Bug 556632
| Field | Value |
|---|---|
| Summary | SELinux is preventing /usr/sbin/rpc.gssd "read" access on kdcinfo... |
| Product | Fedora |
| Component | selinux-policy |
| Status | CLOSED ERRATA |
| Severity | medium |
| Priority | low |
| Version | 12 |
| Hardware | i686 |
| OS | Linux |
| Reporter | Anthony Messina <amessina> |
| Assignee | Miroslav Grepl <mgrepl> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | dwalsh, jhrozek, mgrepl, sbose, sgallagh, ssorce |
| Keywords | Reopened |
| Fixed In Version | 3.6.32-73.fc12 |
| Doc Type | Bug Fix |
| Last Closed | 2010-01-28 01:01:26 UTC |

Description
Anthony Messina
2010-01-18 22:46:59 UTC
Is there any reason rpc.gssd would be reading content in /var/lib/rpc.gssd? Other domains that will need this access?

kdcinfo.MESSINET.COM is under /var/lib/sss/pubconf and it is used by krb5 libraries when sssd is installed, as sssd drops in a locator plugin. Every process that uses krb5 libraries should be enabled to read /var/lib/sss/pubconf, just like every process that is allowed to call getpwnam() should be allowed to access /var/lib/sss/pipes/nss.

Created attachment 385426 [details]
Patch to allow kerberos apps to read files in /var/lib/sssd/pubconf

Miroslav can you add this patch to F12?

Fixed in selinux-policy-3.6.32-72.fc12.noarch

selinux-policy-3.6.32-73.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-73.fc12

selinux-policy-3.6.32-73.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2010-0858

Fix confirmed with: selinux-policy-targeted-3.6.32-73.fc12.noarch

(In reply to comment #7)
> Fix confirmed with: selinux-policy-targeted-3.6.32-73.fc12.noarch

I must apologize for closing early... With the above mentioned version (on i686, not x86_64), the error changes to:

```
node=mobile-ws2.chicago.messinet.com type=AVC msg=audit(1264115946.257:31): avc: denied { search } for pid=1013 comm="rpc.gssd" name="pubconf" dev=dm-2 ino=135228 scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=dir
node=mobile-ws2.chicago.messinet.com type=SYSCALL msg=audit(1264115946.257:31): arch=40000003 syscall=5 success=no exit=-13 a0=1b9d498 a1=8000 a2=0 a3=1bbc008 items=0 ppid=1 pid=1013 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=503 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc.gssd" exe="/usr/sbin/rpc.gssd" subj=system_u:system_r:gssd_t:s0 key=(null)
```

```
~]# grep pubconf /var/log/audit/audit.log | audit2allow


#============= gssd_t ==============
allow gssd_t sssd_public_t:dir search;
```

(In reply to comment #8)
> ~]# grep pubconf /var/log/audit/audit.log | audit2allow
>
>
> #============= gssd_t ==============
> allow gssd_t sssd_public_t:dir search;

After putting in that temporary policy fix, I'm back to the original bug report:

```
node=mobile-ws2.chicago.messinet.com type=AVC msg=audit(1264117543.316:49): avc: denied { read } for pid=1013 comm="rpc.gssd" name="kdcinfo.MESSINET.COM" dev=dm-2 ino=134623 scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file
node=mobile-ws2.chicago.messinet.com type=SYSCALL msg=audit(1264117543.316:49): arch=40000003 syscall=5 success=no exit=-13 a0=1bbca38 a1=8000 a2=0 a3=1bbc6b8 items=0 ppid=1 pid=1013 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=503 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc.gssd" exe="/usr/sbin/rpc.gssd" subj=system_u:system_r:gssd_t:s0 key=(null)
```

Karma updated.

Miroslav, gssd_read_config_files() needs to be removed from kerberos_use()

Fixed in selinux-policy-3.6.32-76.fc12.noarch

selinux-policy-3.6.32-73.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
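The thread above shows a two-step denial: with the first update, rpc.gssd was denied `search` on the `pubconf` directory; once that was allowed locally, the original `read` denial on `kdcinfo.MESSINET.COM` came back. That is normal SELinux behaviour, because path lookup needs `search` on every parent directory before the file's own permission is ever checked, so one `audit2allow` pass rarely shows the full set of missing permissions. The script below is an added illustration and not part of the bug report or of the selinux-policy package: it parses the AVC records quoted in the report (the SYSCALL records are embedded too and are skipped), extracts source type, target type, object class and permission set, and merges them into allow rules the way the `audit2allow` run in the report does. The function names and the regular expression are this example's own.

```python
import re
from collections import defaultdict

# Sample input: the two AVC/SYSCALL pairs quoted in the bug report above.
# The first pair appeared with selinux-policy-3.6.32-73.fc12, the second only
# after "allow gssd_t sssd_public_t:dir search;" had been loaded locally.
AUDIT_LOG = """\
node=mobile-ws2.chicago.messinet.com type=AVC msg=audit(1264115946.257:31): avc: denied { search } for pid=1013 comm="rpc.gssd" name="pubconf" dev=dm-2 ino=135228 scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=dir
node=mobile-ws2.chicago.messinet.com type=SYSCALL msg=audit(1264115946.257:31): arch=40000003 syscall=5 success=no exit=-13 a0=1b9d498 a1=8000 a2=0 a3=1bbc008 items=0 ppid=1 pid=1013 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=503 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc.gssd" exe="/usr/sbin/rpc.gssd" subj=system_u:system_r:gssd_t:s0 key=(null)
node=mobile-ws2.chicago.messinet.com type=AVC msg=audit(1264117543.316:49): avc: denied { read } for pid=1013 comm="rpc.gssd" name="kdcinfo.MESSINET.COM" dev=dm-2 ino=134623 scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file
node=mobile-ws2.chicago.messinet.com type=SYSCALL msg=audit(1264117543.316:49): arch=40000003 syscall=5 success=no exit=-13 a0=1bbca38 a1=8000 a2=0 a3=1bbc6b8 items=0 ppid=1 pid=1013 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=503 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc.gssd" exe="/usr/sbin/rpc.gssd" subj=system_u:system_r:gssd_t:s0 key=(null)
"""

# Matches only AVC records; SYSCALL records never contain "avc: denied".
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'.*?\bscontext=(?P<scontext>\S+)'
    r'.*?\btcontext=(?P<tcontext>\S+)'
    r'.*?\btclass=(?P<tclass>\S+)'
)


def type_of(context):
    """Return the type field of a user:role:type[:range] SELinux context."""
    return context.split(":")[2]


def parse_denials(log):
    """Return (source_type, target_type, class, frozenset(perms)) per AVC record."""
    denials = []
    for line in log.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL and other record types carry no AVC decision
        denials.append((
            type_of(m["scontext"]),
            type_of(m["tcontext"]),
            m["tclass"],
            frozenset(m["perms"].split()),
        ))
    return denials


def allow_rules(denials):
    """Merge denials into one allow rule per (source, target, class) tuple.

    Note that the rules only cover denials that have already been logged: a
    missing 'search' on a parent directory masks the file-level check, so the
    log must be re-collected after each policy change, as happened in the
    report above. The fix that was accepted there put the access into the
    shared kerberos_use() interface instead of a per-domain local rule.
    """
    merged = defaultdict(set)
    for src, tgt, cls, perms in denials:
        merged[(src, tgt, cls)] |= perms
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        perm_txt = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_txt = "{ %s }" % perm_txt
        rules.append(f"allow {src} {tgt}:{cls} {perm_txt};")
    return rules


if __name__ == "__main__":
    for rule in allow_rules(parse_denials(AUDIT_LOG)):
        print(rule)
```

Run on the report's records the script emits one rule for the directory and one for the file, which matches the `audit2allow` output quoted above for the first denial. When feeding real `/var/log/audit/audit.log` data to such a tool, review each rule against what the confined domain actually needs (here: read access to the sssd public directory that the krb5 locator plugin uses) rather than loading the output as-is.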