Bug 1274733 - AVC message observed when trying to mount nfs share on RHEL 5.11.
AVC message observed when trying to mount nfs share on RHEL 5.11.
Status: CLOSED WONTFIX
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy (Show other bugs)
5.11
Unspecified Unspecified
unspecified Severity unspecified
: rc
: ---
Assigned To: Miroslav Grepl
BaseOS QE Security Team
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2015-10-23 09:14 EDT by Nikhil Dehadrai
Modified: 2017-04-18 18:00 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-04-18 18:00:26 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Nikhil Dehadrai 2015-10-23 09:14:50 EDT
Description of problem:
AVC message found on RHEL 5.11 client while trying to mount nfs share.

Version-Release number of selected component (if applicable):
selinux-policy-2.4.6-351.el5

How reproducible:

Steps to Reproduce:
1. Setup a RHEL 5.11 client.
2. Setup RHEL client with SELINUX policy set to "enforcing".
3. Try to mount nfs share.

Actual results:
AVC messages are observed

Expected results:
No AVC messages should be observed.

Additional info:
(This issue was observed while performing regression client test run for 5.11 (ia64) client and 7.2 IPA server.) 

1. 
Checking for errors...
Using stronger AVC checks.
	Define empty RHTS_OPTION_STRONGER_AVC parameter if this causes any problems.
Running 'cat /mnt/testarea/tmp.rhts-db-submit-result.Lxr-Yt | /sbin/ausearch -m AVC -m SELINUX_ERR'
Fail: AVC messages found.
Running 'cat %s | /sbin/ausearch -m USER_AVC >/mnt/testarea/tmp.rhts-db-submit-result.EobPCw 2>&1'
Info: No AVC messages found.
/bin/grep 'avc: ' /mnt/testarea/dmesg.log | /bin/grep --invert-match TESTOUT.log
No AVC messages found in dmesg
Running '/usr/sbin/sestatus'
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 21
Policy from config file:        targeted
Running 'rpm -q selinux-policy || true'
selinux-policy-2.4.6-351.el5

2.
Following error message is received on the client machine: 
time->Fri Oct 23 02:06:51 2015
type=SYSCALL msg=audit(1445580411.523:62): arch=c0000032 syscall=1049 success=no exit=-13 a0=20000008006f8290 a1=2 a2=20000008002420b0 a3=c000000000000691 items=0 ppid=1 pid=17433 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc.gssd" exe="/usr/sbin/rpc.gssd" subj=root:system_r:gssd_t:s0 key=(null)
type=AVC msg=audit(1445580411.523:62): avc:  denied  { write } for  pid=17433 comm="rpc.gssd" name="krb5.conf" dev=sda2 ino=3081860 scontext=root:system_r:gssd_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file
Fail: AVC messages found.
Checking for errors...
Using stronger AVC checks.
	Define empty RHTS_OPTION_STRONGER_AVC parameter if this causes any problems.
Running 'cat /mnt/testarea/tmp.rhts-db-submit-result.Lxr-Yt | /sbin/ausearch -m AVC -m SELINUX_ERR'
Fail: AVC messages found.
Running 'cat %s | /sbin/ausearch -m USER_AVC >/mnt/testarea/tmp.rhts-db-submit-result.EobPCw 2>&1'
Info: No AVC messages found.
Comment 1 Miroslav Grepl 2015-11-02 02:32:09 EST
Does

restorecon -v PATHTO/krb5.conf

fix this problem?
Comment 3 Chris Williams 2017-04-18 18:00:26 EDT
Red Hat Enterprise Linux 5 shipped it's last minor release, 5.11, on September 14th, 2014. On March 31st, 2017 RHEL 5 exited Production Phase 3 and entered Extended Life Phase. For RHEL releases in the Extended Life Phase, Red Hat  will provide limited ongoing technical support. No bug fixes, security fixes, hardware enablement or root-cause analysis will be available during this phase, and support will be provided on existing installations only.  If the customer purchases the Extended Life-cycle Support (ELS), certain critical-impact security fixes and selected urgent priority bug fixes for the last minor release will be provided.  For more details please consult the Red Hat Enterprise Linux Life Cycle Page:
https://access.redhat.com/support/policy/updates/errata

This BZ does not appear to meet ELS criteria so is being closed WONTFIX. If this BZ is critical for your environment and you have an Extended Life-cycle Support Add-on entitlement, please open a case in the Red Hat Customer Portal, https://access.redhat.com ,provide a thorough business justification and ask that the BZ be re-opened for consideration of an errata. Please note, only certain critical-impact security fixes and selected urgent priority bug fixes for the last minor release can be considered.

Note You need to log in before you can comment on or make changes to this bug.