Also, this is with current F27 updates-testing:

selinux-policy-3.13.1-283.14.fc27.noarch
sssd-1.16.0-2.fc27.x86_64
sssd-kcm-1.16.0-2.fc27.x86_64
nfs-utils-2.1.1-6.rc5.fc27.x86_64
gssproxy-0.7.0-12.fc27.x86_64
kernel-4.13.12-300.fc27.x86_64

Looking at the changelog for 283.15, I don't see anything which looks related but I will certainly try it out when it hits the repos.

I cannot see a problem why it should not be allowed.

Jasson,
is that only AVC which you can see in permissive mode?

if yes; then you can use custom policy for now.

sh# echo "(allow gssd_t sssd_var_run_t (sock_file (write)))" > /tmp/gssd-kcm.cil 
sh# semodule -i /tmp/gssd-kcm.cil
sh# rm -f /tmp/gssd-kcm.cil

Lukas,

I think we might introduce new macro to make it more clear what is a purpose.
because following line does not look nice to me:
   sssd_run_stream_connect(gssd_t)

maybe can_use_kerberos_kcm(gssd_t) ?

That is indeed the only AVC that is seen in permissive mode.  So far I've just been using the result of audit2allow:

allow gssd_t sssd_var_run_t:sock_file write;

which seems semantically the same as what you suggest.  (Usually I use audit2allow -M whatever and then tell ansible to do semodule -i whatever.pp, but I'm hoping this can be fixed up officially before I have to go that far.)

(In reply to Jason Tibbitts from comment #4)
> That is indeed the only AVC that is seen in permissive mode.  So far I've
> just been using the result of audit2allow:
> 
> allow gssd_t sssd_var_run_t:sock_file write;
> 

That's equivalent of using gssd-kcm.cil.

> which seems semantically the same as what you suggest.  (Usually I use
> audit2allow -M whatever and then tell ansible to do semodule -i whatever.pp,
> but I'm hoping this can be fixed up officially before I have to go that far.)

Thank you very much for running in enforcing mode.
I'll try to contribute patch very soon.

I'm not sure if this warrants a separate bug, but I happened to notice another AVC related to the SSSD KCM:

type=AVC msg=audit(1510696913.427:3141): avc:  denied  { write } for  pid=25547 comm="sshd" name=".heim_org.h5l.kcm-socket" dev="tmpfs" ino=22056 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_var_run_t:s0 tclass=sock_file permissive=0

I believe this happens when a user logs in via SSH using GSSAPI auth.  It does appear to forward the credentials OK (and store them in the KCM) so I'm not sure what, if anything, is broken by this.

I suspect there are several other KCM-related selinux issues around.  I'm not sure if the full set of things which will talk to it has been audited.  However, the can_use_kerberos_kcm() macro proposed earlier does make a good bit of sense.  (To me, at least.)

An update: the above AVC for sshd_t writing to sshd_var_run_t does prevent sshd from creating the credential cache for the user.  So if I have no existing ccache on the machine, I can't log in via ssh because my home directory can't be mounted.

Even in permissive mode, there's just the one AVC.  I'll add it to my local overrides.

selinux-policy-3.13.1-283.16.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-5178e6a393

selinux-policy-3.13.1-283.16.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-5178e6a393

selinux-policy-3.13.1-283.16.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.