The latest upstream rpc.gssd changes the way it operates when looking for credential caches. It now forks and changes uid/gid to match that of the user it is acting on behalf of. This fails to work in enforcing mode with the following initial AVC:

type=AVC msg=audit(1382553437.940:526): avc: denied { setgid } for pid=3988 comm="rpc.gssd" capability=6 scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:system_r:gssd_t:s0 tclass=capability

I do not see a matching AVC for setuid(), but I suspect it would crop up as well if the code would proceed, as the code now tries setresgid() first and, if successful, does a setresuid(). For some reason I see no AVC at all when I set the mode to permissive. I tested this on Fedora 19, where it would be nice to have SELinux changes too; however, AFAIK the nfs-utils change is expected to land only in Fedora 20 (which is why I am filing against F20), so if you want to change this only in F20 I guess that's fine.
I see this sequence after 'setenforce 0':

----
avc: denied { setgid } for pid=11221 comm="rpc.gssd" capability=6 scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:system_r:gssd_t:s0 tclass=capability
avc: denied { read } for pid=11221 comm="rpc.gssd" scontext=system_u:system_r:gssd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=key
avc: denied { write } for pid=11221 comm="rpc.gssd" scontext=system_u:system_r:gssd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=key
avc: denied { setattr } for pid=11221 comm="rpc.gssd" scontext=system_u:system_r:gssd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=key
----
3c6e7b512b577a8755aa44132e501b3a62c4c5d2 adds this access to git.
I have to add other key-class related rules to make NFS work:

#============= gssd_t ==============
allow gssd_t unconfined_t:key { read write setattr };
allow gssd_t xdm_t:key { read write setattr };

#============= local_login_t ==============
allow local_login_t gssd_t:key { read write view };
allow local_login_t xdm_t:key { read write setattr };

#============= xdm_t ==============
allow xdm_t gssd_t:key { read write view };

allow sshd_t gssd_t:key read;

(I am not sure whether they are really required, but related AVCs appear when logging in through 'kdm', on the console or with 'ssh'.)
Miroslav, I think for now in F20 we should just give everyone full access to all key rings and rely on DAC for separation, until we get a sane way to handle this.

allow domain domain:key manage_key_perms;

I have no idea why these rules above make sense. Key rings should by default get labeled with user types, not random service types.
Ok. Added.

#!!!! This avc is allowed in the current policy
allow gssd_t unconfined_t:key { read write setattr };
commit 95980bb9fe3c2b945670f0b1a3163d9a07280c11
Author: Miroslav Grepl <mgrepl>
Date:   Mon Jan 13 10:01:04 2014 +0100

    Allow also setgid cap for rpc.gssd

commit 2693e85a11b1d98ef1723401038fbcfc0b05f311
Author: Miroslav Grepl <mgrepl>
Date:   Mon Jan 13 08:41:31 2014 +0100

    Add give everyone full access to all key rings
selinux-policy-3.12.1-116.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-116.fc20
Package selinux-policy-3.12.1-116.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.

Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-116.fc20'
as soon as you are able to.

Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-0806/selinux-policy-3.12.1-116.fc20
then log in and leave karma (feedback).
selinux-policy-3.12.1-116.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.