Bug 1584185 - nfs mount with krb5 fails when selinux is enforcing
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 28
Hardware: Unspecified
OS: Unspecified
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
Reported: 2018-05-30 12:53 UTC by J. Bruce Fields
Modified: 2018-07-29 03:22 UTC

Fixed In Version: selinux-policy-3.14.1-36.fc28
Last Closed: 2018-07-29 03:22:55 UTC
Type: Bug


Attachments
ausearch output (165.61 KB, text/x-vhdl)
2018-06-11 18:50 UTC, J. Bruce Fields

Description J. Bruce Fields 2018-05-30 12:53:36 UTC
A krb5 NFS mount:

  # mount -tnfs -overs=4,sec=krb5 test1.fieldses.org:/exports/xfs /mnt/

results in:

  mount.nfs: access denied by server while mounting test1.fieldses.org:/exports/xfs

and I see this in the logs:

  May 25 16:12:18 test2.fieldses.org audit[4401]: AVC avc:  denied  { write } for  pid=4401 comm="rpc.gssd" scontext=system_u:system_r:gssd_t:s0 tcontext=syste>
  May 25 16:12:18 test2.fieldses.org audit[4368]: AVC avc:  denied  { getattr } for  pid=4368 comm="gssproxy" path="/usr/sbin/rpc.gssd" dev="dm-0" ino=4570293 >
  May 25 16:12:18 test2.fieldses.org gssproxy[4362]: gssproxy[4368]: Unexpected failure in realpath: 13 (Permission denied)
  May 25 16:12:18 test2.fieldses.org gssproxy[4368]: Unexpected failure in realpath: 13 (Permission denied)
  May 25 16:12:18 test2.fieldses.org audit[4401]: AVC avc:  denied  { write } for  pid=4401 comm="rpc.gssd" scontext=system_u:system_r:gssd_t:s0 tcontext=syste>
  May 25 16:12:18 test2.fieldses.org rpc.gssd[4401]: ERROR: GSS-API: error in gss_acquire_cred(): GSS_S_FAILURE (Unspecified GSS failure.  Minor code may provi>
  May 25 16:12:18 test2.fieldses.org rpc.gssd[4401]: WARNING: Failed while limiting krb5 encryption types for user with uid 0
  May 25 16:12:18 test2.fieldses.org rpc.gssd[4401]: WARNING: Failed to create machine krb5 context with cred cache FILE:/tmp/krb5ccmachine_FIELDSES.ORG for se>

But after "setenforce 0" the mount succeeds.

Apologies if this isn't the correct component to assign this to....

Comment 1 Lukas Vrabec 2018-05-30 22:29:08 UTC
Hi, 

Could you please reproduce the scenario and then attach output of:
# ausearch -m AVC -ts today 

Your logs are not complete. 

Thanks,
Lukas.
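
Why the journal excerpt in the description could not be triaged as posted, shown as an added example that is not part of the bug thread or of any Fedora tooling: lines cut at the terminal width (trailing `>`) lose `tcontext` and `tclass`, which a policy fix depends on. The sample lines are constructed, modelled on the excerpt, and the names `parse_avc` and `summarize` are hypothetical.

```python
import re
from collections import Counter

# Constructed sample modelled on the journal excerpt in the description: line 1 is
# cut off (trailing ">"), line 2 is complete with made-up types, line 3 is not AVC.
SAMPLE = [
    'May 25 16:12:18 client audit[4401]: AVC avc:  denied  { write } for  pid=4401 '
    'comm="rpc.gssd" scontext=system_u:system_r:gssd_t:s0 tcontext=syste>',
    'May 25 16:12:19 client audit[4402]: AVC avc:  denied  { read } for  pid=4402 '
    'comm="example" scontext=system_u:system_r:example_t:s0 '
    'tcontext=system_u:object_r:example_file_t:s0 tclass=file permissive=0',
    'May 25 16:12:19 client gssproxy[4368]: Unexpected failure in realpath: 13',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
REQUIRED = ("scontext", "tcontext", "tclass")  # needed to write or review a rule

def parse_avc(line):
    """Return the parsed denial, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rest = m.group("rest").rstrip()
    if rest.endswith(">"):  # truncation marker left by the pager
        rest = rest[:-1]
        if rest and not rest[-1].isspace():
            # The final key=value was cut mid-value; discard it as untrusted.
            rest = rest.rsplit(None, 1)[0] if " " in rest.strip() else ""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    missing = [k for k in REQUIRED if k not in fields]
    return {"perms": m.group("perms").split(), "fields": fields, "missing": missing}

def summarize(lines):
    """Count denials per (comm, source type, perms); list incomplete records."""
    counts, incomplete = Counter(), []
    for lineno, line in enumerate(lines, 1):
        rec = parse_avc(line)
        if rec is None:
            continue
        f = rec["fields"]
        stype = f.get("scontext", "?:?:?").split(":")[2]
        counts[(f.get("comm", "?"), stype, " ".join(rec["perms"]))] += 1
        if rec["missing"]:
            incomplete.append((lineno, rec["missing"]))
    return counts, incomplete

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Any line reported as incomplete has to be re-collected from the audit log itself, which is what the `ausearch -m AVC -ts today` request above does.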

Comment 2 J. Bruce Fields 2018-06-11 18:50:30 UTC
Created attachment 1450178
ausearch output

Comment 3 Fedora Update System 2018-07-25 22:28:35 UTC
selinux-policy-3.14.1-36.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-1050fb248b

Comment 4 Fedora Update System 2018-07-26 16:31:00 UTC
selinux-policy-3.14.1-36.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-1050fb248b

Comment 5 Fedora Update System 2018-07-29 03:22:55 UTC
selinux-policy-3.14.1-36.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.

