With a fresh install of F25, gssproxy & rpc.gssd don't work properly due to SELinux denials. In this case, rpc.gssd is being run from systemd with Type=simple and ExecStart=/usr/sbin/rpc.gssd -fv (in the foreground) due to #1264556. This change at least allows rpc.gssd to run for NFS/KRB mount /home.

AVC avc: denied { net_admin } for pid=819 comm="gssproxy" capability=12 scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:system_r:gssproxy_t:s0 tclass=capability permissive=1
AVC avc: denied { write } for pid=819 comm="gssproxy" name="system_bus_socket" dev="tmpfs" ino=17992 scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=1
AVC avc: denied { net_admin } for pid=852 comm="gssproxy" capability=12 scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:system_r:gssproxy_t:s0 tclass=capability permissive=1
AVC avc: denied { write } for pid=852 comm="gssproxy" name="system_bus_socket" dev="tmpfs" ino=17758 scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=1
AVC avc: denied { net_admin } for pid=817 comm="gssproxy" capability=12 scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:system_r:gssproxy_t:s0 tclass=capability permissive=1
AVC avc: denied { write } for pid=817 comm="gssproxy" name="system_bus_socket" dev="tmpfs" ino=13270 scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=1
AVC avc: denied { net_admin } for pid=817 comm="gssproxy" capability=12 scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:system_r:gssproxy_t:s0 tclass=capability permissive=1
AVC avc: denied { write } for pid=817 comm="gssproxy" name="system_bus_socket" dev="tmpfs" ino=13270 scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=1
AVC avc: denied { write } for pid=817 comm="gssproxy" name="system_bus_socket" dev="tmpfs" ino=13270 scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=1
AVC avc: denied { net_admin } for pid=817 comm="gssproxy" capability=12 scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:system_r:gssproxy_t:s0 tclass=capability permissive=1
AVC avc: denied { net_admin } for pid=821 comm="gssproxy" capability=12 scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:system_r:gssproxy_t:s0 tclass=capability permissive=1
AVC avc: denied { write } for pid=821 comm="gssproxy" name="system_bus_socket" dev="tmpfs" ino=18082 scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=1
AVC avc: denied { write } for pid=1109 comm="rpc.gssd" name="system_bus_socket" dev="tmpfs" ino=17992 scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=1
AVC avc: denied { write } for pid=1442 comm="rpc.gssd" name="system_bus_socket" dev="tmpfs" ino=17992 scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=1
AVC avc: denied { write } for pid=1055 comm="rpc.gssd" name="system_bus_socket" dev="tmpfs" ino=17758 scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=1
AVC avc: denied { write } for pid=1400 comm="rpc.gssd" name="system_bus_socket" dev="tmpfs" ino=17758 scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=1
AVC avc: denied { write } for pid=1102 comm="rpc.gssd" name="system_bus_socket" dev="tmpfs" ino=13270 scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=1
AVC avc: denied { write } for pid=1173 comm="rpc.gssd" name="system_bus_socket" dev="tmpfs" ino=13270 scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=1
AVC avc: denied { write } for pid=1394 comm="rpc.gssd" name="system_bus_socket" dev="tmpfs" ino=13270 scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=1
AVC avc: denied { write } for pid=1041 comm="rpc.gssd" name="system_bus_socket" dev="tmpfs" ino=18082 scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=1
AVC avc: denied { write } for pid=1059 comm="rpc.gssd" name="system_bus_socket" dev="tmpfs" ino=18082 scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=1

~]# cat fixgssproxy.te
module fixgssproxy 1.0;

require {
	type system_dbusd_var_run_t;
	type systemd_resolved_t;
	type system_dbusd_t;
	type gssproxy_t;
	class capability net_admin;
	class dbus send_msg;
	class sock_file write;
}

#============= gssproxy_t ==============
allow gssproxy_t self:capability net_admin;
allow gssproxy_t system_dbusd_t:dbus send_msg;
allow gssproxy_t system_dbusd_var_run_t:sock_file write;
allow gssproxy_t systemd_resolved_t:dbus send_msg;

#============= systemd_resolved_t ==============
allow systemd_resolved_t gssproxy_t:dbus send_msg;

~]# cat fixrpcgssd.te
module fixrpcgssd 1.0;

require {
	type system_dbusd_var_run_t;
	type gssd_t;
	class sock_file write;
}

#============= gssd_t ==============
allow gssd_t system_dbusd_var_run_t:sock_file write;
I would check if this would run without the net_admin. You probably do not need to give this access.

dontaudit gssproxy_t self:capability net_admin;
(In reply to Daniel Walsh from comment #1)
> I would check if this would run without the net_admin. You probably do not
> need to give this access.
>
> dontaudit gssproxy_t self:capability net_admin;

Thanks Dan. Upstream gssproxy also states they don't need cap_net_admin. In enforcing mode, I don't get the gssproxy AVC and things work:

AVC avc: denied { net_admin } for pid=819 comm="gssproxy" capability=12 scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:system_r:gssproxy_t:s0 tclass=capability

However, I still do get the rpc.gssd AVCs related to /run/dbus/system_bus_socket:

AVC avc: denied { write } for pid=1964 comm="rpc.gssd" name="system_bus_socket" dev="tmpfs" ino=18837 scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=0
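As an added example (not from this bug, the gssproxy project or the selinux-policy maintainers), a small script in the spirit of audit2allow that turns kernel AVC records like the ones in comment 0 into a .te module, writing the net_admin capability as a dontaudit rule per comment 1 instead of an allow. It handles only the kernel `avc:` lines, not the dbus USER_AVC records behind the send_msg rules; the three sample records, the module name fixgss and the DONTAUDIT table are constructed for the example.

```python
import re
from collections import OrderedDict

# Constructed sample: three kernel AVC records in the shape quoted in this bug.
SAMPLE_AVCS = """\
avc: denied { net_admin } for pid=819 comm="gssproxy" capability=12 scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:system_r:gssproxy_t:s0 tclass=capability permissive=1
avc: denied { write } for pid=819 comm="gssproxy" name="system_bus_socket" dev="tmpfs" ino=17992 scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=1
avc: denied { write } for pid=1109 comm="rpc.gssd" name="system_bus_socket" dev="tmpfs" ino=17992 scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=1
"""

# Pull the permission set, source type, target type and object class out of one record.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=\w+:\w+:(?P<stype>\w+).*?"
    r"tcontext=\w+:\w+:(?P<ttype>\w+).*?"
    r"tclass=(?P<tclass>\w+)")

# (class, permission) pairs the daemon works without: silence them instead of granting them.
DONTAUDIT = {("capability", "net_admin")}

def parse_avcs(text):
    """Return de-duplicated (source_type, target_type, class, perm) tuples in first-seen order."""
    seen = OrderedDict()
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        for perm in m.group("perms").split():
            seen[(m.group("stype"), m.group("ttype"), m.group("tclass"), perm)] = None
    return list(seen)

def build_module(name, tuples):
    """Render a checkmodule-style .te: require block first, then one rule per tuple."""
    types = sorted({t for s, tt, _, _ in tuples for t in (s, tt)})
    classes = OrderedDict()
    for _, _, cls, perm in tuples:
        classes.setdefault(cls, set()).add(perm)
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in classes.items()]
    out += ["}", ""]
    for s, tt, cls, perm in tuples:
        target = "self" if s == tt else tt  # same-type access is written as self
        verb = "dontaudit" if (cls, perm) in DONTAUDIT else "allow"
        out.append(f"{verb} {s} {target}:{cls} {perm};")
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(build_module("fixgss", parse_avcs(SAMPLE_AVCS)))
```

The output can be fed to checkmodule -M -m and semodule_package as in the usual audit2allow workflow; the point of the DONTAUDIT table is that a denial the service tolerates should be silenced, not granted.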
Yes, this looks like gssd is sending a dbus message to someone. Should be allowed.
With recent updates that removed the need to run rpc.gssd in the foreground, I no longer see these issues.