1665815 – SELinux sometimes prevents sec=krb5 mounts [rhel-7.6.z]

Bug 1665815 - SELinux sometimes prevents sec=krb5 mounts [rhel-7.6.z]

Summary: SELinux sometimes prevents sec=krb5 mounts [rhel-7.6.z]

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	7.4
Hardware:	All
OS:	Linux
Priority:	urgent
Severity:	urgent
Target Milestone:	rc
Target Release:	---
Assignee:	Lukas Vrabec
QA Contact:	Milos Malik
Docs Contact:	Mirek Jahoda
URL:
Whiteboard:
Depends On:	1487350
Blocks:
TreeView+	depends on / blocked

Reported:	2019-01-14 07:37 UTC by RAD team bot copy to z-stream
Modified:	2019-01-29 17:24 UTC (History)
CC List:	9 users (show)
Fixed In Version:	selinux-policy-3.13.1-229.el7_6.9
Doc Type:	Bug Fix
Doc Text:	Previously, an allow rule for the gssd_t type was missing in the SELinux policy. As a consequence, SELinux in enforcing mode occasionally prevented processes running as gssd_t from accessing kernel keyrings of other processes and could block for example sec=krb5 mounts. The rule has been added to the policy, and processes running as gssd_t are now able to access keyrings of other processes.
Clone Of:	1487350
Environment:
Last Closed:	2019-01-29 17:24:35 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Bugzilla	1532243	0	medium	CLOSED	SELinux is preventing /usr/sbin/rpc.gssd from read access on the key Unknown.	2021-02-22 00:41:40 UTC
Red Hat Product Errata	RHBA-2019:0192	0	None	None	None	2019-01-29 17:24:36 UTC

Description RAD team bot copy to z-stream 2019-01-14 07:37:50 UTC

This bug has been copied from bug #1487350 and has been proposed to be backported to 7.6 z-stream (EUS).

Comment 2 Lukas Vrabec 2019-01-14 11:26:56 UTC

commit a7ea73e34ec7a875c21939b4ee6339f350598549 (HEAD -> rhel7.6-contrib, origin/rhel7.6-contrib)
Author: Lukas Vrabec <lvrabec>
Date:   Sun Jan 13 20:27:19 2019 +0100

    Allow gssd_t domain to read/write kernel keyrings of every domain.
    Resolves: rhbz#1665815
    
    This looks like a race condition bug in nfs version 4 when NFS is using
    kerberos for security.

commit 629d0bd3ce2797a7caf75ad1d6fea2fe2fcb6e05 (HEAD -> rhel7.6-base, origin/rhel7.6-base)
Author: Lukas Vrabec <lvrabec>
Date:   Sun Jan 13 19:29:52 2019 +0100

    Add interface domain_rw_all_domains_keyrings()
    Resolves: rhbz#1665815

Comment 4 Lukas Vrabec 2019-01-17 15:08:08 UTC

commit 767a049360aedc2ca2ae42bbd0f7f0c05af1ee0a (HEAD -> rhel7.6-base, origin/rhel7.6-base)
Author: Lukas Vrabec <lvrabec>
Date:   Thu Jan 17 15:47:09 2019 +0100

    Add new interface domain_manage_all_domains_keyrings()
    
    Resolves: rhbz#1665815


commit b51c2dd75b2de1bf691e455026dc937f7d17f49a (HEAD -> rhel7.6-contrib, origin/rhel7.6-contrib)
Author: Lukas Vrabec <lvrabec>
Date:   Thu Jan 17 15:51:28 2019 +0100

    Allow gssd_t domain to manage kernel keyrings of every domain.
    Resolves: rhbz#1665815
    
    This looks like a race condition bug in nfs version 4 when NFS is using kerberos for security.

Comment 8 errata-xmlrpc 2019-01-29 17:24:35 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:0192

Note You need to log in before you can comment on or make changes to this bug.