From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050512 Fedora/1.0.4-2 Firefox/1.0.4

Description of problem:
With enforcing on, the mount

mount -t nfs4 -o sec=krb5,ro host:/path/to/mount /mnt/mnt

hangs with errors like

May 17 12:25:25 xxx rpc.gssd[1891]: ERROR: can't open clnt0/info: Permission denied
May 17 12:25:25 xxx rpc.gssd[1891]: ERROR: failed to read service info
May 17 12:25:25 xxx kernel: audit(1116329125.396:0): avc: denied { read } for name=info dev=rpc_pipefs ino=2 scontext=system_u:system_r:gssd_t tcontext=system_u:object_r:rpc_pipefs_t tclass=file

With enforcing off it works with warnings

May 17 12:44:38 xxx kernel: audit(1116330278.901:0): avc: denied { read } for name=info dev=rpc_pipefs ino=2 scontext=system_u:system_r:gssd_t tcontext=system_u:object_r:rpc_pipefs_t tclass=file
May 17 12:44:39 xxx kernel: audit(1116330279.045:0): avc: denied { setuid } for capability=7 scontext=system_u:system_r:gssd_t tcontext=system_u:system_r:gssd_t tclass=capability

The file in question is /var/lib/nfs/rpc_pipefs/nfs/clnt0/info (clnt1-clnt3 at least are also possible).

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.23.14-2

How reproducible:
Always

Steps to Reproduce:
1. Try the above mount command

Additional info:
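The two AVC denials quoted in the report, run through a small parser that turns them into the allow rules a local policy module would need. This is an added example, not part of the bug report and not code from the selinux-policy or nfs-utils packages; it reproduces by hand what audit2allow does for these lines (one rule per source type, target type and class, with "self" when source and target types match) and additionally checks that the numeric capability= field agrees with the named permission. The sample log lines are the ones quoted above; the CAP_NAMES table is the assumed numbering from <linux/capability.h>.

```python
import re
from collections import defaultdict

# Constructed sample: the two AVC denials quoted in the bug report above.
SAMPLE_AVC_LINES = [
    "May 17 12:44:38 xxx kernel: audit(1116330278.901:0): avc: denied { read } "
    "for name=info dev=rpc_pipefs ino=2 scontext=system_u:system_r:gssd_t "
    "tcontext=system_u:object_r:rpc_pipefs_t tclass=file",
    "May 17 12:44:39 xxx kernel: audit(1116330279.045:0): avc: denied { setuid } "
    "for capability=7 scontext=system_u:system_r:gssd_t "
    "tcontext=system_u:system_r:gssd_t tclass=capability",
]

# Linux capability numbers (assumed from <linux/capability.h>); only the low
# ones are listed, enough to cross-check capability=7 against "setuid".
CAP_NAMES = {0: "chown", 1: "dac_override", 2: "dac_read_search", 3: "fowner",
             4: "fsetid", 5: "kill", 6: "setgid", 7: "setuid", 8: "setpcap"}

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")


def parse_avc(line):
    """Return a dict describing one AVC denial, or None if the line is not one.

    The dict has a 'perms' list plus every key=value field after 'for'
    (name, dev, ino, capability, scontext, tcontext, tclass, ...).
    """
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, val in re.findall(r"(\w+)=(\S+)", m.group("fields")):
        rec[key] = val
    return rec


def context_type(ctx):
    """user:role:type[:level] -> type"""
    return ctx.split(":")[2]


def denials_to_allow_rules(lines):
    """Collapse AVC denials into SELinux 'allow' rules the way audit2allow does.

    Rules are keyed by (source type, target type, object class); permissions
    for the same key are merged, and the target is written as 'self' when the
    source and target types are identical (the capability denial here).
    """
    merged = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        src = context_type(rec["scontext"])
        tgt = context_type(rec["tcontext"])
        tclass = rec["tclass"]
        if tclass == "capability" and "capability" in rec:
            # The kernel logs both the capability number and its name; a
            # mismatch would mean the table above is wrong for this kernel.
            expected = CAP_NAMES.get(int(rec["capability"]))
            if expected not in rec["perms"]:
                raise ValueError(
                    f"capability={rec['capability']} is {expected}, "
                    f"but the denial names {rec['perms']}")
        key = (src, "self" if src == tgt else tgt, tclass)
        merged[key].update(rec["perms"])
    rules = []
    for (src, tgt, tclass), perms in sorted(merged.items()):
        ps = sorted(perms)
        perm_str = ps[0] if len(ps) == 1 else "{ " + " ".join(ps) + " }"
        rules.append(f"allow {src} {tgt}:{tclass} {perm_str};")
    return rules


if __name__ == "__main__":
    for rule in denials_to_allow_rules(SAMPLE_AVC_LINES):
        print(rule)
```

For the two denials this yields `allow gssd_t rpc_pipefs_t:file read;` and `allow gssd_t self:capability setuid;`. Generated rules are a starting point for review, not a fix: the shipped policy typically expresses the same access through its own interfaces and may grant more than a single read, and a raw "allow everything that was denied" module is how targeted policies get quietly loosened.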
Do you have any idea what executable it is trying to run that is setuid?

Dan
There are 3 processes involved: the mount command, and the daemons rpc.idmapd and rpc.gssd. From an strace of rpc.gssd while the mount command was run I can see the call (in permissive mode)

setresuid32(-1,0,-1)=0

probably in utils/gssd/gssd_proc.c in the nfs-utils package if you want to look at the code.
Fixed in selinux-policy-*-1.23.16-3