Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1438036

Summary: rpc.gssd fails to call into gssproxy
Product: Red Hat Enterprise Linux 7 Reporter: Simo Sorce <ssorce>
Component: selinux-policyAssignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: high Docs Contact:
Priority: unspecified    
Version: 7.4CC: bcodding, bfields, chunwang, dominick.grift, dwalsh, extras-qa, jiyin, jlayton, lvrabec, mgrepl, mmalik, plautrba, pmoore, pvrabec, rharwood, riehecky, rob.verduijn, smayhew, ssekidde, ssorce, steved, yoyang
Target Milestone: rcKeywords: Regression
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.13.1-137 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1430963 Environment:
Last Closed: 2017-08-01 15:24:23 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1430963    
Bug Blocks:    
Attachments:
Description Flags
gssproxy avcs none

Description Simo Sorce 2017-03-31 17:00:23 UTC 
+++ This bug was initially created as a clone of Bug #1430963 +++

gssproxy checks the contents of the GSS_USE_PROXY envvar in order to determine whether it should be used.  rpc.gssd is causing secure_getenv() to return NULL on this variable, which breaks gssproxy.

--- Additional comment from Robbie Harwood on 2017-03-09 20:17:41 EST ---

Attached is a Vagrantfile helpfully provided by the original reporter on the gssproxy mailing list.  To see the problem, break on gss_mech_interposer() and observe the return value from gp_getenv() (which wraps secure_getenv()).

--- Additional comment from Simo Sorce on 2017-03-31 12:59:20 EDT ---

Ok apparently this turns out to be a similar problem to https://bugzilla.redhat.com/show_bug.cgi?id=1174915
So reassigning to SELinuc Policy
Comment 3 Lukas Vrabec 2017-04-03 08:07:17 UTC 
Simo, 
Do you have any AVCS related to this issue?
Comment 4 Milos Malik 2017-04-03 11:34:30 UTC 
# ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -i -ts today
Comment 5 Simo Sorce 2017-04-03 12:51:28 UTC 
Robbie reproduced the issue, turning to him.
Comment 6 Simo Sorce 2017-04-03 13:26:37 UTC 
Btw are we really expcting an AVC ?
The way I understand this issue is that SeLinux sets AT_SECURE on the process at startup, and glibc, much later simply fails secure_getenv() when it see AT_SECURE set.
Do you really expect to find AVCs ? Does glibc issue audit logs when secure_getenv() is invoked ?
Comment 7 Milos Malik 2017-04-03 13:58:15 UTC 
# seinfo -cprocess -x | grep secure
      noatsecure
#

If you want to see { noatsecure } AVCs, which are usually hidden, you need to disable dontaudit rules via:

# semodule -DB
Comment 8 Robbie Harwood 2017-04-03 16:29:25 UTC 
(In reply to Milos Malik from comment #4)
> # ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -i -ts today

type=AVC msg=audit(04/03/2017 16:27:49.203:1094) : avc:  denied  { noatsecure } for  pid=8377 comm=mount scontext=system_u:system_r:automount_t:s0 tcontext=system_u:system_r:mount_t:s0 tclass=process permissive=0 

This looks relevant (showed after running `semodule -DB`).
Comment 9 Simo Sorce 2017-04-03 16:55:56 UTC 
Not sure it is, this sounds like autofs simply calling a mount command, not related to the gss_t context which is the one affected by this bug.
Comment 10 Robbie Harwood 2017-04-03 17:01:28 UTC 
You're right, I grabbed the wrong one.  Here are all of them:

type=AVC msg=audit(04/03/2017 17:00:27.684:1174) : avc:  denied  { rlimitinh } for  pid=8643 comm=nfs-utils_env.s scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process permissive=0 
----
type=AVC msg=audit(04/03/2017 17:00:27.684:1175) : avc:  denied  { siginh } for  pid=8643 comm=nfs-utils_env.s scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process permissive=0 
----
type=AVC msg=audit(04/03/2017 17:00:27.684:1176) : avc:  denied  { noatsecure } for  pid=8643 comm=nfs-utils_env.s scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process permissive=0 
----
type=AVC msg=audit(04/03/2017 17:00:27.684:1177) : avc:  denied  { read write } for  pid=1 comm=systemd path=socket:[463910] dev="sockfs" ino=463910 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_stream_socket permissive=0 
----
type=AVC msg=audit(04/03/2017 17:00:27.689:1180) : avc:  denied  { rlimitinh } for  pid=8646 comm=rpc.gssd scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:gssd_t:s0 tclass=process permissive=0 
----
type=AVC msg=audit(04/03/2017 17:00:27.689:1181) : avc:  denied  { read write } for  pid=1 comm=systemd path=socket:[463438] dev="sockfs" ino=463438 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_stream_socket permissive=0 
----
type=AVC msg=audit(04/03/2017 17:00:27.689:1182) : avc:  denied  { noatsecure } for  pid=8646 comm=rpc.gssd scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:gssd_t:s0 tclass=process permissive=0 

These happen when rpc-gssd is restarted.  (The one earlier for mount happens when I actually try to access the directory in the reproducer.)
Comment 11 Robbie Harwood 2017-04-03 18:35:11 UTC 
With gssd_t, gssproxy_t, and init_t added to permissive, the attached are generated on gssproxy restart.

No messages seem to be triggered on rpc-gssd restart or on the original reproducer.
Comment 12 Robbie Harwood 2017-04-03 18:35:43 UTC 
Created attachment 1268456 [details]
gssproxy avcs
Comment 13 Simo Sorce 2017-04-03 18:40:17 UTC 
Thanks Robbie,
Lukas, I think the policy needs to enable all of these.
Comment 15 Simo Sorce 2017-04-04 13:46:57 UTC 
Lukas, can we get this in Fedora too so we can test more easily on our side that the policy indeed covers all the cases now ?
Comment 19 errata-xmlrpc 2017-08-01 15:24:23 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1861