Bug 549507

Summary:	SELinux is preventing /usr/sbin/rpc.gssd "read" access on krb5cc_501_AjUh0E.
Product:	[Fedora] Fedora	Reporter:	Louis Lagendijk <louis>
Component:	selinux-policy	Assignee:	Daniel Walsh <dwalsh>
Status:	CLOSED ERRATA	QA Contact:	Fedora Extras Quality Assurance <extras-qa>
Severity:	medium	Docs Contact:
Priority:	medium
Version:	12	CC:	dwalsh, mgrepl, nalin, rstrode, steved
Target Milestone:	---
Target Release:	---
Hardware:	x86_64
OS:	Linux
Whiteboard:	setroubleshoot_trace_hash:4ea6cf3d7ac61eabfb90b9104e6b48502a8e476a0306ac78bf97bb54ad6808f8
Fixed In Version:	3.6.32-66.fc12	Doc Type:	Bug Fix
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2010-01-08 20:09:53 UTC	Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Louis Lagendijk 2009-12-21 21:26:26 UTC

Summary:

SELinux is preventing /usr/sbin/rpc.gssd "read" access on krb5cc_501_AjUh0E.

Detailed Description:

SELinux denied access requested by rpc.gssd. It is not expected that this access
is required by rpc.gssd and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                system_u:system_r:gssd_t:s0
Target Context                system_u:object_r:tmp_t:s0
Target Objects                krb5cc_501_AjUh0E [ file ]
Source                        rpc.gssd
Source Path                   /usr/sbin/rpc.gssd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           nfs-utils-1.2.1-4.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-56.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) 2.6.31.6-166.fc12.x86_64 #1
                              SMP Wed Dec 9 10:46:22 EST 2009 x86_64 x86_64
Alert Count                   19
First Seen                    Mon 14 Dec 2009 07:48:33 PM CET
Last Seen                     Mon 21 Dec 2009 10:24:05 PM CET
Local ID                      130c0159-fbdb-4058-9f48-9b018541d356
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1261430645.903:13): avc:  denied  { read } for  pid=1300 comm="rpc.gssd" name="krb5cc_501_AjUh0E" dev=dm-0 ino=60 scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1261430645.903:13): arch=c000003e syscall=2 success=no exit=-13 a0=7f42071d6700 a1=0 a2=180 a3=18 items=0 ppid=1 pid=1300 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc.gssd" exe="/usr/sbin/rpc.gssd" subj=system_u:system_r:gssd_t:s0 key=(null)



Hash String generated from  selinux-policy-3.6.32-56.fc12,catchall,rpc.gssd,gssd_t,tmp_t,file,read
audit2allow suggests:

#============= gssd_t ==============
allow gssd_t tmp_t:file read;

Comment 1 Daniel Walsh 2009-12-21 22:41:10 UTC

How was the krb5cc file created?

Comment 2 Daniel Walsh 2009-12-23 14:18:18 UTC

The problem here was the krb5cc file was not created via a normal login so it ended up with an incorrect context.

ls -lZ /tmp/krb5cc_3267
-rw-------. dwalsh dwalsh unconfined_u:object_r:user_tmp_t:s0 /tmp/krb5cc_3267
bash-4.0# ls -lZ /tmp/krb5cc_3267*
-rw-------. dwalsh dwalsh unconfined_u:object_r:user_tmp_t:s0 /tmp/krb5cc_3267
-rw-------. dwalsh dwalsh unconfined_u:object_r:user_tmp_t:s0 /tmp/krb5cc_3267_NcMLrh


It should be labeled user_tmp_t.

Comment 3 Louis Lagendijk 2009-12-31 11:26:22 UTC

All my krb5cc* files are created by login processes, some have user_tmp_t, others have xserver_tmp_t. I use the gdm graphical login....


[louis@travel ~]$ ls -alZ /tmp/krb5cc_*
-rw-------. louis users unconfined_u:object_r:user_tmp_t:s0 /tmp/krb5cc_501_0feHVy
-rw-------. louis users unconfined_u:object_r:user_tmp_t:s0 /tmp/krb5cc_501_12Eq42
-rw-------. louis users unconfined_u:object_r:user_tmp_t:s0 /tmp/krb5cc_501_1Sxtwk
-rw-------. louis users unconfined_u:object_r:user_tmp_t:s0 /tmp/krb5cc_501_2u5qxO
-rw-------. louis users system_u:object_r:xserver_tmp_t:s0 /tmp/krb5cc_501_2VMQXG
-rw-------. louis users system_u:object_r:xserver_tmp_t:s0 /tmp/krb5cc_501_4KyIB5
-rw-------. louis users system_u:object_r:xserver_tmp_t:s0 /tmp/krb5cc_501_4VliSn

[louis@travel ~]$ ps ax |grep gdm
 1715 ?        Ss     0:00 /usr/sbin/gdm-binary -nodaemon
 1757 ?        S      0:00 /usr/libexec/gdm-simple-slave --display-id /org/gnome/DisplayManager/Display1 --force-active-vt
 1758 tty1     Rs+    3:03 /usr/bin/Xorg :0 -nr -verbose -auth /var/run/gdm/auth-for-gdm-AnNl4J/database -nolisten tcp vt1
 1831 ?        S      0:00 pam: gdm-password
 5416 pts/0    S+     0:00 grep gdm

Comment 4 Daniel Walsh 2009-12-31 13:56:34 UTC

Are the xserver_tmp_t ones older?  Could you remove all of the krb5cc files and relogin, and see if some are created with a context other then user_tmp_t?

Comment 5 Louis Lagendijk 2009-12-31 15:09:09 UTC

The xserver_tmp_t get created together with a user_tmp_t one at login. After removing all old  krb5cc* and login I have in /tmp:


-rw-------. louis users system_u:object_r:xserver_tmp_t:s0 /tmp/krb5cc_501_5DX3C8
-rw-------. louis users unconfined_u:object_r:user_tmp_t:s0 /tmp/krb5cc_501_MZ19Hz
-rw-------. root  root  system_u:object_r:gssd_tmp_t:s0  /tmp/krb5cc_machine_FAZANT.NET

Comment 6 Daniel Walsh 2010-01-04 15:54:28 UTC

Ok gssd can read all of the labels here.  So it should work.

I will also allow it to read tmp_t which would probably be a mislabeled file.

Comment 8 Daniel Walsh 2010-01-04 15:55:42 UTC

Fixed in selinux-policy-3.6.32-66.fc12.noarch

Comment 9 Fedora Update System 2010-01-04 21:53:25 UTC

selinux-policy-3.6.32-66.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-66.fc12

Comment 13 Fedora Update System 2010-01-05 22:49:26 UTC

selinux-policy-3.6.32-66.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2010-0184

Comment 14 Fedora Update System 2010-01-08 20:04:10 UTC

selinux-policy-3.6.32-66.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.