Bug 1951093
| Summary: | RFE: Grant rpc.gssd access to $HOME/.k5identity in selinux-policy | | | |
|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Jacob Shivers <jshivers> | |
| Component: | selinux-policy | Assignee: | Patrik Koncity <pkoncity> | |
| Status: | CLOSED ERRATA | QA Contact: | Amith <apeetham> | |
| Severity: | medium | Docs Contact: | | |
| Priority: | medium | | | |
| Version: | 8.5 | CC: | dwysocha, lvrabec, mmalik, pkoncity, plautrba, ssekidde, steved, toneata, yoyang, zpytela | |
| Target Milestone: | beta | Keywords: | FutureFeature, Triaged, ZStream | |
| Target Release: | 8.5 | Flags: | pm-rhel: mirror+ | |
| Hardware: | All | | | |
| OS: | Linux | | | |
| Whiteboard: | | | | |
| Fixed In Version: | selinux-policy-3.14.3-71.el8 | Doc Type: | Enhancement | |
| Doc Text: | Feature: Support in selinux-policy to allow rpc.gssd to apply the rules from $HOME/.k5identity. Reason: BZ#1868087 extends the rpc.gssd capability to scan for $HOME/.k5identity to know the preferred UPN when reading the user's DEFCKTNAME, but SELinux prevents access to $HOME and $HOME/.k5identity. Result: rpc.gssd has access to the required files so that it is manageable which Kerberos principals are used to access a given resource. | Story Points: | --- | |
| Clone Of: | | | | |
| : | 1980610 1995594 (view as bug list) | Environment: | | |
| Last Closed: | 2021-11-09 19:43:05 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | | |
| Verified Versions: | | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | | |
| Cloudforms Team: | --- | Target Upstream Version: | | |
| Embargoed: | | | | |
| Bug Depends On: | | | | |
| Bug Blocks: | 1868087, 1995594 | | | |
Description
Jacob Shivers
2021-04-19 15:47:27 UTC
(In reply to Jacob Shivers from comment #0)

Hi Jacob,

Could you explain step by step how to reproduce this bug?

> Steps to Reproduce:

Also, could you send a link to the nfs-utils rpm? It seems like the links in the other bugzilla already aren't valid.

> 1. Install nfs-utils from BZ1868087
> 2. Create user $HOME/.k5identity file for test user.
> 3. Mount then access Kerberized NFS share as user leveraging DEFCKTNAME

(In reply to Patrik Koncity from comment #3)
> (In reply to Jacob Shivers from comment #0)
>
> Hi Jacob,
>
> Could you explain step by step how to reproduce this bug?

Certainly.

> > Steps to Reproduce:
>
> Also, could you send a link to the nfs-utils rpm? It seems like the links in the other
> bugzilla already aren't valid.
>
> > 1. Install nfs-utils from BZ1868087
> > 2. Create user $HOME/.k5identity file for test user.
> > 3. Mount then access Kerberized NFS share as user leveraging DEFCKTNAME

The original test rpms have expired, but I have original copies saved at http://file.rdu.redhat.com/~jshivers/test_rpms/bugzillas/1868087/. Updated test RPMs can also be found at https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=36725096 for the 8.5 candidate test.

This setup will require a Kerberized environment with an NFS server configured to support Kerberos and an NFS client joined to the same Kerberos realm. c#18 in BZ1868087 goes over the client configuration setup, but the existing infrastructure may be what requires further explanation. QA for fs has an environment that was used for testing. If this environment cannot be accessed, I can certainly set something up that can be accessed for testing and review.

I have an older document, that needs updating including for RHEL8, here ( http://file.rdu.redhat.com/~jshivers/configs/ipa-install_training ) to go over setting up an IPA environment for Kerberized remote filesystems.

If anything more specific is needed or further clarity requested, please inform me.
As https://bugzilla.redhat.com/show_bug.cgi?id=1868087#c33
---
type=AVC msg=audit(1620890462.356:230): avc: denied { search } for pid=20665 comm="rpc.gssd" name="testUser" dev="dm-0" ino=67330672 scontext=system_u:system_r:gssd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=0

If this is the warning that is going to be fixed, I can verify the new package with our nfs testcase.

(In reply to Yongcheng Yang from comment #5)
> As https://bugzilla.redhat.com/show_bug.cgi?id=1868087#c33
> ---
> type=AVC msg=audit(1620890462.356:230): avc: denied { search } for
> pid=20665 comm="rpc.gssd" name="testUser" dev="dm-0" ino=67330672
> scontext=system_u:system_r:gssd_t:s0
> tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=0
>
> If this is the warning that is going to be fixed, I can verify the new package
> with our nfs testcase.

It should be that error and an open/read error for .k5identity like seen in https://bugzilla.redhat.com/show_bug.cgi?id=1868087#c18

commit 05bacfed6df3f336c50326c7c6f4c3677c7f7d70
Author: Jacob Shivers <jshivers>
Date: Mon Mar 15 09:22:57 2021 -0400
gssd: Add options to rpc.gssd to allow for the use of $HOME/.k5identity file
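To check whether a client is still hitting the denial quoted in comment #5, here is an added example (not code from this bug, nfs-utils or selinux-policy) that parses audit AVC records and flags the signature this bug fixes: rpc.gssd running as gssd_t being refused access to home-directory content. The first sample line is the denial from the comment above; the other two are constructed so the filter has one more line to accept and one to ignore.

```python
import re

# Constructed sample: line 1 is the denial quoted in this bug; lines 2-3 are
# made up (a .k5identity read denial and an unrelated httpd denial) so the
# filter has something to accept and something to ignore.
AUDIT_SAMPLE = """\
type=AVC msg=audit(1620890462.356:230): avc:  denied  { search } for  pid=20665 comm="rpc.gssd" name="testUser" dev="dm-0" ino=67330672 scontext=system_u:system_r:gssd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1620890462.357:231): avc:  denied  { read } for  pid=20665 comm="rpc.gssd" name=".k5identity" dev="dm-0" ino=67330680 scontext=system_u:system_r:gssd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1620890500.100:240): avc:  denied  { write } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=99 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Home-directory types rpc.gssd touches while resolving $HOME/.k5identity;
# krb5_home_t is the label the fixed policy assigns to the file itself.
HOME_TYPES = {"user_home_dir_t", "user_home_t", "krb5_home_t"}


def parse_avc(line):
    """Return a dict for an AVC record, or None for any other audit line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {"result": m.group("result"), "perms": m.group("perms").split()}
    for key, value in KV_RE.findall(m.group("rest")):
        rec[key] = value.strip('"')
    # contexts are user:role:type[:range]; keep the type for policy questions
    for ctx in ("scontext", "tcontext"):
        if ctx in rec:
            rec[ctx + "_type"] = rec[ctx].split(":")[2]
    return rec


def gssd_home_denials(lines):
    """AVC denials of gssd_t against home-directory content. Before the fix these
    appear on every .k5identity lookup; after it, a hit points to the file not
    having been relabelled or the updated policy not being active."""
    hits = []
    for line in lines:
        rec = parse_avc(line)
        if (rec and rec["result"] == "denied"
                and rec.get("scontext_type") == "gssd_t"
                and rec.get("tcontext_type") in HOME_TYPES):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in gssd_home_denials(AUDIT_SAMPLE.splitlines()):
        print(hit["perms"], hit["tclass"], hit["name"], hit["tcontext_type"])
```

Feed it `ausearch -m avc -ts today` output (or raw /var/log/audit/audit.log lines); the same filter run after the update is a quick regression check alongside the `<no matches>` shown later in this bug.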
(In reply to Steve Dickson from comment #7)
> commit 05bacfed6df3f336c50326c7c6f4c3677c7f7d70
> Author: Jacob Shivers <jshivers>
> Date: Mon Mar 15 09:22:57 2021 -0400
>
> gssd: Add options to rpc.gssd to allow for the use of $HOME/.k5identity
> file

Hi SteveD, JFYI that this bug is for selinux-policy (NOT nfs-utils).

The above patch you mentioned has already been imported as https://bugzilla.redhat.com/show_bug.cgi?id=1868087#c22

(In reply to Yongcheng Yang from comment #8)
> (In reply to Steve Dickson from comment #7)
> > commit 05bacfed6df3f336c50326c7c6f4c3677c7f7d70
> > Author: Jacob Shivers <jshivers>
> > Date: Mon Mar 15 09:22:57 2021 -0400
> >
> > gssd: Add options to rpc.gssd to allow for the use of $HOME/.k5identity
> > file
>
> Hi SteveD, JFYI that this bug is for selinux-policy (NOT nfs-utils).
>
> The above patch you mentioned has already been imported as
> https://bugzilla.redhat.com/show_bug.cgi?id=1868087#c22

Thanks! I like bugs like this!!! :-)

Hi Jacob,

So I made a build with a possible fix. I label the $HOME/.k5identity file like the other kerberos files in $HOME and also allow the additional permissions which I saw in the AVCs in c#18 of BZ1868087.

Please, can you try this build and check that everything works properly?

Build: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=37215666

Thanks,
Patrik

(In reply to Patrik Koncity from comment #11)
> Hi Jacob,

Hello Patrik,

>
> So I made a build with a possible fix. I label the $HOME/.k5identity file like the other
> kerberos files in $HOME and also allow the additional permissions which I saw in
> the AVCs in c#18 of BZ1868087.
>
> Please, can you try this build and check that everything works properly?

I have tested the build and can confirm that it works properly by allowing rpc.gssd the necessary access to $HOME/.k5identity. Testing below. I will note that I had already done a previous chcon for .k5identity, so this is why the label is already different.
```
# wget 'http://brew-task-repos.usersys.redhat.com/repos/scratch/pkoncity/selinux-policy/3.14.3/67.el8.1951093/selinux-policy-3.14.3-67.el8.1951093-scratch.repo' -P /etc/yum.repos.d/
# dnf update selinux-policy
# systemctl reboot
# grep -v '#' /etc/nfs.conf
[general]
[exportfs]
[gssd]
verbosity=3
use-gss-proxy=1
set-home=0
[lockd]
[mountd]
[nfsdcld]
[nfsdcltrack]
[nfsd]
[statd]
[sm-notify]
# strace -fvttTyyx -s 4096 -o /tmp/rpc.gssd_with_H-rhel8.strace -p $(pidof rpc.gssd) &
# getenforce
Enforcing
# mount ad-nfs-server.example.net:/secure /mnt/ -o sec=krb5
# su - dean
$ cat .k5identity
jeff host=win2k16-*.example.net service=nfs
troy host=samba-701.example.net
dean host=*.example.net service=nfs
$ ls -lZ .k5identity
-rw-r--r--. 1 dean domain users unconfined_u:object_r:krb5_home_t:s0 179 Feb  7 15:15 .k5identity
$ klist
klist: No credentials cache found (filename: /tmp/krb5cc_602001124)
$ touch /mnt/gssd_with_H-rhel8-$(date +%F).txt
strace: Process 1739 attached
$ ll /mnt/gssd_with_H-rhel8-$(date +%F).txt
-rw-r--r--. 1 dean root 0 Jun  3 11:45 /mnt/gssd_with_H-rhel8-2021-06-03.txt
$ klist
Ticket cache: FILE:/tmp/krb5cc_602001124
Default principal: dean

Valid starting       Expires              Service principal
06/03/2021 11:45:19  06/03/2021 12:00:19  krbtgt/EXAMPLE.NET
06/03/2021 11:45:19  06/03/2021 12:00:19  nfs/ad-nfs-server.example.net
$ logout
# pkill strace
# ausearch -m avc -i -c rpc.gssd -ts today
<no matches>
# egrep 'geteuid|open.*k5identity' /tmp/rpc.gssd_with_H-rhel8.strace | tail -2
1739 11:45:18.317400 geteuid() = 602001124 <0.000015>
1739 11:45:18.317527 openat(AT_FDCWD, "/home/dean/.k5identity", O_RDONLY) = 14</home/dean/.k5identity> <0.000180>
```

Thanks for the test package.

Hi, that's great. So I made a PR and after merging it we will deliver this fix to selinux-policy on RHEL-8.5.0.

PR: https://github.com/fedora-selinux/selinux-policy/pull/767

Thanks,
Patrik

Commit to backport:
commit 434cb2a6cb4092f49f4bba0f045f28c3660d97d1 (HEAD -> rawhide, upstream/rawhide)
Author: Patrik Koncity <pkoncity>
Date: Mon May 31 15:15:33 2021 +0200
Label /.k5identity file allow read of this file to rpc.gssd
Label kerberos file $HOME/.k5identity as krb5_home_t, which
is default label for kerberos files in HOME. Also add
filetransition for this specific object to
kerberos_filetrans_admin_home_content() and
kerberos_filetrans_home_content(). And also allow
read this HOME kerberos files for rpc.gssd. Rpc.gssd is
daemon, which provide strong security for RPC-based protocols
such as NFS.
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1951093
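The test transcript above shows why the policy change matters: once rpc.gssd can read the user's .k5identity, the rules in it decide which principal is used, and klist ends up with dean for nfs/ad-nfs-server.example.net. As an added illustration (not code from nfs-utils or MIT krb5), here is a small reimplementation of that rule matching, modelled on the documented k5identity(5) semantics: the first line whose every field=value constraint holds wins, host patterns use shell-style wildcards as in the sample (host=*.example.net). Treating an unknown field as never matching is this example's own assumption; the sample file is the one from the transcript, constructed inline.

```python
import fnmatch

# Constructed sample: the three-line ~/.k5identity from the test transcript in
# this bug (principal realms are absent there, so names are kept as shown).
K5IDENTITY_SAMPLE = """\
jeff host=win2k16-*.example.net service=nfs
troy host=samba-701.example.net
dean host=*.example.net service=nfs
"""


def parse_k5identity(text):
    """Return [(principal, {field: value})] in file order, ignoring blank and
    comment lines; a field without '=value' is a syntax error."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        principal, *fields = line.split()
        constraints = {}
        for field in fields:
            key, sep, value = field.partition("=")
            if not sep or not value:
                raise ValueError(f"malformed field {field!r} in line {raw!r}")
            constraints[key.lower()] = value
        rules.append((principal, constraints))  # no fields: catch-all rule
    return rules


def select_principal(rules, host, service=None, realm=None):
    """First rule whose constraints all hold wins; None means 'fall back to the
    cache's default principal'. Hostnames compare case-insensitively with
    wildcards; an unknown field never matches (assumption of this example)."""
    for principal, constraints in rules:
        matched = True
        for key, want in constraints.items():
            if key == "host":
                matched = host is not None and fnmatch.fnmatchcase(host.lower(), want.lower())
            elif key == "service":
                matched = service == want
            elif key == "realm":
                matched = realm == want
            else:
                matched = False
            if not matched:
                break
        if matched:
            return principal
    return None
```

`select_principal(parse_k5identity(K5IDENTITY_SAMPLE), "ad-nfs-server.example.net", "nfs")` returns `dean`, matching the transcript; asking for a service the file does not cover returns None, which is the "no rule, use the default ticket" case.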
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:4420