Bug 1729756 - rpc-gssd cannot create security context if selinux is enforcing
Summary: rpc-gssd cannot create security context if selinux is enforcing
Keywords:
Status: NEW
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: nfs-utils
Version: 7.6
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: Steve Dickson
QA Contact: Yongcheng Yang
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2019-07-14 09:44 UTC by Lukas Hejtmanek
Modified: 2019-07-22 23:42 UTC
CC List: 2 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Target Upstream Version:

Description Lukas Hejtmanek 2019-07-14 09:44:00 UTC
Description of problem:
If selinux is enforcing and NFSv4 client uses KRB5 security and ssh is configured with GSSAPI, rpc.gssd cannot create security context:
rpc.gssd[75903]: ERROR: GSS-API: error in gss_acquire_cred(): GSS_S_FAILURE (Unspecified GSS failure.  Minor code may provide more information) - (0x9ae73ac4)
rpc.gssd[75903]: WARNING: Failed while limiting krb5 encryption types for user with uid 0
rpc.gssd[75903]: WARNING: Failed to create machine krb5context with cred cache FILE:/tmp/krb5ccmachine_ICS.MUNI.CZ for server storage-brno3-cerit.metacentrum.cz

I believe this is due to:
type=AVC msg=audit(1563060569.732:5664): avc:  denied  { unlink } for  pid=46136 comm="rpc.gssd" name="krb5cc_0" dev="md126p4" ino=67160166 scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=1

this is the file:
ls -Z /tmp/krb5cc_0
-rw-------. root root system_u:object_r:gssd_tmp_t:s0  /tmp/krb5cc_0

If I set SELinux to permissive, everything works.

Version-Release number of selected component (if applicable):
everything from 7.6 RHEL up to date.

Comment 2 Yongcheng Yang 2019-07-15 03:36:19 UTC
(In reply to Lukas Hejtmanek from comment #0)
Hey Lukas,

I didn't see this AVC during my krb5/NFS testings.

> this is the file:
> ls -Z /tmp/krb5cc_0
> -rw-------. root root system_u:object_r:gssd_tmp_t:s0  /tmp/krb5cc_0

It's different from my side:

[root]# ls -Z /tmp/krb5cc_0
-rw-------. root root unconfined_u:object_r:user_tmp_t:s0 /tmp/krb5cc_0
[root]# getenforce
Enforcing

> 
> Version-Release number of selected component (if applicable):
> everything from 7.6 RHEL up to date.

By the way, have you tried any version before 7.6? Does it work as expected?

Comment 3 Lukas Hejtmanek 2019-07-15 12:41:39 UTC
Did you try to mount any kerberized NFS volume while there is that -rw-------. root root unconfined_u:object_r:user_tmp_t:s0 /tmp/krb5cc_0 file?

I did not test any previous version.

Comment 4 Yongcheng Yang 2019-07-19 07:43:58 UTC
Okay, after mounting as krb5, the "security context" is updated to "system_u:object_r:gssd_tmp_t:s0".

But I still didn't encounter the failure of comment #0:
-----------------------------------------------------
[root ~]# mount -t nfs4 -o sec=krb5 $HOSTNAME:/ /mnt/
[root ~]# nfsstat -m
/mnt from rhel-7.7.redhat.com:/
 Flags: rw,relatime,vers=4.1,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=krb5,clientaddr=10.10.10.10,local_lock=none,addr=10.10.10.10

[root ~]# ls -Z /tmp/krb5cc_0
-rw-------. root root system_u:object_r:gssd_tmp_t:s0  /tmp/krb5cc_0
                      ^^^^^^^^^
[root ~]# grep gssd /var/log/messages | egrep -i "err|warn"
[root ~]# grep denied /var/log/audit/audit.log 
[root ~]#

Comment 5 Lukas Hejtmanek 2019-07-22 23:42:09 UTC
[root@ursa ~]# sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      31
[root@ursa ~]#

[root@ursa ~]# mount -t nfs4 -o sec=krb5 storage-brno1-cerit.metacentrum.cz:/ /mnt/storage-brno1-cerit
mount.nfs4: access denied by server while mounting storage-brno1-cerit.metacentrum.cz:/
[root@ursa ~]# ls -Z /tmp/krb5cc_0
-rw-------. root root system_u:object_r:tmp_t:s0       /tmp/krb5cc_0
[root@ursa ~]# 

[root@ursa ~]# date
Tue Jul 23 01:35:50 CEST 2019
[root@ursa ~]# grep gssd /var/log/messages | egrep -i "err|warn"
[root@ursa ~]# grep denied /var/log/audit/audit.log
type=AVC msg=audit(1563838547.187:235): avc:  denied  { unlink } for  pid=45595 comm="rpc.gssd" name="krb5cc_0" dev="md126p4" ino=67160166 scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1563838547.189:236): avc:  denied  { unlink } for  pid=45595 comm="rpc.gssd" name="krb5cc_0" dev="md126p4" ino=67160166 scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1563838547.191:237): avc:  denied  { unlink } for  pid=45595 comm="rpc.gssd" name="krb5cc_0" dev="md126p4" ino=67160166 scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1563838547.193:238): avc:  denied  { unlink } for  pid=45595 comm="rpc.gssd" name="krb5cc_0" dev="md126p4" ino=67160166 scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1563838547.196:239): avc:  denied  { unlink } for  pid=45595 comm="rpc.gssd" name="krb5cc_0" dev="md126p4" ino=67160166 scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1563838547.198:240): avc:  denied  { unlink } for  pid=45595 comm="rpc.gssd" name="krb5cc_0" dev="md126p4" ino=67160166 scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1563838547.252:241): avc:  denied  { unlink } for  pid=45595 comm="rpc.gssd" name="krb5cc_0" dev="md126p4" ino=67160166 scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1563838547.254:242): avc:  denied  { unlink } for  pid=45595 comm="rpc.gssd" name="krb5cc_0" dev="md126p4" ino=67160166 scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1563838547.256:243): avc:  denied  { unlink } for  pid=45595 comm="rpc.gssd" name="krb5cc_0" dev="md126p4" ino=67160166 scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1563838547.257:244): avc:  denied  { unlink } for  pid=45595 comm="rpc.gssd" name="krb5cc_0" dev="md126p4" ino=67160166 scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1563838547.270:245): avc:  denied  { unlink } for  pid=45595 comm="rpc.gssd" name="krb5cc_0" dev="md126p4" ino=67160166 scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1563838547.272:246): avc:  denied  { unlink } for  pid=45595 comm="rpc.gssd" name="krb5cc_0" dev="md126p4" ino=67160166 scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=0

[root@ursa ~]# rm /tmp/krb5cc_0
rm: remove regular file ‘/tmp/krb5cc_0’? y
[root@ursa ~]# mount -t nfs4 -o sec=krb5 storage-brno1-cerit.metacentrum.cz:/ /mnt/storage-brno1-cerit
[root@ursa ~]# 

[root@ursa ~]# ls -Z /tmp/krb5cc_0
-rw-------. root root system_u:object_r:gssd_tmp_t:s0  /tmp/krb5cc_0
[root@ursa ~]#
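Detection logic for the denial pattern shown in this report, added here as an example (it is not part of the bug report or of nfs-utils): it parses kernel AVC records like the ones above, keeps only denials where rpc.gssd (gssd_t) is refused access to a krb5cc* file carrying a label other than gssd_tmp_t, and collapses the repeated records into one finding per (file, label, permission). The sample audit lines are constructed for the example, modelled on the records in comment 5.

```python
import re
from collections import Counter

# Constructed sample audit records modelled on the AVC lines in this report
# (the pids, inodes and timestamps are made up, not taken from a real system).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1563838547.187:235): avc:  denied  { unlink } for  pid=45595 comm="rpc.gssd" name="krb5cc_0" dev="md126p4" ino=67160166 scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1563838547.189:236): avc:  denied  { unlink } for  pid=45595 comm="rpc.gssd" name="krb5cc_0" dev="md126p4" ino=67160166 scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1563838600.001:240): avc:  denied  { read } for  pid=1200 comm="httpd" name="index.html" dev="sda1" ino=42 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1563838547.187:235): arch=c000003e syscall=87 success=no exit=-13
"""
# Kernel AVC record layout: result, { permissions }, then key=value pairs.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+'
    r'pid=(?P<pid>\d+) comm="(?P<comm>[^"]*)"'
    r'(?: name="(?P<name>[^"]*)")?(?: dev="(?P<dev>[^"]*)")?(?: ino=(?P<ino>\d+))?'
    r' scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
    r'(?: permissive=(?P<permissive>[01]))?'
)

def parse_avc(line):
    """Return a dict of the AVC fields, or None for non-AVC records (SYSCALL, PATH, ...)."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()   # "{ read write }" -> ["read", "write"]
    return rec

def selinux_type(context):
    """Extract the type field from user:role:type:level, e.g. gssd_t or tmp_t."""
    return context.split(":")[2]

def find_gssd_ccache_denials(audit_text):
    """Count denials matching this report: gssd_t refused an operation on a krb5cc*
    file whose label is anything but gssd_tmp_t. Key: (file name, label type, perm)."""
    findings = Counter()
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied" or rec["tclass"] != "file":
            continue
        if selinux_type(rec["scontext"]) != "gssd_t" or not (rec["name"] or "").startswith("krb5cc"):
            continue
        target_type = selinux_type(rec["tcontext"])
        if target_type == "gssd_tmp_t":
            continue                      # correctly labelled cache; not this bug
        for perm in rec["perms"]:
            findings[(rec["name"], target_type, perm)] += 1
    return findings
```

Running `find_gssd_ccache_denials` over the constructed sample yields a single finding, `krb5cc_0` labelled `tmp_t` denied `unlink` twice, while the unrelated httpd denial and the SYSCALL record are ignored.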