Bug 1740540
| Summary: | [RHEL 8.1] avc: denied { search } for comm="rpc.gssd" name="krb5" dev="dm-0" | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Yongcheng Yang <yoyang> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED DUPLICATE | QA Contact: | BaseOS QE Security Team <qe-baseos-security> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 8.1 | CC: | lvrabec, mmalik, plautrba, ssekidde, xzhou, zpytela |
| Target Milestone: | rc | Keywords: | Regression, Reproducer |
| Target Release: | 8.0 | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | selinux-policy-3.14.3-15.el8 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2019-08-13 11:48:59 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
*** This bug has been marked as a duplicate of bug 1730144 *** |
Description of problem: Get a new rpc.gssd AVC warning during our RHEL-8.1.0-20190806.2 Kerberos NFS tests: ''' type=AVC msg=audit(1565683878.027:1500): avc: denied { search } for pid=46828 comm="rpc.gssd" name="krb5" dev="dm-0" ino=33566251 scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=0 ''' Seemingly it occurs when a user reaching files of different UID via Kerberos NFS. It doesn't affect the function, i.e. file still be reachable as previously. Version-Release number of selected component (if applicable): selinux-policy-3.14.3-13.el8 within RHEL-8.1.0-20190806.2 ^^^^^^^^^^ failed selinux-policy-3.14.3-9.el8 within RHEL-8.1.0-20190701.0 ^^^^^^^^^ good How reproducible: always Steps to Reproduce: 1. please find in "Actual results" Actual results: [root.0 ~]# useradd krbuser [root.0 ~]# kadmin -p root/admin -w redhat -q 'addprinc -pw redhat krbuser' Authenticating as principal root/admin with password. WARNING: no policy specified for krbuser; defaulting to no policy Principal "krbuser" created. [root.0 ~]# su krbuser -c 'echo redhat | kinit -l 10m -r 60m' Password for testuser: [root.0 ~]# [root.0 ~]# grep denied /var/log/audit/audit.log [root.0 ~]# date > /mnt/file.root [root.0 ~]# ll /mnt/ total 1028 -rw-------. 1 krbuser krbuser 1048576 Aug 13 04:07 file.krb -rw-r--r--. 1 nobody nobody 29 Aug 13 04:11 file.root [root.0 ~]# cat /mnt/file.krb cat: /mnt/file.krb: Permission denied [root.0 ~]# cat /mnt/file.root Tue Aug 13 04:11:00 EDT 2019 [root.0 ~]# grep denied /var/log/audit/audit.log [root.0 ~]# su krbuser -c 'cat /mnt/file.root' <<<<< AVC warning triggered Tue Aug 13 04:11:00 EDT 2019 [root.0 ~]# grep denied /var/log/audit/audit.log type=AVC msg=audit(1565683878.027:1500): avc: denied { search } for pid=46828 comm="rpc.gssd" name="krb5" dev="dm-0" ino=33566251 scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=0 [root.0 ~]# [root.0 ~]# rpm -q selinux-policy nfs-utils kernel selinux-policy-3.14.3-13.el8.noarch nfs-utils-2.3.3-23.el8.x86_64 kernel-4.18.0-128.el8.x86_64 Expected results: No AVC warning Additional info: # failed beaker job in RHEL-8.1.0-20190806.2 https://beaker.engineering.redhat.com/recipes/7225910#task97576284 # passed beaker job in RHEL-8.1.0-20190701.0 (same nfs-utils version with above job) https://beaker.engineering.redhat.com/recipes/7194089#task97216253