbz#1665815
    
    This looks like a race condition bug in nfs version 4 when NFS is using
    kerberos for security.

commit 629d0bd3ce2797a7caf75ad1d6fea2fe2fcb6e05 (HEAD -> rhel7.6-base, origin/rhel7.6-base)
Author: Lukas Vrabec <lvrabec>
Date:   Sun Jan 13 19:29:52 2019 +0100

    Add interface domain_rw_all_domains_keyrings()
    Resolves: rhbz#1665815
Comment 4 Lukas Vrabec 2019-01-17 15:08:08 UTC 
commit 767a049360aedc2ca2ae42bbd0f7f0c05af1ee0a (HEAD -> rhel7.6-base, origin/rhel7.6-base)
Author: Lukas Vrabec <lvrabec>
Date:   Thu Jan 17 15:47:09 2019 +0100

    Add new interface domain_manage_all_domains_keyrings()
    
    Resolves: rhbz#1665815


commit b51c2dd75b2de1bf691e455026dc937f7d17f49a (HEAD -> rhel7.6-contrib, origin/rhel7.6-contrib)
Author: Lukas Vrabec <lvrabec>
Date:   Thu Jan 17 15:51:28 2019 +0100

    Allow gssd_t domain to manage kernel keyrings of every domain.
    Resolves: rhbz#1665815
    
    This looks like a race condition bug in nfs version 4 when NFS is using kerberos for security.
Comment 8 errata-xmlrpc 2019-01-29 17:24:35 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:0192