Bug 1665815
Summary: | SELinux sometimes prevents sec=krb5 mounts [rhel-7.6.z] | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | RAD team bot copy to z-stream <autobot-eus-copy> |
Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
Severity: | urgent | Docs Contact: | Mirek Jahoda <mjahoda> |
Priority: | urgent | ||
Version: | 7.4 | CC: | lvrabec, mgrepl, mjahoda, mmalik, plautrba, rvdwees, ssekidde, vmojzis, zpytela |
Target Milestone: | rc | Keywords: | ZStream |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | selinux-policy-3.13.1-229.el7_6.9 | Doc Type: | Bug Fix |
Doc Text: |
Previously, an allow rule for the gssd_t type was missing in the SELinux policy. As a consequence, SELinux in enforcing mode occasionally prevented processes running as gssd_t from accessing kernel keyrings of other processes and could block for example sec=krb5 mounts. The rule has been added to the policy, and processes running as gssd_t are now able to access keyrings of other processes.
|
Story Points: | --- |
Clone Of: | 1487350 | Environment: | |
Last Closed: | 2019-01-29 17:24:35 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1487350 | ||
Bug Blocks: |
Description
RAD team bot copy to z-stream
2019-01-14 07:37:50 UTC
commit a7ea73e34ec7a875c21939b4ee6339f350598549 (HEAD -> rhel7.6-contrib, origin/rhel7.6-contrib) Author: Lukas Vrabec <lvrabec> Date: Sun Jan 13 20:27:19 2019 +0100 Allow gssd_t domain to read/write kernel keyrings of every domain. Resolves: rhbz#1665815 This looks like a race condition bug in nfs version 4 when NFS is using kerberos for security. commit 629d0bd3ce2797a7caf75ad1d6fea2fe2fcb6e05 (HEAD -> rhel7.6-base, origin/rhel7.6-base) Author: Lukas Vrabec <lvrabec> Date: Sun Jan 13 19:29:52 2019 +0100 Add interface domain_rw_all_domains_keyrings() Resolves: rhbz#1665815 commit 767a049360aedc2ca2ae42bbd0f7f0c05af1ee0a (HEAD -> rhel7.6-base, origin/rhel7.6-base) Author: Lukas Vrabec <lvrabec> Date: Thu Jan 17 15:47:09 2019 +0100 Add new interface domain_manage_all_domains_keyrings() Resolves: rhbz#1665815 commit b51c2dd75b2de1bf691e455026dc937f7d17f49a (HEAD -> rhel7.6-contrib, origin/rhel7.6-contrib) Author: Lukas Vrabec <lvrabec> Date: Thu Jan 17 15:51:28 2019 +0100 Allow gssd_t domain to manage kernel keyrings of every domain. Resolves: rhbz#1665815 This looks like a race condition bug in nfs version 4 when NFS is using kerberos for security. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2019:0192 |