Bug 1127721 - AVC denial in rpc.gssd
Summary: AVC denial in rpc.gssd
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.11
Hardware: x86_64
OS: Linux
Target Milestone: rc
Assignee: Miroslav Grepl
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2014-08-07 12:09 UTC by Xiyang Dong
Modified: 2017-04-18 21:54 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-04-18 21:54:33 UTC



Description Xiyang Dong 2014-08-07 12:09:35 UTC
Description of problem:
AVC denial in rpc.gssd 

Version-Release number of selected component (if applicable):
this happens in rhel7.0 but not in rhel6.6
selinux-policy-2.4.6-350.el5
sssd-1.5.1-71.el5
nfs-utils-1.0.9-71.el5

How reproducible:
Always

Steps to Reproduce:
test case I ran:

    rlPhaseStartTest "ipa-client-cert-client-008:ipa client NFS4 Kerberized mount"
        rlRun "kinitAs $ADMINID $ADMINPW" 0 "Kinit as admin user"
        # Release number, e.g. "5.11" out of "Red Hat Enterprise Linux Server release 5.11 (Tikanga)"
        client_version=$(cut -d " " -f7 /etc/redhat-release)
        # 1 if the client is RHEL 5.x or 6.x, 0 otherwise. A character class like "5\.[0-15]"
        # matches only the digits 0, 1 and 5, so it misses 5.2-5.4 and 5.6-5.9; anchor on the major version instead.
        pre_rhel7=$(echo "$client_version" | grep -Ec '^[56]\.')
        #If IPA Client is in pre-rhel6,then add allow_weak_crypto = true to all servers/clients,then restart sssd service
        if [ "$pre_rhel7" -gt 0 ]; then
            rlRun "sed -i 's/\[libdefaults\]/[libdefaults]\n allow_weak_crypto = true/' /etc/krb5.conf" 0 "add allow_weak_crypto = true to /etc/krb5.conf"
            rlRun "service sssd restart" 0 "restart sssd service"
        fi
        #If IPA Client is pre-rhel7, download IPA Client NFS service keytab
        if [ "$pre_rhel7" -gt 0 ]; then
            rlRun "ipa-getkeytab -k /etc/krb5.keytab -s $MASTER -p nfs/$CLIENT" 0 "download IPA client NFS service keytab"
        fi
        rlRun "echo 'SECURE_NFS=\"yes\"' >> /etc/sysconfig/nfs" 0 "configure NFS service to use kerberos server as authentication server"
        rlRun "service rpcgssd restart;service rpcidmapd restart" 0 "restart NFS client services"
        #If IPA Client is pre-rhel7,restart portmap, if IPA client is rhel7 or later, restart rpcbind
        if [ "$pre_rhel7" -gt 0 ]; then
            rlRun "service portmap restart" 0 "restart portmap"
        else
            rlRun "service rpcbind restart" 0 "restart rpcbind"
        fi
        rlRun "mkdir /nfsdir" 0 "create mount point dir"
        rlRun "mount -o sec=krb5p -t nfs4 $MASTER:/export /nfsdir" 0 "mount export dir"
        rlRun "mount -s|grep nfsdir" 0 "verify that export dir is mounted on client successfully"
        kdestroy
    rlPhaseEnd


Actual results:

Info: Searching AVC errors produced since 1407357255 (Wed Aug  6 16:34:15 2014)
Searching logs...
Running '/usr/bin/env LC_ALL=en_US.UTF-8 /sbin/ausearch -m AVC -m USER_AVC -m SELINUX_ERR -ts 08/06/2014 16:34:15 < /dev/null >/mnt/testarea/tmp.rhts-db-submit-result.8ClEsa 2>&1'
----
time->Wed Aug  6 16:35:06 2014
type=SYSCALL msg=audit(1407357306.502:51): arch=c000003e syscall=21 success=no exit=-13 a0=3ae3250 a1=2 a2=2abb78635ba0 a3=0 items=0 ppid=20584 pid=20585 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sssd_be" exe="/usr/libexec/sssd/sssd_be" subj=root:system_r:sssd_t:s0 key=(null)
type=AVC msg=audit(1407357306.502:51): avc:  denied  { write } for  pid=20585 comm="sssd_be" name="krb5.conf" dev=dm-0 ino=2950802 scontext=root:system_r:sssd_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file
----
time->Wed Aug  6 16:35:07 2014
type=SYSCALL msg=audit(1407357307.704:52): arch=c000003e syscall=21 success=no exit=-13 a0=2adb38cdd630 a1=2 a2=d a3=0 items=0 ppid=20718 pid=20719 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc.gssd" exe="/usr/sbin/rpc.gssd" subj=root:system_r:gssd_t:s0 key=(null)
type=AVC msg=audit(1407357307.704:52): avc:  denied  { write } for  pid=20719 comm="rpc.gssd" name="krb5.conf" dev=dm-0 ino=2950802 scontext=root:system_r:gssd_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file
----
time->Wed Aug  6 16:35:08 2014
type=SYSCALL msg=audit(1407357308.762:53): arch=c000003e syscall=21 success=no exit=-13 a0=2adb38ce2350 a1=2 a2=2adb1ae6dba0 a3=65726373662f7274 items=0 ppid=1 pid=20719 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc.gssd" exe="/usr/sbin/rpc.gssd" subj=root:system_r:gssd_t:s0 key=(null)
type=AVC msg=audit(1407357308.762:53): avc:  denied  { write } for  pid=20719 comm="rpc.gssd" name="krb5.conf" dev=dm-0 ino=2950802 scontext=root:system_r:gssd_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file
----
time->Wed Aug  6 16:35:08 2014
type=SYSCALL msg=audit(1407357308.763:54): arch=c000003e syscall=21 success=no exit=-13 a0=2adb38ce2350 a1=2 a2=2adb1ae6dba0 a3=65726373662f7274 items=0 ppid=1 pid=20719 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc.gssd" exe="/usr/sbin/rpc.gssd" subj=root:system_r:gssd_t:s0 key=(null)
type=AVC msg=audit(1407357308.763:54): avc:  denied  { write } for  pid=20719 comm="rpc.gssd" name="krb5.conf" dev=dm-0 ino=2950802 scontext=root:system_r:gssd_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file
----
time->Wed Aug  6 16:35:08 2014
type=SYSCALL msg=audit(1407357308.764:55): arch=c000003e syscall=21 success=no exit=-13 a0=2adb38ce2350 a1=2 a2=2adb1ae6dba0 a3=65726373662f7274 items=0 ppid=1 pid=20719 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc.gssd" exe="/usr/sbin/rpc.gssd" subj=root:system_r:gssd_t:s0 key=(null)
type=AVC msg=audit(1407357308.764:55): avc:  denied  { write } for  pid=20719 comm="rpc.gssd" name="krb5.conf" dev=dm-0 ino=2950802 scontext=root:system_r:gssd_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file
----
time->Wed Aug  6 16:35:08 2014
type=SYSCALL msg=audit(1407357308.765:56): arch=c000003e syscall=21 success=no exit=-13 a0=2adb38ce0e80 a1=2 a2=2adb1ae6dba0 a3=65726373662f7274 items=0 ppid=1 pid=20719 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc.gssd" exe="/usr/sbin/rpc.gssd" subj=root:system_r:gssd_t:s0 key=(null)
type=AVC msg=audit(1407357308.765:56): avc:  denied  { write } for  pid=20719 comm="rpc.gssd" name="krb5.conf" dev=dm-0 ino=2950802 scontext=root:system_r:gssd_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file
----
time->Wed Aug  6 16:35:08 2014
type=SYSCALL msg=audit(1407357308.765:57): arch=c000003e syscall=21 success=no exit=-13 a0=2adb38ce4100 a1=2 a2=2adb1ae6dba0 a3=65726373662f7274 items=0 ppid=1 pid=20719 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc.gssd" exe="/usr/sbin/rpc.gssd" subj=root:system_r:gssd_t:s0 key=(null)
type=AVC msg=audit(1407357308.765:57): avc:  denied  { write } for  pid=20719 comm="rpc.gssd" name="krb5.conf" dev=dm-0 ino=2950802 scontext=root:system_r:gssd_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file
----
time->Wed Aug  6 16:35:08 2014
type=SYSCALL msg=audit(1407357308.766:58): arch=c000003e syscall=21 success=no exit=-13 a0=2adb38ce4140 a1=2 a2=2adb1ae6dba0 a3=65726373662f7274 items=0 ppid=1 pid=20719 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc.gssd" exe="/usr/sbin/rpc.gssd" subj=root:system_r:gssd_t:s0 key=(null)
type=AVC msg=audit(1407357308.766:58): avc:  denied  { write } for  pid=20719 comm="rpc.gssd" name="krb5.conf" dev=dm-0 ino=2950802 scontext=root:system_r:gssd_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file
----
time->Wed Aug  6 16:35:08 2014
type=SYSCALL msg=audit(1407357308.766:59): arch=c000003e syscall=21 success=no exit=-13 a0=2adb38ce44c0 a1=2 a2=2adb1ae6dba0 a3=65726373662f7274 items=0 ppid=1 pid=20719 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc.gssd" exe="/usr/sbin/rpc.gssd" subj=root:system_r:gssd_t:s0 key=(null)
type=AVC msg=audit(1407357308.766:59): avc:  denied  { write } for  pid=20719 comm="rpc.gssd" name="krb5.conf" dev=dm-0 ino=2950802 scontext=root:system_r:gssd_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file
----
time->Wed Aug  6 16:35:08 2014
type=SYSCALL msg=audit(1407357308.766:60): arch=c000003e syscall=21 success=no exit=-13 a0=2adb38ce44c0 a1=2 a2=2adb1ae6dba0 a3=65726373662f7274 items=0 ppid=1 pid=20719 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc.gssd" exe="/usr/sbin/rpc.gssd" subj=root:system_r:gssd_t:s0 key=(null)
type=AVC msg=audit(1407357308.766:60): avc:  denied  { write } for  pid=20719 comm="rpc.gssd" name="krb5.conf" dev=dm-0 ino=2950802 scontext=root:system_r:gssd_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file
----
time->Wed Aug  6 16:35:08 2014
type=SYSCALL msg=audit(1407357308.767:61): arch=c000003e syscall=21 success=no exit=-13 a0=2adb38ce44c0 a1=2 a2=2adb1ae6dba0 a3=65726373662f7274 items=0 ppid=1 pid=20719 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc.gssd" exe="/usr/sbin/rpc.gssd" subj=root:system_r:gssd_t:s0 key=(null)
type=AVC msg=audit(1407357308.767:61): avc:  denied  { write } for  pid=20719 comm="rpc.gssd" name="krb5.conf" dev=dm-0 ino=2950802 scontext=root:system_r:gssd_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file
----
time->Wed Aug  6 16:35:08 2014
type=SYSCALL msg=audit(1407357308.767:62): arch=c000003e syscall=21 success=no exit=-13 a0=2adb38ce0ef0 a1=2 a2=2adb1ae6dba0 a3=65726373662f7274 items=0 ppid=1 pid=20719 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc.gssd" exe="/usr/sbin/rpc.gssd" subj=root:system_r:gssd_t:s0 key=(null)
type=AVC msg=audit(1407357308.767:62): avc:  denied  { write } for  pid=20719 comm="rpc.gssd" name="krb5.conf" dev=dm-0 ino=2950802 scontext=root:system_r:gssd_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file
----
time->Wed Aug  6 16:35:08 2014
type=SYSCALL msg=audit(1407357308.774:63): arch=c000003e syscall=21 success=no exit=-13 a0=2adb38ce0ef0 a1=2 a2=2adb1ae6dba0 a3=65726373662f7274 items=0 ppid=1 pid=20719 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc.gssd" exe="/usr/sbin/rpc.gssd" subj=root:system_r:gssd_t:s0 key=(null)
type=AVC msg=audit(1407357308.774:63): avc:  denied  { write } for  pid=20719 comm="rpc.gssd" name="krb5.conf" dev=dm-0 ino=2950802 scontext=root:system_r:gssd_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file
----
time->Wed Aug  6 16:35:08 2014
type=SYSCALL msg=audit(1407357308.775:64): arch=c000003e syscall=21 success=no exit=-13 a0=2adb38ce0ef0 a1=2 a2=2adb1ae6dba0 a3=65726373662f7274 items=0 ppid=1 pid=20719 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc.gssd" exe="/usr/sbin/rpc.gssd" subj=root:system_r:gssd_t:s0 key=(null)
type=AVC msg=audit(1407357308.775:64): avc:  denied  { write } for  pid=20719 comm="rpc.gssd" name="krb5.conf" dev=dm-0 ino=2950802 scontext=root:system_r:gssd_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file
Fail: AVC messages found.
Checking for errors...
Using stronger AVC checks.
	Define empty RHTS_OPTION_STRONGER_AVC parameter if this causes any problems.
Running 'cat /mnt/testarea/tmp.rhts-db-submit-result.8ClEsa | /sbin/ausearch -m AVC -m SELINUX_ERR'
Fail: AVC messages found.
Running 'cat %s | /sbin/ausearch -m USER_AVC >/mnt/testarea/tmp.rhts-db-submit-result.DanBxG 2>&1'
Info: No AVC messages found.
/bin/grep 'avc: ' /mnt/testarea/dmesg.log | /bin/grep --invert-match TESTOUT.log
No AVC messages found in dmesg
Running '/usr/sbin/sestatus'
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 21
Policy from config file:        targeted
Running 'rpm -q selinux-policy || true'
selinux-policy-2.4.6-350.el5


Expected results:
no AVC denial showing up

Additional info:
[root@dell-pesc1425-01 ~]# cat /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 EXAMPLE.COM = {
  kdc = kerberos.example.com:88
  admin_server = kerberos.example.com:749
  default_domain = example.com
 }

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

Comment 2 Milos Malik 2014-08-07 17:07:13 UTC
The /etc/krb5.conf file is mislabeled. Please run the following command:

# restorecon -Rv /etc

Comment 3 Xiyang Dong 2014-08-07 17:12:04 UTC
[root@dell-pesc1425-01 ~]# restorecon -Rv /etc
restorecon reset /etc/sysconfig/mkinitrd/multipath context system_u:object_r:file_t:s0->system_u:object_r:etc_t:s0
restorecon reset /etc/sysconfig/firstboot context system_u:object_r:etc_t:s0->system_u:object_r:etc_runtime_t:s0
restorecon reset /etc/inittab context system_u:object_r:etc_runtime_t:s0->system_u:object_r:etc_t:s0
restorecon reset /etc/resolv.conf.ipabackup context root:object_r:etc_t:s0->system_u:object_r:net_conf_t:s0
restorecon reset /etc/resolv.conf.10.16.101.41 context root:object_r:etc_t:s0->system_u:object_r:net_conf_t:s0
restorecon reset /etc/modprobe.d/anaconda.conf context system_u:object_r:file_t:s0->system_u:object_r:etc_t:s0

Comment 4 Milos Malik 2014-08-07 17:13:36 UTC
Does rpc.gssd need to write to /etc/krb5.conf?

Why is the bug reported against RHEL-7, when you mention RHEL-5 packages in the description?

this happens in rhel7.0 but not in rhel6.6

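A way to answer the "does rpc.gssd need to write" question from the records already in this report: the following is an added triage script, not part of the report or of any Red Hat tool. It joins each AVC record with the SYSCALL record that shares its audit serial and decodes the call: arch=c000003e is x86_64, where syscall 21 is access(2), and a1=2 is W_OK, so the denials above come from a writability check on krb5.conf, not from a completed write (exit=-13 is EACCES). The two sample events are copied verbatim from the "Actual results" output; the syscall table is only the small subset this page needs.

```python
import re
from collections import defaultdict

# Two events copied verbatim from the audit output in this report (serials 51 and 52).
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1407357306.502:51): arch=c000003e syscall=21 success=no exit=-13 a0=3ae3250 a1=2 a2=2abb78635ba0 a3=0 items=0 ppid=20584 pid=20585 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sssd_be" exe="/usr/libexec/sssd/sssd_be" subj=root:system_r:sssd_t:s0 key=(null)
type=AVC msg=audit(1407357306.502:51): avc:  denied  { write } for  pid=20585 comm="sssd_be" name="krb5.conf" dev=dm-0 ino=2950802 scontext=root:system_r:sssd_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1407357307.704:52): arch=c000003e syscall=21 success=no exit=-13 a0=2adb38cdd630 a1=2 a2=d a3=0 items=0 ppid=20718 pid=20719 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc.gssd" exe="/usr/sbin/rpc.gssd" subj=root:system_r:gssd_t:s0 key=(null)
type=AVC msg=audit(1407357307.704:52): avc:  denied  { write } for  pid=20719 comm="rpc.gssd" name="krb5.conf" dev=dm-0 ino=2950802 scontext=root:system_r:gssd_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file
"""
# Only what this report needs: arch c000003e is x86_64, where syscall 21 is access(2).
X86_64_SYSCALLS = {2: "open", 21: "access", 257: "openat"}
ACCESS_MODE_BITS = {4: "R_OK", 2: "W_OK", 1: "X_OK"}  # mode 0 is F_OK
HEADER_RE = re.compile(r'type=(\w+) msg=audit\(([\d.]+):(\d+)\):(.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERM_RE = re.compile(r'\{ ([^}]*) \}')

def parse_audit(text):
    """Group the SYSCALL and AVC records of an ausearch dump by audit serial."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if not m:
            continue
        rtype, _ts, serial, rest = m.groups()
        rec = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
        if rtype == "AVC":  # "{ write }" is not a key=value field
            rec["perms"] = PERM_RE.search(rest).group(1).split()
        events[int(serial)][rtype] = rec
    return events

def triage(events):
    """Join each AVC with its SYSCALL record and state what the process actually asked for."""
    findings = []
    for serial, ev in sorted(events.items()):
        avc, sc = ev.get("AVC"), ev.get("SYSCALL")
        if avc is None or sc is None:
            continue
        nr = int(sc["syscall"])
        sysname = X86_64_SYSCALLS.get(nr, f"syscall_{nr}") if sc["arch"] == "c000003e" else f"arch_{sc['arch']}_{nr}"
        note = f"{sysname}() denied; the process attempted the operation itself"
        if sysname == "access":  # a1 is the mode argument, logged in hex
            bits = [n for b, n in ACCESS_MODE_BITS.items() if int(sc["a1"], 16) & b] or ["F_OK"]
            note = f"access({'|'.join(bits)}) permission probe; nothing was written"
        findings.append({"serial": serial, "file": avc["name"], "perms": avc["perms"],
                         "source_type": avc["scontext"].split(":")[2],
                         "target_type": avc["tcontext"].split(":")[2],
                         "syscall": sysname, "exit": int(sc["exit"]), "note": note})
    return findings
```

Run it over the full ausearch output with parse_audit(open(path).read()) to see every serial decoded the same way; a denial whose SYSCALL record is open/openat with a write flag would be the case that actually needs a policy decision.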
Comment 7 Chris Williams 2017-04-18 21:54:33 UTC
Red Hat Enterprise Linux 5 shipped its last minor release, 5.11, on September 14th, 2014. On March 31st, 2017 RHEL 5 exited Production Phase 3 and entered Extended Life Phase. For RHEL releases in the Extended Life Phase, Red Hat will provide limited ongoing technical support. No bug fixes, security fixes, hardware enablement or root-cause analysis will be available during this phase, and support will be provided on existing installations only. If the customer purchases the Extended Life-cycle Support (ELS), certain critical-impact security fixes and selected urgent priority bug fixes for the last minor release will be provided. For more details please consult the Red Hat Enterprise Linux Life Cycle Page:
https://access.redhat.com/support/policy/updates/errata

This BZ does not appear to meet ELS criteria so is being closed WONTFIX. If this BZ is critical for your environment and you have an Extended Life-cycle Support Add-on entitlement, please open a case in the Red Hat Customer Portal, https://access.redhat.com, provide a thorough business justification and ask that the BZ be re-opened for consideration of an errata. Please note, only certain critical-impact security fixes and selected urgent priority bug fixes for the last minor release can be considered.

