Description of problem:
AVC message found on RHEL 5.11 client while trying to mount nfs share.

Version-Release number of selected component (if applicable):
selinux-policy-2.4.6-351.el5

How reproducible:

Steps to Reproduce:
1. Set up a RHEL 5.11 client.
2. Set up RHEL client with SELINUX policy set to "enforcing".
3. Try to mount nfs share.

Actual results:
AVC messages are observed

Expected results:
No AVC messages should be observed.

Additional info:
(This issue was observed while performing regression client test run for 5.11 (ia64) client and 7.2 IPA server.)

1. Checking for errors...
Using stronger AVC checks.
Define empty RHTS_OPTION_STRONGER_AVC parameter if this causes any problems.
Running 'cat /mnt/testarea/tmp.rhts-db-submit-result.Lxr-Yt | /sbin/ausearch -m AVC -m SELINUX_ERR'
Fail: AVC messages found.
Running 'cat %s | /sbin/ausearch -m USER_AVC >/mnt/testarea/tmp.rhts-db-submit-result.EobPCw 2>&1'
Info: No AVC messages found.
/bin/grep 'avc: ' /mnt/testarea/dmesg.log | /bin/grep --invert-match TESTOUT.log
No AVC messages found in dmesg
Running '/usr/sbin/sestatus'
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 21
Policy from config file: targeted
Running 'rpm -q selinux-policy || true'
selinux-policy-2.4.6-351.el5

2. Following error message is received on the client machine:

time->Fri Oct 23 02:06:51 2015
type=SYSCALL msg=audit(1445580411.523:62): arch=c0000032 syscall=1049 success=no exit=-13 a0=20000008006f8290 a1=2 a2=20000008002420b0 a3=c000000000000691 items=0 ppid=1 pid=17433 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc.gssd" exe="/usr/sbin/rpc.gssd" subj=root:system_r:gssd_t:s0 key=(null)
type=AVC msg=audit(1445580411.523:62): avc: denied { write } for pid=17433 comm="rpc.gssd" name="krb5.conf" dev=sda2 ino=3081860 scontext=root:system_r:gssd_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file

Fail: AVC messages found.
Checking for errors...
Using stronger AVC checks.
Define empty RHTS_OPTION_STRONGER_AVC parameter if this causes any problems.
Running 'cat /mnt/testarea/tmp.rhts-db-submit-result.Lxr-Yt | /sbin/ausearch -m AVC -m SELINUX_ERR'
Fail: AVC messages found.
Running 'cat %s | /sbin/ausearch -m USER_AVC >/mnt/testarea/tmp.rhts-db-submit-result.EobPCw 2>&1'
Info: No AVC messages found.
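
Added example (not part of the original report and not Red Hat tooling): Python that pairs the SYSCALL and AVC records above by their shared audit event ID and reduces them to the facts used in triage, namely which domain was denied which permission on which labelled object and what the syscall returned. The function names are hypothetical, and the sample input is the report's two records with the SYSCALL record trimmed to the fields used here.

```python
import errno
import re
from collections import defaultdict
# Sample input: the two records from the report, SYSCALL trimmed to the fields used.
SAMPLE = """\
type=SYSCALL msg=audit(1445580411.523:62): arch=c0000032 syscall=1049 success=no exit=-13 pid=17433 uid=0 comm="rpc.gssd" exe="/usr/sbin/rpc.gssd" subj=root:system_r:gssd_t:s0 key=(null)
type=AVC msg=audit(1445580411.523:62): avc: denied { write } for pid=17433 comm="rpc.gssd" name="krb5.conf" dev=sda2 ino=3081860 scontext=root:system_r:gssd_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file
"""

HEADER = re.compile(r"type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")

def parse(text):
    """Group audit records by event ID (timestamp, serial)."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue  # e.g. the "time->" separator lines ausearch prints
        rtype, ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        if rtype == "AVC":
            p = PERMS.search(body)
            fields["perms"] = p.group(1).split() if p else []
        events[(ts, serial)][rtype] = fields
    return events

def summarize(events):
    """One dict per denial, joined with the SYSCALL record of the same event."""
    out = []
    for (ts, serial), recs in sorted(events.items()):
        avc = recs.get("AVC")
        if not avc:
            continue
        sc = recs.get("SYSCALL", {})
        exit_code = int(sc.get("exit", "0"))
        out.append({
            "source_type": avc["scontext"].split(":")[2],  # user:role:type:level
            "target_type": avc["tcontext"].split(":")[2],
            "tclass": avc["tclass"],
            "perms": avc["perms"],
            "name": avc.get("name"),
            "exe": sc.get("exe"),
            "errno": errno.errorcode.get(-exit_code) if exit_code < 0 else None,
        })
    return out

if __name__ == "__main__":
    print(summarize(parse(SAMPLE)))
```
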
Does restorecon -v PATHTO/krb5.conf fix this problem?
Red Hat Enterprise Linux 5 shipped its last minor release, 5.11, on September 14th, 2014. On March 31st, 2017 RHEL 5 exited Production Phase 3 and entered Extended Life Phase. For RHEL releases in the Extended Life Phase, Red Hat will provide limited ongoing technical support. No bug fixes, security fixes, hardware enablement or root-cause analysis will be available during this phase, and support will be provided on existing installations only. If the customer purchases the Extended Life-cycle Support (ELS), certain critical-impact security fixes and selected urgent priority bug fixes for the last minor release will be provided. For more details please consult the Red Hat Enterprise Linux Life Cycle Page: https://access.redhat.com/support/policy/updates/errata

This BZ does not appear to meet ELS criteria so is being closed WONTFIX. If this BZ is critical for your environment and you have an Extended Life-cycle Support Add-on entitlement, please open a case in the Red Hat Customer Portal, https://access.redhat.com, provide a thorough business justification and ask that the BZ be re-opened for consideration of an errata. Please note, only certain critical-impact security fixes and selected urgent priority bug fixes for the last minor release can be considered.