Bug 1398857 - gssproxy/rpc.gssd/dbus SELinux denials
Summary: gssproxy/rpc.gssd/dbus SELinux denials
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted   
Version: 25
Hardware: Unspecified
OS: Linux
unspecified
unspecified
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Ben Levenson
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
 
Reported: 2016-11-26 17:05 UTC by Anthony Messina
Modified: 2017-01-14 18:36 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-01-14 18:36:12 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---



Description Anthony Messina 2016-11-26 17:05:52 UTC
With a fresh install of F25, gssproxy & rpc.gssd don't work properly due to SELinux denials.  In this case, rpc.gssd is being run from systemd with Type=simple and ExecStart=/usr/sbin/rpc.gssd -fv (in the foreground) due to #1264556.  This change at least allows rpc.gssd to run for the NFS/KRB mount of /home.


AVC avc:  denied  { net_admin } for  pid=819 comm="gssproxy" capability=12  scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:system_r:gssproxy_t:s0 tclass=capability permissive=1
AVC avc:  denied  { write } for  pid=819 comm="gssproxy" name="system_bus_socket" dev="tmpfs" ino=17992 scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=1
AVC avc:  denied  { net_admin } for  pid=852 comm="gssproxy" capability=12  scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:system_r:gssproxy_t:s0 tclass=capability permissive=1
AVC avc:  denied  { write } for  pid=852 comm="gssproxy" name="system_bus_socket" dev="tmpfs" ino=17758 scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=1
AVC avc:  denied  { net_admin } for  pid=817 comm="gssproxy" capability=12  scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:system_r:gssproxy_t:s0 tclass=capability permissive=1
AVC avc:  denied  { write } for  pid=817 comm="gssproxy" name="system_bus_socket" dev="tmpfs" ino=13270 scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=1
AVC avc:  denied  { net_admin } for  pid=817 comm="gssproxy" capability=12  scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:system_r:gssproxy_t:s0 tclass=capability permissive=1
AVC avc:  denied  { write } for  pid=817 comm="gssproxy" name="system_bus_socket" dev="tmpfs" ino=13270 scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=1
AVC avc:  denied  { write } for  pid=817 comm="gssproxy" name="system_bus_socket" dev="tmpfs" ino=13270 scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=1
AVC avc:  denied  { net_admin } for  pid=817 comm="gssproxy" capability=12  scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:system_r:gssproxy_t:s0 tclass=capability permissive=1
AVC avc:  denied  { net_admin } for  pid=821 comm="gssproxy" capability=12  scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:system_r:gssproxy_t:s0 tclass=capability permissive=1
AVC avc:  denied  { write } for  pid=821 comm="gssproxy" name="system_bus_socket" dev="tmpfs" ino=18082 scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=1



AVC avc:  denied  { write } for  pid=1109 comm="rpc.gssd" name="system_bus_socket" dev="tmpfs" ino=17992 scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=1
AVC avc:  denied  { write } for  pid=1442 comm="rpc.gssd" name="system_bus_socket" dev="tmpfs" ino=17992 scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=1
AVC avc:  denied  { write } for  pid=1055 comm="rpc.gssd" name="system_bus_socket" dev="tmpfs" ino=17758 scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=1
AVC avc:  denied  { write } for  pid=1400 comm="rpc.gssd" name="system_bus_socket" dev="tmpfs" ino=17758 scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=1
AVC avc:  denied  { write } for  pid=1102 comm="rpc.gssd" name="system_bus_socket" dev="tmpfs" ino=13270 scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=1
AVC avc:  denied  { write } for  pid=1173 comm="rpc.gssd" name="system_bus_socket" dev="tmpfs" ino=13270 scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=1
AVC avc:  denied  { write } for  pid=1394 comm="rpc.gssd" name="system_bus_socket" dev="tmpfs" ino=13270 scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=1
AVC avc:  denied  { write } for  pid=1041 comm="rpc.gssd" name="system_bus_socket" dev="tmpfs" ino=18082 scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=1
AVC avc:  denied  { write } for  pid=1059 comm="rpc.gssd" name="system_bus_socket" dev="tmpfs" ino=18082 scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=1



~]# cat fixgssproxy.te 

module fixgssproxy 1.0;

require {
        type system_dbusd_var_run_t;
        type systemd_resolved_t;
        type system_dbusd_t;
        type gssproxy_t;
        class capability net_admin;
        class dbus send_msg;
        class sock_file write;
}

#============= gssproxy_t ==============
allow gssproxy_t self:capability net_admin;
allow gssproxy_t system_dbusd_t:dbus send_msg;
allow gssproxy_t system_dbusd_var_run_t:sock_file write;
allow gssproxy_t systemd_resolved_t:dbus send_msg;

#============= systemd_resolved_t ==============
allow systemd_resolved_t gssproxy_t:dbus send_msg;



~]# cat fixrpcgssd.te 

module fixrpcgssd 1.0;

require {
        type system_dbusd_var_run_t;
        type gssd_t;
        class sock_file write;
}

#============= gssd_t ==============
allow gssd_t system_dbusd_var_run_t:sock_file write;

Comment 1 Daniel Walsh 2016-11-28 17:03:18 UTC
I would check if this would run without the net_admin.  You probably do not need to give this access.

dontaudit gssproxy_t self:capability net_admin;

Comment 2 Anthony Messina 2016-11-29 20:07:38 UTC
(In reply to Daniel Walsh from comment #1)
> I would check if this would run without the net_admin.  You probably do not
> need to give this access.
> 
> dontaudit gssproxy_t self:capability net_admin;

Thanks Dan.  Upstream gssproxy also states they don't need cap_net_admin.

In enforcing mode, I don't get the gssproxy AVC and things work:
AVC avc:  denied  { net_admin } for  pid=819 comm="gssproxy" capability=12  scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:system_r:gssproxy_t:s0 tclass=capability


However, I still do get the rpc.gssd AVCs related to /run/dbus/system_bus_socket

AVC avc:  denied  { write } for  pid=1964 comm="rpc.gssd" name="system_bus_socket" dev="tmpfs" ino=18837 scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=0

Comment 3 Daniel Walsh 2016-11-29 20:26:03 UTC
Yes, this looks like gssd is sending a dbus message to someone. It should be allowed.

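As an added example (not code from this report, from selinux-policy or from audit2allow), the following Python script parses AVC lines of the kind quoted in the description and turns them into a minimal module the way the two .te files above were built, but with the point from comment 1 applied: a capability denial such as net_admin is emitted as dontaudit rather than allow, so the daemon is not granted a capability that upstream says it does not need, while the sock_file write on the D-Bus socket that comment 3 says should be allowed stays an allow rule. The AVC_RE pattern, the DONTAUDIT set and the SAMPLE_AVCS lines are assumptions constructed for this example.

```python
"""Group SELinux AVC denials into a minimal policy module.

Added example for this bug report; not part of the report, of
selinux-policy or of audit2allow. It parses AVC lines in the shape quoted
in the description and emits a .te module in which capability grants listed
in DONTAUDIT become dontaudit rules (comment 1) while everything else,
such as the sock_file write on the D-Bus socket, becomes an allow rule.
"""
import re
from collections import defaultdict

# Constructed sample lines, copied in shape from the report.
SAMPLE_AVCS = """\
AVC avc:  denied  { net_admin } for  pid=819 comm="gssproxy" capability=12  scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:system_r:gssproxy_t:s0 tclass=capability permissive=1
AVC avc:  denied  { write } for  pid=819 comm="gssproxy" name="system_bus_socket" dev="tmpfs" ino=17992 scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=1
AVC avc:  denied  { write } for  pid=1109 comm="rpc.gssd" name="system_bus_socket" dev="tmpfs" ino=17992 scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=1
"""

# Assumed pattern for the AVC record fields this example needs.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

# (tclass, permission) pairs that are silenced instead of granted.
# Assumption for this example, following the advice in comment 1.
DONTAUDIT = {("capability", "net_admin")}


def parse_avc(line):
    """Return (source type, target type, tclass, perms) or None if not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    perms = tuple(sorted(m["perms"].split()))
    # user:role:type:range -> the type is the third field.
    stype = m["scontext"].split(":")[2]
    ttype = m["tcontext"].split(":")[2]
    return stype, ttype, m["tclass"], perms


def build_rules(lines):
    """Map (stype, target, tclass, kind) -> set of permissions.

    kind is "dontaudit" for pairs listed in DONTAUDIT, else "allow".
    A target equal to the source type is written as "self", as in the
    report's own module.
    """
    rules = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed is None:
            continue
        stype, ttype, tclass, perms = parsed
        target = "self" if stype == ttype else ttype
        for perm in perms:
            kind = "dontaudit" if (tclass, perm) in DONTAUDIT else "allow"
            rules[(stype, target, tclass, kind)].add(perm)
    return dict(rules)


def render_module(name, rules):
    """Render the rules as a policy module source (.te) string."""
    types = set()
    classes = defaultdict(set)
    for (stype, target, tclass, _kind), perms in rules.items():
        types.add(stype)
        if target != "self":
            types.add(target)
        classes[tclass].update(perms)
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in sorted(types)]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (stype, target, tclass, kind), perms in sorted(rules.items()):
        out.append(f"{kind} {stype} {target}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(render_module("fixgss_example", build_rules(SAMPLE_AVCS.splitlines())))
```

Run as a script it prints a module for the three sample lines; the net_admin line comes out as `dontaudit gssproxy_t self:capability { net_admin };` and the two socket writes as allow rules on system_dbusd_var_run_t. The output still has to go through checkmodule and semodule_package before semodule -i, and any extra dbus send_msg rules (like the systemd_resolved_t ones in the report's module) only appear if the corresponding AVC lines are fed in.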
Comment 4 Anthony Messina 2017-01-14 18:36:12 UTC
With recent updates that removed the need to run rpc.gssd in the foreground, I no longer see these issues.

