Bug 704261

Summary: avc: denied { getattr } for pid=1142 comm="rpc.gssd" path="/tmp/krb5cc_1744_Gfgmsi1529" dev=tmpfs ino=13247 scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:object_r:sshd_tmp_t:s0 tclass=file
Product: Red Hat Enterprise Linux 6
Reporter: Orion Poplawski <orion>
Component: selinux-policy
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED NEXTRELEASE
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 6.0
CC: dwalsh, mgrepl
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2011-05-13 08:54:24 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:

Description Orion Poplawski 2011-05-12 15:40:47 UTC
Description of problem:

I'm using ssh Kerberos ticket forwarding. rpc.gssd is not able to read my Kerberos ticket cache:

type=AVC msg=audit(1305214340.580:25): avc:  denied  { getattr } for  pid=1142 comm="rpc.gssd" path="/tmp/krb5cc_1744_Gfgmsi1529" dev=tmpfs ino=13247 scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:object_r:sshd_tmp_t:s0 tclass=file

[root@vmsl6 ~]# getsebool -a | grep gss
allow_gssd_read_tmp --> on
[root@vmsl6 ~]# restorecon -r -v /tmp

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-54.el6_0.5.noarch

If I run kinit, the new ticket cache gets created with user_tmp_t permissions and everything works.
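The denial above is a labelling problem, not a boolean problem: allow_gssd_read_tmp is on, yet the forwarded ticket cache carries sshd_tmp_t rather than the user_tmp_t that a kinit-created cache gets. The following triage script is an added example, not code from the bug report or from the selinux-policy package. It parses AVC records and the getsebool output quoted above and tells the two cases apart. Its assumptions are labelled in the code: the mapping of allow_gssd_read_tmp to "gssd_t may read user_tmp_t" is taken from the reporter's kinit observation, not from the policy source; the second audit record is constructed here to show a cache that already has the user_tmp_t label; and the verdict wording is mine.

```python
import re
from dataclasses import dataclass

# Constructed sample input. The first record is the AVC line quoted in the
# report; the second is made up for this example to show a cache that
# already carries the user_tmp_t label the reporter saw after kinit.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1305214340.580:25): avc:  denied  { getattr } for  pid=1142 comm="rpc.gssd" path="/tmp/krb5cc_1744_Gfgmsi1529" dev=tmpfs ino=13247 scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:object_r:sshd_tmp_t:s0 tclass=file
type=AVC msg=audit(1305214400.100:26): avc:  denied  { read } for  pid=1142 comm="rpc.gssd" path="/tmp/krb5cc_1744_wMvNpY4397" dev=tmpfs ino=13260 scontext=system_u:system_r:gssd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
"""

# Constructed: the `getsebool -a | grep gss` output from the report.
SAMPLE_GETSEBOOL = "allow_gssd_read_tmp --> on\n"

# Assumption, taken from the reporter's observation rather than from the
# policy source: with allow_gssd_read_tmp on, gssd_t may read user_tmp_t
# files. Nothing on the page says the boolean covers sshd_tmp_t.
BOOLEAN_COVERAGE = {
    "allow_gssd_read_tmp": ("gssd_t", {"user_tmp_t"}),
}

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<decision>denied|granted)\s+\{ (?P<perms>[^}]*)\} for\s+(?P<rest>.*)$"
)
# key=value pairs; comm= and path= are double-quoted, the rest are bare.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


@dataclass
class Avc:
    timestamp: float
    serial: int
    decision: str
    perms: list
    fields: dict  # pid, comm, path, scontext, tcontext, tclass, ...

    @property
    def source_type(self):
        return self.fields["scontext"].split(":")[2]

    @property
    def target_type(self):
        return self.fields["tcontext"].split(":")[2]


def parse_avc(line):
    """Parse one type=AVC audit record; return None for any other line."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {}
    for key, value in KV_RE.findall(m.group("rest")):
        if value.startswith('"'):
            value = value[1:-1]
        fields[key] = value
    return Avc(float(m.group("ts")), int(m.group("serial")),
               m.group("decision"), m.group("perms").split(), fields)


def parse_getsebool(text):
    """Turn `name --> on|off` lines into {name: bool}."""
    booleans = {}
    for line in text.splitlines():
        name, sep, state = line.partition(" --> ")
        if sep:
            booleans[name.strip()] = state.strip() == "on"
    return booleans


def diagnose(avc, booleans):
    """Classify a gssd_t denial. Returns (kind, detail), kind being one of
    boolean_off, boolean_on_still_denied, mislabel, unknown, not_a_denial."""
    if avc.decision != "denied":
        return ("not_a_denial", "")
    for name, (src, targets) in BOOLEAN_COVERAGE.items():
        if avc.source_type == src and avc.target_type in targets:
            if booleans.get(name, False):
                return ("boolean_on_still_denied",
                        f"{name} is on; re-check the installed policy version")
            return ("boolean_off", f"setsebool -P {name} on")
    path = avc.fields.get("path", "")
    if avc.source_type == "gssd_t" and path.startswith("/tmp/krb5cc_"):
        # Verdict wording is this example's, not the bug report's.
        return ("mislabel",
                f"{path} is {avc.target_type}; a cache rpc.gssd can read is "
                "created as user_tmp_t, so the creating domain's /tmp file "
                "transition is what needs fixing, not a boolean")
    return ("unknown", "")


def triage(audit_text, getsebool_text):
    """Run the classifier over an audit log excerpt."""
    booleans = parse_getsebool(getsebool_text)
    results = []
    for line in audit_text.splitlines():
        avc = parse_avc(line)
        if avc is not None:
            results.append((avc.serial, avc.target_type, *diagnose(avc, booleans)))
    return results


if __name__ == "__main__":
    for row in triage(SAMPLE_AUDIT, SAMPLE_GETSEBOOL):
        print(row)
```

The point of splitting on the target type is that `restorecon` cannot help here: the cache got sshd_tmp_t when it was created, and until the policy creates it as user_tmp_t (as Comment 3 confirms the updated policy does), no boolean setting changes the outcome.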

Comment 2 Miroslav Grepl 2011-05-12 16:28:33 UTC
This should be fixed in the latest RHEL6 policy. 

http://people.redhat.com/dwalsh/SELinux/RHEL6/noarch/

Comment 3 Orion Poplawski 2011-05-12 17:07:45 UTC
Confirmed.  Files get created with user_tmp_t:

-rw-------. orion cora unconfined_u:object_r:user_tmp_t:s0 krb5cc_1744_wMvNpY4397

Thanks.

Comment 4 RHEL Program Management 2011-05-13 06:00:52 UTC
Since RHEL 6.1 External Beta has begun, and this bug remains
unresolved, it has been rejected as it is not proposed as
exception or blocker.

Red Hat invites you to ask your support representative to
propose this request, if appropriate and relevant, in the
next release of Red Hat Enterprise Linux.

Comment 5 Miroslav Grepl 2011-05-13 08:54:24 UTC
Great.