Bug 1398857 - gssproxy/rpc.gssd/dbus SELinux denials
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 25
Hardware: Unspecified
OS: Linux
Priority: unspecified
Severity: unspecified
Assigned To: Lukas Vrabec
QA Contact: Ben Levenson
Reported: 2016-11-26 12:05 EST by Anthony Messina
Modified: 2017-01-14 13:36 EST (History)
Last Closed: 2017-01-14 13:36:12 EST
Type: Bug
Attachments: None
Description Anthony Messina 2016-11-26 12:05:52 EST
With a fresh install of F25, gssproxy & rpc.gssd don't work properly due to SELinux denials.  In this case, rpc.gssd is being run from systemd with Type=simple and ExecStart=/usr/sbin/rpc.gssd -fv (in the foreground) due to #1264556.  This change at least allows rpc.gssd to run for NFS/KRB mount /home.

AVC avc:  denied  { net_admin } for  pid=819 comm="gssproxy" capability=12  scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:system_r:gssproxy_t:s0 tclass=capability permissive=1
AVC avc:  denied  { write } for  pid=819 comm="gssproxy" name="system_bus_socket" dev="tmpfs" ino=17992 scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=1
AVC avc:  denied  { net_admin } for  pid=852 comm="gssproxy" capability=12  scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:system_r:gssproxy_t:s0 tclass=capability permissive=1
AVC avc:  denied  { write } for  pid=852 comm="gssproxy" name="system_bus_socket" dev="tmpfs" ino=17758 scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=1
AVC avc:  denied  { net_admin } for  pid=817 comm="gssproxy" capability=12  scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:system_r:gssproxy_t:s0 tclass=capability permissive=1
AVC avc:  denied  { write } for  pid=817 comm="gssproxy" name="system_bus_socket" dev="tmpfs" ino=13270 scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=1
AVC avc:  denied  { net_admin } for  pid=817 comm="gssproxy" capability=12  scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:system_r:gssproxy_t:s0 tclass=capability permissive=1
AVC avc:  denied  { write } for  pid=817 comm="gssproxy" name="system_bus_socket" dev="tmpfs" ino=13270 scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=1
AVC avc:  denied  { write } for  pid=817 comm="gssproxy" name="system_bus_socket" dev="tmpfs" ino=13270 scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=1
AVC avc:  denied  { net_admin } for  pid=817 comm="gssproxy" capability=12  scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:system_r:gssproxy_t:s0 tclass=capability permissive=1
AVC avc:  denied  { net_admin } for  pid=821 comm="gssproxy" capability=12  scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:system_r:gssproxy_t:s0 tclass=capability permissive=1
AVC avc:  denied  { write } for  pid=821 comm="gssproxy" name="system_bus_socket" dev="tmpfs" ino=18082 scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=1
AVC avc:  denied  { write } for  pid=1109 comm="rpc.gssd" name="system_bus_socket" dev="tmpfs" ino=17992 scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=1
AVC avc:  denied  { write } for  pid=1442 comm="rpc.gssd" name="system_bus_socket" dev="tmpfs" ino=17992 scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=1
AVC avc:  denied  { write } for  pid=1055 comm="rpc.gssd" name="system_bus_socket" dev="tmpfs" ino=17758 scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=1
AVC avc:  denied  { write } for  pid=1400 comm="rpc.gssd" name="system_bus_socket" dev="tmpfs" ino=17758 scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=1
AVC avc:  denied  { write } for  pid=1102 comm="rpc.gssd" name="system_bus_socket" dev="tmpfs" ino=13270 scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=1
AVC avc:  denied  { write } for  pid=1173 comm="rpc.gssd" name="system_bus_socket" dev="tmpfs" ino=13270 scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=1
AVC avc:  denied  { write } for  pid=1394 comm="rpc.gssd" name="system_bus_socket" dev="tmpfs" ino=13270 scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=1
AVC avc:  denied  { write } for  pid=1041 comm="rpc.gssd" name="system_bus_socket" dev="tmpfs" ino=18082 scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=1
AVC avc:  denied  { write } for  pid=1059 comm="rpc.gssd" name="system_bus_socket" dev="tmpfs" ino=18082 scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=1
~]# cat fixgssproxy.te 

module fixgssproxy 1.0;

require {
        type system_dbusd_var_run_t;
        type systemd_resolved_t;
        type system_dbusd_t;
        type gssproxy_t;
        class capability net_admin;
        class dbus send_msg;
        class sock_file write;
}

#============= gssproxy_t ==============
allow gssproxy_t self:capability net_admin;
allow gssproxy_t system_dbusd_t:dbus send_msg;
allow gssproxy_t system_dbusd_var_run_t:sock_file write;
allow gssproxy_t systemd_resolved_t:dbus send_msg;

#============= systemd_resolved_t ==============
allow systemd_resolved_t gssproxy_t:dbus send_msg;
~]# cat fixrpcgssd.te 

module fixrpcgssd 1.0;

require {
        type system_dbusd_var_run_t;
        type gssd_t;
        class sock_file write;
}

#============= gssd_t ==============
allow gssd_t system_dbusd_var_run_t:sock_file write;
Comment 1 Daniel Walsh 2016-11-28 12:03:18 EST
I would check if this would run without the net_admin.  You probably do not need to give this access.

dontaudit gssproxy_t self:capability net_admin;
Comment 2 Anthony Messina 2016-11-29 15:07:38 EST
(In reply to Daniel Walsh from comment #1)
> I would check if this would run without the net_admin.  You probably do not
> need to give this access.
> 
> dontaudit gssproxy_t self:capability net_admin;

Thanks Dan.  Upstream gssproxy also states they don't need cap_net_admin.

In enforcing mode, I don't get the gssproxy AVC and things work:
AVC avc:  denied  { net_admin } for  pid=819 comm="gssproxy" capability=12  scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:system_r:gssproxy_t:s0 tclass=capability


However, I still do get the rpc.gssd AVCs related to /run/dbus/system_bus_socket

AVC avc:  denied  { write } for  pid=1964 comm="rpc.gssd" name="system_bus_socket" dev="tmpfs" ino=18837 scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=0
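As an added example (not code from this bug or from the selinux-policy project), the script below does by hand what audit2allow does for the AVC lines quoted in the description: it collapses the repeated denials into unique source-type/target-type/class/permission rules, records which of them were also logged with permissive=0 (i.e. still fire in enforcing mode), and renders a .te module in the same shape as fixgssproxy.te, with a chosen permission (net_admin, per comment 1) emitted as dontaudit rather than allow. The sample AVC text is constructed from lines in this report, and the module name "fixgss" is a placeholder.

```python
import re
# Constructed sample modelled on the AVC lines quoted in this bug; the last line
# carries permissive=0, like the enforcing-mode rpc.gssd denial in comment 2.
SAMPLE_AVCS = """\
AVC avc:  denied  { net_admin } for  pid=819 comm="gssproxy" capability=12  scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:system_r:gssproxy_t:s0 tclass=capability permissive=1
AVC avc:  denied  { write } for  pid=819 comm="gssproxy" name="system_bus_socket" dev="tmpfs" ino=17992 scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=1
AVC avc:  denied  { write } for  pid=1109 comm="rpc.gssd" name="system_bus_socket" dev="tmpfs" ino=17992 scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=1
AVC avc:  denied  { write } for  pid=1964 comm="rpc.gssd" name="system_bus_socket" dev="tmpfs" ino=18837 scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=0
"""

def parse_avc(line):
    """Return (source type, target type, class, permission, permissive) per denied permission."""
    m = re.search(r'denied\s+\{([^}]*)\}', line)
    if not m:
        return []
    f = dict(re.findall(r'(\w+)=(\S+)', line))
    stype = f['scontext'].split(':')[2]        # user:role:TYPE:level
    ttype = f['tcontext'].split(':')[2]
    permissive = f.get('permissive') == '1'    # field absent: assume enforcing
    return [(stype, ttype, f['tclass'], p, permissive) for p in m.group(1).split()]

def summarize(text):
    """Collapse raw AVCs into unique rules; the value is True when the same denial
    was also logged with permissive=0, i.e. it still bites in enforcing mode."""
    rules = {}
    for line in text.splitlines():
        for stype, ttype, tclass, perm, permissive in parse_avc(line):
            key = (stype, ttype, tclass, perm)
            rules[key] = rules.get(key, False) or not permissive
    return rules

def to_te(module, rules, dontaudit=()):
    """Render a .te in the shape of the report's modules; (source type, class, perm)
    triples in `dontaudit` get a dontaudit rule instead of allow (comment 1's advice)."""
    types = sorted({t for key in rules for t in key[:2]})
    classes = {}
    for _, _, tclass, perm in rules:
        classes.setdefault(tclass, set()).add(perm)
    out = [f"module {module} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(ps))} }};" for c, ps in sorted(classes.items())]
    out += ["}", ""]
    for stype, ttype, tclass, perm in sorted(rules):
        verb = "dontaudit" if (stype, tclass, perm) in dontaudit else "allow"
        target = "self" if stype == ttype else ttype   # self:capability, as in the report
        out.append(f"{verb} {stype} {target}:{tclass} {perm};")
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(to_te("fixgss", summarize(SAMPLE_AVCS), dontaudit={("gssproxy_t", "capability", "net_admin")}))
```

The rules flagged True are the ones worth a real allow rule; the rest only showed up in permissive mode and deserve a dontaudit or a second look before being granted.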
Comment 3 Daniel Walsh 2016-11-29 15:26:03 EST
Yes, this looks like gssd is sending a dbus message to someone. Should be allowed.
Comment 4 Anthony Messina 2017-01-14 13:36:12 EST
With recent updates that removed the need to run rpc.gssd in the foreground, I no longer see these issues.