Bug 457043
Summary: | SELinux prevented the gss daemon from reading unprivileged user temporary files. | | |
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Louis Lagendijk <louis> |
Component: | selinux-policy-targeted | Assignee: | Daniel Walsh <dwalsh> |
Status: | CLOSED CURRENTRELEASE | QA Contact: | Ben Levenson <benl> |
Severity: | low | Docs Contact: | |
Priority: | low | | |
Version: | 9 | | |
Target Milestone: | --- | | |
Target Release: | --- | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2008-11-17 22:05:18 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Description
Louis Lagendijk
2008-07-29 12:31:25 UTC
I have a setup running with NFS4 and Kerberos. The following additional information is reported:

Source Context: system_u:system_r:gssd_t:s0
Target Context: unconfined_u:object_r:user_tmp_t:s0
Target Objects: ./krb5cc_501_CNkzep [ file ]
Source: rpc.gssd
Source Path: /usr/sbin/rpc.gssd
Port: <Unknown>
Host: travel.pheasant
Source RPM Packages: nfs-utils-1.1.2-2.fc9
Target RPM Packages:
Policy RPM: selinux-policy-3.3.1-79.fc9
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Enforcing
Plugin Name: allow_gssd_read_tmp
Host Name: travel.pheasant
Platform: Linux travel.pheasant 2.6.25.11-97.fc9.x86_64 #1 SMP Mon Jul 21 01:09:10 EDT 2008 x86_64 x86_64
Alert Count: 7
First Seen: Tue 29 Jul 2008 09:26:27 AM CEST
Last Seen: Tue 29 Jul 2008 02:19:40 PM CEST
Local ID: ab7e7fb7-f0f5-474b-9f19-7cde81979ec7
Line Numbers:

Raw Audit Messages:

host=travel.pheasant type=AVC msg=audit(1217333980.885:83): avc: denied { write } for pid=2380 comm="rpc.gssd" name="krb5cc_501_CNkzep" dev=dm-1 ino=24607 scontext=system_u:system_r:gssd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file

host=travel.pheasant type=SYSCALL msg=audit(1217333980.885:83): arch=c000003e syscall=2 success=no exit=-13 a0=7fffcfec2520 a1=2 a2=180 a3=0 items=0 ppid=1 pid=2380 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=501 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc.gssd" exe="/usr/sbin/rpc.gssd" subj=system_u:system_r:gssd_t:s0 key=(null)

Userid 501 is the one currently logged on to the Gnome desktop.

Does everything seem to be working correctly?

I believe this is just the kerberos library doing wacky stuff. It checks whether the process has WRITE access to all files, and this would generate the AVC even though the rpc never tried to actually write to the file. So we can dontaudit the access.

You can allow this for now.

# audit2allow -M mypol -l -i /var/log/audit/audit.log
# semodule -i mypol.pp

Fixed in selinux-policy-3.3.1-81.fc9.noarch

Applied, thanks for the prompt reply. I am really impressed. I was mainly worried about the fact that the recommended solution (set allow_gssd_read_tmp) did not work.

Just this week I got around to removing my local policy, as I have version 3.3.1-87.fc9 installed. I now have the alerts back. Is the fix really included in the latest policy? The changelog does not mention the fix, so it seems to have got lost?

Nope, there was a bug.

Fixed in selinux-policy-3.3.1-92.fc9.noarch

Closing all bugs that have been in modified for over a month. Please reopen if the bug is not actually fixed.
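Added example, not code from this report or from the selinux-policy package: a small Python parser for the AVC record quoted above that recognises this exact denial pattern (gssd_t probing write access on a krb5cc_* file labelled user_tmp_t) and renders a local policy module with a dontaudit rule, which silences the alert without granting rpc.gssd write access, unlike the allow rule that the audit2allow workaround generates. The function names parse_avc, is_gssd_ccache_write_probe and te_module are mine, and the sample record is the one from this bug.

```python
import re

# Constructed sample: the AVC record quoted in this report, as one audit line.
SAMPLE_AVC = (
    'host=travel.pheasant type=AVC msg=audit(1217333980.885:83): avc: denied '
    '{ write } for pid=2380 comm="rpc.gssd" name="krb5cc_501_CNkzep" dev=dm-1 '
    'ino=24607 scontext=system_u:system_r:gssd_t:s0 '
    'tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file'
)

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def parse_avc(line: str) -> dict:
    """Pull permissions, source/target types, object class and file name out of one AVC record."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError("not an AVC denial record")
    # A context is user:role:type:level; the type is the third field.
    name = re.search(r'name="([^"]*)"', line)
    return {
        "perms": m.group("perms").split(),
        "stype": m.group("scontext").split(":")[2],
        "ttype": m.group("tcontext").split(":")[2],
        "tclass": m.group("tclass"),
        "name": name.group(1) if name else "",
    }

def is_gssd_ccache_write_probe(avc: dict) -> bool:
    """The pattern from this bug: gssd_t asking for write on a user's krb5cc_* file in user_tmp_t."""
    return (avc["stype"] == "gssd_t" and avc["ttype"] == "user_tmp_t"
            and avc["tclass"] == "file" and avc["perms"] == ["write"]
            and str(avc["name"]).startswith("krb5cc_"))

def te_module(avc: dict, name: str = "mypol", silence_only: bool = True) -> str:
    """Render a .te module: dontaudit hides the noise; allow (what audit2allow emits) grants it."""
    rule = "dontaudit" if silence_only else "allow"
    perms = " ".join(avc["perms"])
    return "\n".join([
        f"module {name} 1.0;", "", "require {",
        f"    type {avc['stype']};", f"    type {avc['ttype']};",
        f"    class {avc['tclass']} {{ {perms} }};", "}", "",
        f"{rule} {avc['stype']} {avc['ttype']}:{avc['tclass']} {{ {perms} }};", "",
    ])
```

The rendered text is what you would feed to checkmodule/semodule_package in place of the audit2allow output; the dontaudit form only stops the audit log noise and leaves rpc.gssd unable to write the credential cache.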