Bug 1022674 - avc prevents newer rpc.gssd from working
avc prevents newer rpc.gssd from working
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
20
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Miroslav Grepl
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2013-10-23 14:50 EDT by Simo Sorce
Modified: 2014-01-16 02:09 EST (History)
7 users (show)

See Also:
Fixed In Version: selinux-policy-3.12.1-116.fc20
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-01-16 02:09:01 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Simo Sorce 2013-10-23 14:50:33 EDT
The latest upstream rpc.gssd change the way it operates when looking for credential caches.

It now forks and changes uid/gid to match that of the user it is acting on behalf of.

This fails to work in enforcing mode with the following inital AVC:
type=AVC msg=audit(1382553437.940:526): avc:  denied  { setgid } for  pid=3988 comm="rpc.gssd" capability=6  scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:system_r:gssd_t:s0 tclass=capability

I do not see a matching avc for setuid() but I suspect it would crop up as well if the code would proceed as the code now tries to setresgid() first and if successful it does a setresuid().
For some reason I see no AVC at all when I set the mode to permissive.

I tested this on Fedora 19, where it would be nice to have selinux changes too, however afaik the nfs-utils change is expected to land only in Fedora 20 (which is why I am filing against F20) so if you want to change this only in F20 I guess that's fine.
Comment 1 Enrico Scholz 2014-01-06 18:00:01 EST
I see this sequence after 'setenforce 0'

----
avc:  denied  { setgid } for  pid=11221 comm="rpc.gssd" capability=6  scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:system_r:gssd_t:s0 tclass=capability
avc:  denied  { read } for  pid=11221 comm="rpc.gssd" scontext=system_u:system_r:gssd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=key
avc:  denied  { write } for  pid=11221 comm="rpc.gssd" scontext=system_u:system_r:gssd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=key
avc:  denied  { setattr } for  pid=11221 comm="rpc.gssd" scontext=system_u:system_r:gssd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=key
----
Comment 2 Daniel Walsh 2014-01-07 10:06:01 EST
3c6e7b512b577a8755aa44132e501b3a62c4c5d2 adds this access to git.
Comment 3 Enrico Scholz 2014-01-10 07:18:31 EST
I have to add other key-class related rules to make nfs work:

#============= gssd_t ==============
allow gssd_t unconfined_t:key { read write setattr };
allow gssd_t xdm_t:key { read write setattr };

#============= local_login_t ==============
allow local_login_t gssd_t:key { read write view };
allow local_login_t xdm_t:key { read write setattr };

#============= xdm_t ==============
allow xdm_t gssd_t:key { read write view };
allow sshd_t gssd_t:key read;

(I am not sure whether they are really required, but related AVCs appear when logging in through 'kdm', on the console or with 'ssh')
Comment 4 Daniel Walsh 2014-01-10 13:24:44 EST
Miroslav I think for now in F20 we should just give everyone full access to all key rings and rely on DAC for separation, until we get a sane way to handle this.

allow domain domain:key manage_key_perms;

I have no idea why these rules above make sense.  Key rings should by default get labeled with user types, not random service types.
Comment 5 Miroslav Grepl 2014-01-13 04:00:10 EST
Ok. Added.


#!!!! This avc is allowed in the current policy
allow gssd_t unconfined_t:key { read write setattr };
Comment 6 Miroslav Grepl 2014-01-13 04:01:34 EST
commit 95980bb9fe3c2b945670f0b1a3163d9a07280c11
Author: Miroslav Grepl <mgrepl@redhat.com>
Date:   Mon Jan 13 10:01:04 2014 +0100

    Allow also setgid cap for rpc.gssd


commit 2693e85a11b1d98ef1723401038fbcfc0b05f311
Author: Miroslav Grepl <mgrepl@redhat.com>
Date:   Mon Jan 13 08:41:31 2014 +0100

    Add give everyone full access to all key rings
Comment 7 Fedora Update System 2014-01-13 17:54:49 EST
selinux-policy-3.12.1-116.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-116.fc20
Comment 8 Fedora Update System 2014-01-15 00:56:30 EST
Package selinux-policy-3.12.1-116.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-116.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-0806/selinux-policy-3.12.1-116.fc20
then log in and leave karma (feedback).
Comment 9 Fedora Update System 2014-01-16 02:09:01 EST
selinux-policy-3.12.1-116.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.