Description of problem:
AVC denial in rpc.gssd

Version-Release number of selected component (if applicable):
this happens in rhel7.0 but not in rhel6.6
selinux-policy-2.4.6-350.el5
sssd-1.5.1-71.el5
nfs-utils-1.0.9-71.el5

How reproducible:
Always

Steps to Reproduce:
test case I ran:

rlPhaseStartTest "ipa-client-cert-client-008:ipa client NFS4 Kerberized mount"
    rlRun "kinitAs $ADMINID $ADMINPW" 0 "Kinit as admin user"
    client_version=`cat /etc/redhat-release |cut -d " " -f7`
    # If IPA Client is pre-rhel7 (5.x or 6.x), add allow_weak_crypto = true to all servers/clients, then restart sssd service
    # (character class fixed: "[0-15]" only matched the digits 0, 1 and 5; "[0-9]" matches every minor release)
    if [ $(echo $client_version|grep "5\.[0-9]"|wc -l) -gt 0 ] || [ $(echo $client_version|grep "6\.[0-9]"|wc -l) -gt 0 ];then
        rlRun "sed -i 's/\[libdefaults\]/[libdefaults]\n allow_weak_crypto = true/' /etc/krb5.conf" 0 "add allow_weak_crypto = true to /etc/krb5.conf"
        rlRun "service sssd restart" 0 "restart sssd service"
    fi
    # If IPA Client is pre-rhel7, download IPA Client NFS service keytab
    if [ $(echo $client_version|grep "5\.[0-9]"|wc -l) -gt 0 ] || [ $(echo $client_version|grep "6\.[0-9]"|wc -l) -gt 0 ];then
        rlRun "ipa-getkeytab -k /etc/krb5.keytab -s $MASTER -p nfs/$CLIENT" 0 "download IPA client NFS service keytab"
    fi
    rlRun "echo 'SECURE_NFS=\"yes\"' >> /etc/sysconfig/nfs" 0 "configure NFS service to use kerberos server as authentication server"
    rlRun "service rpcgssd restart;service rpcidmapd restart" 0 "restart NFS client services"
    # If IPA Client is pre-rhel7, restart portmap; if IPA client is rhel7 or later, restart rpcbind
    if [ $(echo $client_version|grep "5\.[0-9]"|wc -l) -gt 0 ] || [ $(echo $client_version|grep "6\.[0-9]"|wc -l) -gt 0 ];then
        rlRun "service portmap restart" 0 "restart portmap"
    else
        rlRun "service rpcbind restart" 0 "restart rpcbind"
    fi
    rlRun "mkdir /nfsdir" 0 "create mount point dir"
    rlRun "mount -o sec=krb5p -t nfs4 $MASTER:/export /nfsdir" 0 "mount export dir"
    rlRun "mount -s|grep nfsdir" 0 "verify that export dir is mounted on client successfully"
    kdestroy
rlPhaseEnd

Actual results:
Info: Searching AVC errors produced since 1407357255 (Wed Aug 6 16:34:15 2014)
Searching logs...
Running '/usr/bin/env LC_ALL=en_US.UTF-8 /sbin/ausearch -m AVC -m USER_AVC -m SELINUX_ERR -ts 08/06/2014 16:34:15 < /dev/null >/mnt/testarea/tmp.rhts-db-submit-result.8ClEsa 2>&1'
----
time->Wed Aug 6 16:35:06 2014
type=SYSCALL msg=audit(1407357306.502:51): arch=c000003e syscall=21 success=no exit=-13 a0=3ae3250 a1=2 a2=2abb78635ba0 a3=0 items=0 ppid=20584 pid=20585 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sssd_be" exe="/usr/libexec/sssd/sssd_be" subj=root:system_r:sssd_t:s0 key=(null)
type=AVC msg=audit(1407357306.502:51): avc: denied { write } for pid=20585 comm="sssd_be" name="krb5.conf" dev=dm-0 ino=2950802 scontext=root:system_r:sssd_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file
----
time->Wed Aug 6 16:35:07 2014
type=SYSCALL msg=audit(1407357307.704:52): arch=c000003e syscall=21 success=no exit=-13 a0=2adb38cdd630 a1=2 a2=d a3=0 items=0 ppid=20718 pid=20719 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc.gssd" exe="/usr/sbin/rpc.gssd" subj=root:system_r:gssd_t:s0 key=(null)
type=AVC msg=audit(1407357307.704:52): avc: denied { write } for pid=20719 comm="rpc.gssd" name="krb5.conf" dev=dm-0 ino=2950802 scontext=root:system_r:gssd_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file
----
time->Wed Aug 6 16:35:08 2014
type=SYSCALL msg=audit(1407357308.762:53): arch=c000003e syscall=21 success=no exit=-13 a0=2adb38ce2350 a1=2 a2=2adb1ae6dba0 a3=65726373662f7274 items=0 ppid=1 pid=20719 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc.gssd" exe="/usr/sbin/rpc.gssd" subj=root:system_r:gssd_t:s0 key=(null)
type=AVC msg=audit(1407357308.762:53): avc: denied { write } for pid=20719 comm="rpc.gssd" name="krb5.conf" dev=dm-0 ino=2950802 scontext=root:system_r:gssd_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file
----
time->Wed Aug 6 16:35:08 2014
type=SYSCALL msg=audit(1407357308.763:54): arch=c000003e syscall=21 success=no exit=-13 a0=2adb38ce2350 a1=2 a2=2adb1ae6dba0 a3=65726373662f7274 items=0 ppid=1 pid=20719 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc.gssd" exe="/usr/sbin/rpc.gssd" subj=root:system_r:gssd_t:s0 key=(null)
type=AVC msg=audit(1407357308.763:54): avc: denied { write } for pid=20719 comm="rpc.gssd" name="krb5.conf" dev=dm-0 ino=2950802 scontext=root:system_r:gssd_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file
----
time->Wed Aug 6 16:35:08 2014
type=SYSCALL msg=audit(1407357308.764:55): arch=c000003e syscall=21 success=no exit=-13 a0=2adb38ce2350 a1=2 a2=2adb1ae6dba0 a3=65726373662f7274 items=0 ppid=1 pid=20719 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc.gssd" exe="/usr/sbin/rpc.gssd" subj=root:system_r:gssd_t:s0 key=(null)
type=AVC msg=audit(1407357308.764:55): avc: denied { write } for pid=20719 comm="rpc.gssd" name="krb5.conf" dev=dm-0 ino=2950802 scontext=root:system_r:gssd_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file
----
time->Wed Aug 6 16:35:08 2014
type=SYSCALL msg=audit(1407357308.765:56): arch=c000003e syscall=21 success=no exit=-13 a0=2adb38ce0e80 a1=2 a2=2adb1ae6dba0 a3=65726373662f7274 items=0 ppid=1 pid=20719 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc.gssd" exe="/usr/sbin/rpc.gssd" subj=root:system_r:gssd_t:s0 key=(null)
type=AVC msg=audit(1407357308.765:56): avc: denied { write } for pid=20719 comm="rpc.gssd" name="krb5.conf" dev=dm-0 ino=2950802 scontext=root:system_r:gssd_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file
----
time->Wed Aug 6 16:35:08 2014
type=SYSCALL msg=audit(1407357308.765:57): arch=c000003e syscall=21 success=no exit=-13 a0=2adb38ce4100 a1=2 a2=2adb1ae6dba0 a3=65726373662f7274 items=0 ppid=1 pid=20719 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc.gssd" exe="/usr/sbin/rpc.gssd" subj=root:system_r:gssd_t:s0 key=(null)
type=AVC msg=audit(1407357308.765:57): avc: denied { write } for pid=20719 comm="rpc.gssd" name="krb5.conf" dev=dm-0 ino=2950802 scontext=root:system_r:gssd_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file
----
time->Wed Aug 6 16:35:08 2014
type=SYSCALL msg=audit(1407357308.766:58): arch=c000003e syscall=21 success=no exit=-13 a0=2adb38ce4140 a1=2 a2=2adb1ae6dba0 a3=65726373662f7274 items=0 ppid=1 pid=20719 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc.gssd" exe="/usr/sbin/rpc.gssd" subj=root:system_r:gssd_t:s0 key=(null)
type=AVC msg=audit(1407357308.766:58): avc: denied { write } for pid=20719 comm="rpc.gssd" name="krb5.conf" dev=dm-0 ino=2950802 scontext=root:system_r:gssd_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file
----
time->Wed Aug 6 16:35:08 2014
type=SYSCALL msg=audit(1407357308.766:59): arch=c000003e syscall=21 success=no exit=-13 a0=2adb38ce44c0 a1=2 a2=2adb1ae6dba0 a3=65726373662f7274 items=0 ppid=1 pid=20719 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc.gssd" exe="/usr/sbin/rpc.gssd" subj=root:system_r:gssd_t:s0 key=(null)
type=AVC msg=audit(1407357308.766:59): avc: denied { write } for pid=20719 comm="rpc.gssd" name="krb5.conf" dev=dm-0 ino=2950802 scontext=root:system_r:gssd_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file
----
time->Wed Aug 6 16:35:08 2014
type=SYSCALL msg=audit(1407357308.766:60): arch=c000003e syscall=21 success=no exit=-13 a0=2adb38ce44c0 a1=2 a2=2adb1ae6dba0 a3=65726373662f7274 items=0 ppid=1 pid=20719 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc.gssd" exe="/usr/sbin/rpc.gssd" subj=root:system_r:gssd_t:s0 key=(null)
type=AVC msg=audit(1407357308.766:60): avc: denied { write } for pid=20719 comm="rpc.gssd" name="krb5.conf" dev=dm-0 ino=2950802 scontext=root:system_r:gssd_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file
----
time->Wed Aug 6 16:35:08 2014
type=SYSCALL msg=audit(1407357308.767:61): arch=c000003e syscall=21 success=no exit=-13 a0=2adb38ce44c0 a1=2 a2=2adb1ae6dba0 a3=65726373662f7274 items=0 ppid=1 pid=20719 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc.gssd" exe="/usr/sbin/rpc.gssd" subj=root:system_r:gssd_t:s0 key=(null)
type=AVC msg=audit(1407357308.767:61): avc: denied { write } for pid=20719 comm="rpc.gssd" name="krb5.conf" dev=dm-0 ino=2950802 scontext=root:system_r:gssd_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file
----
time->Wed Aug 6 16:35:08 2014
type=SYSCALL msg=audit(1407357308.767:62): arch=c000003e syscall=21 success=no exit=-13 a0=2adb38ce0ef0 a1=2 a2=2adb1ae6dba0 a3=65726373662f7274 items=0 ppid=1 pid=20719 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc.gssd" exe="/usr/sbin/rpc.gssd" subj=root:system_r:gssd_t:s0 key=(null)
type=AVC msg=audit(1407357308.767:62): avc: denied { write } for pid=20719 comm="rpc.gssd" name="krb5.conf" dev=dm-0 ino=2950802 scontext=root:system_r:gssd_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file
----
time->Wed Aug 6 16:35:08 2014
type=SYSCALL msg=audit(1407357308.774:63): arch=c000003e syscall=21 success=no exit=-13 a0=2adb38ce0ef0 a1=2 a2=2adb1ae6dba0 a3=65726373662f7274 items=0 ppid=1 pid=20719 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc.gssd" exe="/usr/sbin/rpc.gssd" subj=root:system_r:gssd_t:s0 key=(null)
type=AVC msg=audit(1407357308.774:63): avc: denied { write } for pid=20719 comm="rpc.gssd" name="krb5.conf" dev=dm-0 ino=2950802 scontext=root:system_r:gssd_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file
----
time->Wed Aug 6 16:35:08 2014
type=SYSCALL msg=audit(1407357308.775:64): arch=c000003e syscall=21 success=no exit=-13 a0=2adb38ce0ef0 a1=2 a2=2adb1ae6dba0 a3=65726373662f7274 items=0 ppid=1 pid=20719 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc.gssd" exe="/usr/sbin/rpc.gssd" subj=root:system_r:gssd_t:s0 key=(null)
type=AVC msg=audit(1407357308.775:64): avc: denied { write } for pid=20719 comm="rpc.gssd" name="krb5.conf" dev=dm-0 ino=2950802 scontext=root:system_r:gssd_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file
Fail: AVC messages found.
Checking for errors...
Using stronger AVC checks. Define empty RHTS_OPTION_STRONGER_AVC parameter if this causes any problems.
Running 'cat /mnt/testarea/tmp.rhts-db-submit-result.8ClEsa | /sbin/ausearch -m AVC -m SELINUX_ERR'
Fail: AVC messages found.
Running 'cat %s | /sbin/ausearch -m USER_AVC >/mnt/testarea/tmp.rhts-db-submit-result.DanBxG 2>&1'
Info: No AVC messages found.
/bin/grep 'avc: ' /mnt/testarea/dmesg.log | /bin/grep --invert-match TESTOUT.log
No AVC messages found in dmesg
Running '/usr/sbin/sestatus'
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 21
Policy from config file:        targeted
Running 'rpm -q selinux-policy || true'
selinux-policy-2.4.6-350.el5

Expected results:
no AVC denial showing up

Additional info:
[root@dell-pesc1425-01 ~]# cat /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 EXAMPLE.COM = {
  kdc = kerberos.example.com:88
  admin_server = kerberos.example.com:749
  default_domain = example.com
 }

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }
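The paired SYSCALL/AVC records above carry more than the "denied { write }" summary: on x86_64 (arch=c000003e) syscall 21 is access(2), a1=2 is W_OK, and exit=-13 is EACCES, so both sssd_be and rpc.gssd are asking the kernel whether /etc/krb5.conf is writable rather than writing to it, and the label on the file is the expected etc_t. The script below is an added example, not code from the report or from any Red Hat tool: it parses records of the shape quoted above (three of them copied from the report as sample input), pairs each AVC with its SYSCALL by audit serial, decodes the syscall, access mode and errno, and groups the denials into audit2allow-style tuples. The syscall table is a deliberately partial x86_64 table, sufficient for these records.

```python
"""Decode and group the AVC/SYSCALL pairs from an ausearch dump (stdlib only)."""
import errno
import os
import re
from collections import Counter

# Three records copied from the report (serials 51, 52, 53); the remaining ones have the same shape.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1407357306.502:51): arch=c000003e syscall=21 success=no exit=-13 a0=3ae3250 a1=2 a2=2abb78635ba0 a3=0 items=0 ppid=20584 pid=20585 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sssd_be" exe="/usr/libexec/sssd/sssd_be" subj=root:system_r:sssd_t:s0 key=(null)
type=AVC msg=audit(1407357306.502:51): avc: denied { write } for pid=20585 comm="sssd_be" name="krb5.conf" dev=dm-0 ino=2950802 scontext=root:system_r:sssd_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1407357307.704:52): arch=c000003e syscall=21 success=no exit=-13 a0=2adb38cdd630 a1=2 a2=d a3=0 items=0 ppid=20718 pid=20719 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc.gssd" exe="/usr/sbin/rpc.gssd" subj=root:system_r:gssd_t:s0 key=(null)
type=AVC msg=audit(1407357307.704:52): avc: denied { write } for pid=20719 comm="rpc.gssd" name="krb5.conf" dev=dm-0 ino=2950802 scontext=root:system_r:gssd_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1407357308.762:53): arch=c000003e syscall=21 success=no exit=-13 a0=2adb38ce2350 a1=2 a2=2adb1ae6dba0 a3=65726373662f7274 items=0 ppid=1 pid=20719 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc.gssd" exe="/usr/sbin/rpc.gssd" subj=root:system_r:gssd_t:s0 key=(null)
type=AVC msg=audit(1407357308.762:53): avc: denied { write } for pid=20719 comm="rpc.gssd" name="krb5.conf" dev=dm-0 ino=2950802 scontext=root:system_r:gssd_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file
"""

HEADER = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r'denied\s+\{\s*([^}]*?)\s*\}')

# Partial x86_64 (arch=c000003e) syscall table: enough for the records in this report.
X86_64_SYSCALLS = {0: "read", 1: "write", 2: "open", 21: "access", 257: "openat"}
ACCESS_MODES = [(os.R_OK, "R_OK"), (os.W_OK, "W_OK"), (os.X_OK, "X_OK")]


def parse_audit(text):
    """Turn each 'type=... msg=audit(ts:serial): ...' line into a dict of its fields."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue  # the 'time->' and '----' lines carry nothing the records do not
        rtype, ts, serial, rest = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(rest)}
        rec = {"type": rtype, "time": float(ts), "serial": int(serial), **fields}
        if rtype == "AVC":
            pm = PERMS.search(rest)
            rec["perms"] = pm.group(1).split() if pm else []
        records.append(rec)
    return records


def pair_by_serial(records):
    """Group records by audit serial so each AVC sits next to the SYSCALL that triggered it."""
    events = {}
    for rec in records:
        events.setdefault(rec["serial"], {})[rec["type"]] = rec
    return events


def context_type(ctx):
    """user:role:type:level -> type (the only part type enforcement decides on)."""
    return ctx.split(":")[2]


def describe_syscall(sc):
    """Human-readable decode of one SYSCALL record: name, access mode for access(2), errno."""
    if sc.get("arch") != "c000003e":
        return "non-x86_64 record; syscall table not applicable"
    nr = int(sc["syscall"])
    name = X86_64_SYSCALLS.get(nr, f"syscall#{nr}")
    detail = ""
    if name == "access":
        mode = int(sc["a1"], 16)  # a1 is the mode argument, logged in hex
        names = [n for bit, n in ACCESS_MODES if mode & bit] or ["F_OK"]
        detail = "(" + "|".join(names) + ")"
    ret = int(sc["exit"])
    if ret >= 0:
        return f"{name}{detail} succeeded"
    return f"{name}{detail} failed with {errno.errorcode.get(-ret, -ret)}"


def summarize(text):
    """Count denials by (source type, target type, class, permission), as audit2allow groups them."""
    counts = Counter()
    for ev in pair_by_serial(parse_audit(text)).values():
        avc = ev.get("AVC")
        if not avc:
            continue
        for perm in avc["perms"]:
            key = (context_type(avc["scontext"]), context_type(avc["tcontext"]), avc["tclass"], perm)
            counts[key] += 1
    return counts


def allow_rules(counts):
    """audit2allow-style rules. Granting these would let the daemons modify the config file;
    the right first step is to find out why they probe for write access at all."""
    return sorted(f"allow {s} {t}:{c} {p};" for (s, t, c, p) in counts)


if __name__ == "__main__":
    events = pair_by_serial(parse_audit(SAMPLE_AUDIT))
    for serial in sorted(events):
        sc, avc = events[serial]["SYSCALL"], events[serial]["AVC"]
        print(f"{serial}: {avc['comm']} ({context_type(avc['scontext'])}) -> {avc['name']} "
              f"({context_type(avc['tcontext'])}): {describe_syscall(sc)}")
    for rule in allow_rules(summarize(SAMPLE_AUDIT)):
        print(rule)
```

Running it against the full "Actual results" text gives one sssd_t and thirteen gssd_t entries for the same (etc_t, file, write) tuple, every one of them an access(W_OK) that returned EACCES; the a0 values change between records because the path string is re-allocated on each probe, not because different files are involved.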
The /etc/krb5.conf file is mislabeled. Please run the following command:

# restorecon -Rv /etc
[root@dell-pesc1425-01 ~]# restorecon -Rv /etc
restorecon reset /etc/sysconfig/mkinitrd/multipath context system_u:object_r:file_t:s0->system_u:object_r:etc_t:s0
restorecon reset /etc/sysconfig/firstboot context system_u:object_r:etc_t:s0->system_u:object_r:etc_runtime_t:s0
restorecon reset /etc/inittab context system_u:object_r:etc_runtime_t:s0->system_u:object_r:etc_t:s0
restorecon reset /etc/resolv.conf.ipabackup context root:object_r:etc_t:s0->system_u:object_r:net_conf_t:s0
restorecon reset /etc/resolv.conf.10.16.101.41 context root:object_r:etc_t:s0->system_u:object_r:net_conf_t:s0
restorecon reset /etc/modprobe.d/anaconda.conf context system_u:object_r:file_t:s0->system_u:object_r:etc_t:s0
Does rpc.gssd need to write to /etc/krb5.conf?

Why is the bug reported against RHEL-7, when you mention RHEL-5 packages in the description?

> this happens in rhel7.0 but not in rhel6.6
Red Hat Enterprise Linux 5 shipped its last minor release, 5.11, on September 14th, 2014. On March 31st, 2017 RHEL 5 exited Production Phase 3 and entered Extended Life Phase. For RHEL releases in the Extended Life Phase, Red Hat will provide limited ongoing technical support. No bug fixes, security fixes, hardware enablement or root-cause analysis will be available during this phase, and support will be provided on existing installations only. If the customer purchases the Extended Life-cycle Support (ELS), certain critical-impact security fixes and selected urgent priority bug fixes for the last minor release will be provided.

For more details please consult the Red Hat Enterprise Linux Life Cycle Page: https://access.redhat.com/support/policy/updates/errata

This BZ does not appear to meet ELS criteria so is being closed WONTFIX.

If this BZ is critical for your environment and you have an Extended Life-cycle Support Add-on entitlement, please open a case in the Red Hat Customer Portal, https://access.redhat.com , provide a thorough business justification and ask that the BZ be re-opened for consideration of an errata. Please note, only certain critical-impact security fixes and selected urgent priority bug fixes for the last minor release can be considered.