1729756 – rpc-gssd cannot create security context if selinux is enforcing

Bug 1729756 - rpc-gssd cannot create security context if selinux is enforcing

Summary: rpc-gssd cannot create security context if selinux is enforcing

Keywords:
Status:	NEW
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	nfs-utils
Sub Component:
Version:	7.6
Hardware:	x86_64
OS:	Linux
Priority:	unspecified
Severity:	high
Target Milestone:	rc
Target Release:	---
Assignee:	Steve Dickson
QA Contact:	Yongcheng Yang
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2019-07-14 09:44 UTC by Lukas Hejtmanek
Modified:	2019-07-22 23:42 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Target Upstream Version:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Lukas Hejtmanek 2019-07-14 09:44:00 UTC

Description of problem:
If selinux is enforcing and NFSv4 client uses KRB5 security and ssh is configured with GSSAPI, rpc.gssd cannot create security context:
rpc.gssd[75903]: ERROR: GSS-API: error in gss_acquire_cred(): GSS_S_FAILURE (Unspecified GSS failure.  Minor code may provide more information) - (0x9ae73ac4)
rpc.gssd[75903]: WARNING: Failed while limiting krb5 encryption types for user with uid 0
rpc.gssd[75903]: WARNING: Failed to create machine krb5context with cred cache FILE:/tmp/krb5ccmachine_ICS.MUNI.CZ for server storage-brno3-cerit.metacentrum.cz

I believe, this is due to:
type=AVC msg=audit(1563060569.732:5664): avc:  denied  { unlink } for  pid=46136 comm="rpc.gssd" name="krb5cc_0" dev="md126p4" ino=67160166 scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=1

this is the file:
ls -Z /tmp/krb5cc_0
-rw-------. root root system_u:object_r:gssd_tmp_t:s0  /tmp/krb5cc_0

if I set selinux to permissive, everything works.

Version-Release number of selected component (if applicable):
everything from 7.6 RHEL up to date.

Comment 2 Yongcheng Yang 2019-07-15 03:36:19 UTC

(In reply to Lukas Hejtmanek from comment #0)
Hey Lukas,

I didn't see this AVC during my krb5/NFS testings.

> this is the file:
> ls -Z /tmp/krb5cc_0
> -rw-------. root root system_u:object_r:gssd_tmp_t:s0  /tmp/krb5cc_0

It's different from my side:

[root]# ls -Z /tmp/krb5cc_0
-rw-------. root root unconfined_u:object_r:user_tmp_t:s0 /tmp/krb5cc_0
[root]# getenforce
Enforcing

> 
> Version-Release number of selected component (if applicable):
> everything from 7.6 RHEL up to date.

By the way, have you tried any version before 7.6? Does it work as expected?

Comment 3 Lukas Hejtmanek 2019-07-15 12:41:39 UTC

Did you try to mount any kerberize NFS volume while there is that -rw-------. root root unconfined_u:object_r:user_tmp_t:s0 /tmp/krb5cc_0 file?

I did not test any previous version.

Comment 4 Yongcheng Yang 2019-07-19 07:43:58 UTC

Okay, after mounting as krb5, the "security context" is updated to "system_u:object_r:gssd_tmp_t:s0".

But I still didn't encounter the failure of comment #0:
-----------------------------------------------------
[root ~]# mount -t nfs4 -o sec=krb5 $HOSTNAME:/ /mnt/
[root ~]# nfsstat -m
/mnt from rhel-7.7.redhat.com:/
 Flags: rw,relatime,vers=4.1,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=krb5,clientaddr=10.10.10.10,local_lock=none,addr=10.10.10.10

[root ~]# ls -Z /tmp/krb5cc_0
-rw-------. root root system_u:object_r:gssd_tmp_t:s0  /tmp/krb5cc_0
                      ^^^^^^^^^
[root ~]# grep gssd /var/log/messages | egrep -i "err|warn"
[root ~]# grep denied /var/log/audit/audit.log 
[root ~]#

Comment 5 Lukas Hejtmanek 2019-07-22 23:42:09 UTC

[root@ursa ~]# sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      31
[root@ursa ~]#

[root@ursa ~]# mount -t nfs4 -o sec=krb5 storage-brno1-cerit.metacentrum.cz:/ /mnt/storage-brno1-cerit
mount.nfs4: access denied by server while mounting storage-brno1-cerit.metacentrum.cz:/
[root@ursa ~]# ls -Z /tmp/krb5cc_0
-rw-------. root root system_u:object_r:tmp_t:s0       /tmp/krb5cc_0
[root@ursa ~]# 

[root@ursa ~]# date
Tue Jul 23 01:35:50 CEST 2019
[root@ursa ~]# grep gssd /var/log/messages | egrep -i "err|warn"
[root@ursa ~]# grep denied /var/log/audit/audit.log
type=AVC msg=audit(1563838547.187:235): avc:  denied  { unlink } for  pid=45595 comm="rpc.gssd" name="krb5cc_0" dev="md126p4" ino=67160166 scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1563838547.189:236): avc:  denied  { unlink } for  pid=45595 comm="rpc.gssd" name="krb5cc_0" dev="md126p4" ino=67160166 scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1563838547.191:237): avc:  denied  { unlink } for  pid=45595 comm="rpc.gssd" name="krb5cc_0" dev="md126p4" ino=67160166 scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1563838547.193:238): avc:  denied  { unlink } for  pid=45595 comm="rpc.gssd" name="krb5cc_0" dev="md126p4" ino=67160166 scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1563838547.196:239): avc:  denied  { unlink } for  pid=45595 comm="rpc.gssd" name="krb5cc_0" dev="md126p4" ino=67160166 scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1563838547.198:240): avc:  denied  { unlink } for  pid=45595 comm="rpc.gssd" name="krb5cc_0" dev="md126p4" ino=67160166 scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1563838547.252:241): avc:  denied  { unlink } for  pid=45595 comm="rpc.gssd" name="krb5cc_0" dev="md126p4" ino=67160166 scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1563838547.254:242): avc:  denied  { unlink } for  pid=45595 comm="rpc.gssd" name="krb5cc_0" dev="md126p4" ino=67160166 scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1563838547.256:243): avc:  denied  { unlink } for  pid=45595 comm="rpc.gssd" name="krb5cc_0" dev="md126p4" ino=67160166 scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1563838547.257:244): avc:  denied  { unlink } for  pid=45595 comm="rpc.gssd" name="krb5cc_0" dev="md126p4" ino=67160166 scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1563838547.270:245): avc:  denied  { unlink } for  pid=45595 comm="rpc.gssd" name="krb5cc_0" dev="md126p4" ino=67160166 scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1563838547.272:246): avc:  denied  { unlink } for  pid=45595 comm="rpc.gssd" name="krb5cc_0" dev="md126p4" ino=67160166 scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=0



[root@ursa ~]# rm /tmp/krb5cc_0
rm: remove regular file ‘/tmp/krb5cc_0’? y
[root@ursa ~]# mount -t nfs4 -o sec=krb5 storage-brno1-cerit.metacentrum.cz:/ /mnt/storage-brno1-cerit
[root@ursa ~]# 

[root@ursa ~]# ls -Z /tmp/krb5cc_0
-rw-------. root root system_u:object_r:gssd_tmp_t:s0  /tmp/krb5cc_0
[root@ursa ~]#

Note You need to log in before you can comment on or make changes to this bug.