Bug 1951093 - RFE: Grant rpc.gssd access to $HOME/.k5identity in selinux-policy
Summary: RFE: Grant rpc.gssd access to $HOME/.k5identity in selinux-policy
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: selinux-policy
Version: 8.5
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: beta
Target Release: 8.5
Assignee: Patrik Koncity
QA Contact: Amith
URL:
Whiteboard:
Depends On:
Blocks: 1868087 1995594
Reported: 2021-04-19 15:47 UTC by Jacob Shivers
Modified: 2024-12-20 19:55 UTC (History)
CC: 10 users

Fixed In Version: selinux-policy-3.14.3-71.el8
Doc Type: Enhancement
Doc Text:
Feature: Support in selinux-policy to allow rpc.gssd to apply the rules from $HOME/.k5identity. Reason: BZ#1868087 extends the rpc.gssd capability to scan for $HOME/.k5identity to know the preferred UPN when reading the user's DEFCKTNAME, but SELinux prevents access to $HOME and $HOME/.k5identity. Result: rpc.gssd has access to the required files, so which Kerberos principals are used to access a given resource can be managed.
Clone Of:
Clones: 1980610 1995594
Environment:
Last Closed: 2021-11-09 19:43:05 UTC
Type: Bug
Target Upstream Version:
Embargoed:
pm-rhel: mirror+


Attachments: (none)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 5311981 0 None None None 2021-04-19 15:51:21 UTC
Red Hat Product Errata RHBA-2021:4420 0 None None None 2021-11-09 19:43:42 UTC

Internal Links: 1980610

Description Jacob Shivers 2021-04-19 15:47:27 UTC
Description of problem:


BZ1868087 extends rpc.gssd capability to scan for $HOME/.k5identity to know the preferred UPN when reading the user's DEFCKTNAME. If rpc.gssd is properly constrained, SELinux prevents access to $HOME and $HOME/.k5identity.

SELinux needs to include a means to grant access to those files even when rpc.gssd is running with the effective UID of the user who invoked the process.

Version-Release number of selected component (if applicable):

RHEL 8.5, though an 8.4z may be necessary
Fedora 34.

How reproducible:

100%

Steps to Reproduce:
1. Install nfs-utils from BZ1868087
2. Create user $HOME/.k5identity file for test user.
3. Mount then access Kerberized NFS share as user leveraging DEFCKTNAME

Actual results:

rpc.gssd will acquire a TGT with the first principal found in DEFCKTNAME and will not match based on rules in $HOME/.k5identity.

Expected results:

Principal associated with nfs server defined in $HOME/.k5identity is used by rpc.gssd.

Additional info:

BZ1868087#18 demonstrates this behavior.

To address the above behavior, rpc.gssd requires:

SELinux search capability for $HOME which is labeled user_home_dir_t
SELinux open, read, getattr capability for $HOME/.k5identity which is currently labeled user_home_t.

$HOME/.k5identity should probably be changed to krb5_home_t by default to match $HOME/.k5login and $HOME/.k5users as noted below.

# semanage fcontext -l | grep k5
/home/[^/]+/\.k5login                              regular file       unconfined_u:object_r:krb5_home_t:s0 
/home/[^/]+/\.k5users                              regular file       unconfined_u:object_r:krb5_home_t:s0 
/root/\.k5login                                    regular file       system_u:object_r:krb5_home_t:s0 
/root/\.k5users                                    regular file       system_u:object_r:krb5_home_t:s0

It is suggested that a boolean be used to grant the required access to rpc.gssd, as the requirement is not the default behavior for the binary. The use_nfs_home_dirs boolean has been used where NFS activity is specific to a certain use case rather than the default behavior.
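The description above lists the exact access rpc.gssd (gssd_t) needs and argues that $HOME/.k5identity should be relabeled krb5_home_t rather than granting gssd_t access to generic user_home_t content. The following is an added example, not code from this bug, from selinux-policy or from audit2allow: it parses AVC denials in the format quoted later in this bug (the search denial is the line from comment 5; the two file denials are constructed here to stand in for the open/read/getattr denials the description refers to), aggregates them into CIL allow rules, and, where a narrower file context is defined for the denied path, suggests the relabel plus a rule on the narrower type instead. The fcontext specs are the .k5login/.k5users entries from the description plus the .k5identity entry this bug's fix introduces; the CIL rules and semanage/restorecon commands it emits are what a local policy module on a pre-fix system would need.

```python
import re

# Sample audit lines: the first is the AVC quoted in comment 5 of this bug;
# the other two are constructed here to stand in for the getattr and
# open/read denials on the file itself that the description refers to.
SAMPLE_AVCS = """\
type=AVC msg=audit(1620890462.356:230): avc:  denied  { search } for  pid=20665 comm="rpc.gssd" name="testUser" dev="dm-0" ino=67330672 scontext=system_u:system_r:gssd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1620890462.357:231): avc:  denied  { getattr } for  pid=20665 comm="rpc.gssd" path="/home/testUser/.k5identity" dev="dm-0" ino=67330680 scontext=system_u:system_r:gssd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1620890462.357:232): avc:  denied  { read open } for  pid=20665 comm="rpc.gssd" path="/home/testUser/.k5identity" dev="dm-0" ino=67330680 scontext=system_u:system_r:gssd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
"""

# File context specs for Kerberos files in home directories: .k5login and
# .k5users are from the `semanage fcontext -l | grep k5` output in the
# description; .k5identity is the label this bug's fix adds.
KRB5_HOME_SPECS = [
    (r"/home/[^/]+/\.k5login", "krb5_home_t"),
    (r"/home/[^/]+/\.k5users", "krb5_home_t"),
    (r"/home/[^/]+/\.k5identity", "krb5_home_t"),
]

PERMS_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return perms, source/target types, class and object name/path of one
    AVC denial, or None if the line is not an AVC denial."""
    m = PERMS_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    return {
        "perms": set(m.group(1).split()),
        "stype": fields["scontext"].split(":")[2],   # user:role:TYPE:level
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "path": fields.get("path") or fields.get("name"),
    }


def refine_target(avc):
    """Prefer a narrower label when one is defined for the denied file.
    Returns (type, fcontext_spec); spec is None when no relabel is needed."""
    if avc["tclass"] == "file" and avc["path"]:
        for spec, ftype in KRB5_HOME_SPECS:
            if re.fullmatch(spec, avc["path"]) and ftype != avc["ttype"]:
                return ftype, spec
    return avc["ttype"], None


def suggest_policy(audit_text):
    """Aggregate denials into CIL allow rules on the narrowest target type,
    plus the semanage/restorecon commands for any relabel that enables it."""
    grants = {}      # (stype, ttype, tclass) -> set of perms
    relabels = {}    # path -> (fcontext spec, type)
    for line in audit_text.splitlines():
        avc = parse_avc(line)
        if avc is None:
            continue
        ttype, spec = refine_target(avc)
        if spec is not None:
            relabels[avc["path"]] = (spec, ttype)
        key = (avc["stype"], ttype, avc["tclass"])
        grants.setdefault(key, set()).update(avc["perms"])

    cil = ["(allow %s %s (%s (%s)))" % (s, t, c, " ".join(sorted(p)))
           for (s, t, c), p in sorted(grants.items())]
    commands = []
    for path, (spec, ftype) in sorted(relabels.items()):
        commands.append("semanage fcontext -a -t %s '%s'" % (ftype, spec))
        commands.append("restorecon -v %s" % path)
    return cil, commands


if __name__ == "__main__":
    rules, cmds = suggest_policy(SAMPLE_AVCS)
    print("\n".join(rules))
    print("\n".join(cmds))
```

On the sample input this yields `(allow gssd_t krb5_home_t (file (getattr open read)))` and `(allow gssd_t user_home_dir_t (dir (search)))`, whereas a plain audit2allow run over the same denials would produce an allow on user_home_t, which lets gssd_t read any file in every home directory. The search on user_home_dir_t is unavoidable, since the daemon has to traverse $HOME to reach the file. On a system that already carries the fix, the `semanage fcontext -a` command fails because the spec is already defined in the policy; use `restorecon` alone. If the boolean suggested above is wanted, the allow rules would be wrapped in a CIL `booleanif` block.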

Comment 3 Patrik Koncity 2021-05-27 13:05:32 UTC
(In reply to Jacob Shivers from comment #0)

Hi Jacob,

Could you explain step by step how to reproduce this bug?

> Steps to Reproduce:

Also, could you send a link to the nfs-utils rpm? It seems like the links in the other bugzilla are no longer valid.

> 1. Install nfs-utils from BZ1868087
> 2. Create user $HOME/.k5identity file for test user.
> 3. Mount then access Kerberized NFS share as user leveraging DEFCKTNAME

Comment 4 Jacob Shivers 2021-05-27 13:52:44 UTC
(In reply to Patrik Koncity from comment #3)
> (In reply to Jacob Shivers from comment #0)
> 
> Hi Jacob,
> 
> Could you explain step by step how to reproduce this bug?
> 

Certainly

> > Steps to Reproduce:
> 
> Also, could you send a link to the nfs-utils rpm? It seems like the links in
> the other bugzilla are no longer valid.
> 
> > 1. Install nfs-utils from BZ1868087
> > 2. Create user $HOME/.k5identity file for test user.
> > 3. Mount then access Kerberized NFS share as user leveraging DEFCKTNAME

The original test rpms have expired, but I have original copies saved at http://file.rdu.redhat.com/~jshivers/test_rpms/bugzillas/1868087/. Updated test RPMs can also be found at https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=36725096 for the 8.5 candidate test.

This setup will require a Kerberized environment with a NFS server configured to support Kerberos and a NFS client joined to the same Kerberos realm. c#18 in BZ1868087 goes over the client configuration setup, but the existing infrastructure may be what requires further explanation.

QA for fs has an environment that was used for testing. If this environment can not be accessed, I can certainly set something up that can be accessed for testing and review.

I have an older document that needs updating, including for RHEL8, here ( http://file.rdu.redhat.com/~jshivers/configs/ipa-install_training ) to go over setting up an IPA environment for Kerberized remote filesystems. If anything more specific is needed or further clarity requested, please inform me.

Comment 5 Yongcheng Yang 2021-05-28 01:14:28 UTC
As https://bugzilla.redhat.com/show_bug.cgi?id=1868087#c33
---
type=AVC msg=audit(1620890462.356:230): avc:  denied  { search } for  pid=20665 comm="rpc.gssd" name="testUser" dev="dm-0" ino=67330672 scontext=system_u:system_r:gssd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=0

If this is the warning that is going to be fixed, I can verify the new package with our nfs testcase.

Comment 6 Jacob Shivers 2021-05-28 12:59:09 UTC
(In reply to Yongcheng Yang from comment #5)
> As https://bugzilla.redhat.com/show_bug.cgi?id=1868087#c33
> ---
> type=AVC msg=audit(1620890462.356:230): avc:  denied  { search } for 
> pid=20665 comm="rpc.gssd" name="testUser" dev="dm-0" ino=67330672
> scontext=system_u:system_r:gssd_t:s0
> tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=0
> 
> If this is the warning that going to be fixed, I can verify the new package
> with our nfs testcase.

It should be that error and an open/read error for .k5identity like seen in https://bugzilla.redhat.com/show_bug.cgi?id=1868087#c18

Comment 7 Steve Dickson 2021-05-31 18:56:56 UTC
commit 05bacfed6df3f336c50326c7c6f4c3677c7f7d70
Author: Jacob Shivers <jshivers>
Date:   Mon Mar 15 09:22:57 2021 -0400

    gssd: Add options to rpc.gssd to allow for the use of $HOME/.k5identity file

Comment 8 Yongcheng Yang 2021-06-01 03:34:09 UTC
(In reply to Steve Dickson from comment #7)
> commit 05bacfed6df3f336c50326c7c6f4c3677c7f7d70
> Author: Jacob Shivers <jshivers>
> Date:   Mon Mar 15 09:22:57 2021 -0400
> 
>     gssd: Add options to rpc.gssd to allow for the use of $HOME/.k5identity
> file

Hi SteveD, JFYI that this bug is for selinux-policy (NOT nfs-utils).

Above patch you mentioned has already been imported as https://bugzilla.redhat.com/show_bug.cgi?id=1868087#c22

Comment 9 Steve Dickson 2021-06-01 19:37:08 UTC
(In reply to Yongcheng Yang from comment #8)
> (In reply to Steve Dickson from comment #7)
> > commit 05bacfed6df3f336c50326c7c6f4c3677c7f7d70
> > Author: Jacob Shivers <jshivers>
> > Date:   Mon Mar 15 09:22:57 2021 -0400
> > 
> >     gssd: Add options to rpc.gssd to allow for the use of $HOME/.k5identity
> > file
> 
> Hi SteveD, JFYI that this bug is for selinux-policy (NOT nfs-utils).
> 
> Above patch you mentioned has already been imported as
> https://bugzilla.redhat.com/show_bug.cgi?id=1868087#c22

Thanks! I like bugs like this!!! :-)

Comment 11 Patrik Koncity 2021-06-03 13:47:05 UTC
Hi Jacob,

So I made a build with a possible fix. I labeled $HOME/.k5identity like the other Kerberos files in $HOME and also allowed the additional permissions I saw in the AVCs in c#18 of BZ1868087.

Please, can you try this build and check that everything works properly?

Build: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=37215666

Thanks,
Patrik

Comment 12 Jacob Shivers 2021-06-03 15:58:00 UTC
(In reply to Patrik Koncity from comment #11)
> Hi Jacob,

Hello Patrik,

> 
> So I made a build with a possible fix. I labeled $HOME/.k5identity like the
> other Kerberos files in $HOME and also allowed the additional permissions I
> saw in the AVCs in c#18 of BZ1868087.
> 
> Please, can you try this build and check that everything works properly?

I have tested the build and can confirm that it works properly by allowing
rpc.gssd the necessary access to $HOME/.k5identity.

Testing below. I will note that I had already done a previous chcon for
.k5identity so this is why the label is already different.


# wget 'http://brew-task-repos.usersys.redhat.com/repos/scratch/pkoncity/selinux-policy/3.14.3/67.el8.1951093/selinux-policy-3.14.3-67.el8.1951093-scratch.repo' -P /etc/yum.repos.d/
# dnf update selinux-policy
# systemctl reboot

# grep -v '#' /etc/nfs.conf
[general]
[exportfs]
[gssd]
verbosity=3
use-gss-proxy=1
set-home=0
[lockd]
[mountd]
[nfsdcld]
[nfsdcltrack]
[nfsd]
[statd]
[sm-notify]

# strace -fvttTyyx -s 4096 -o /tmp/rpc.gssd_with_H-rhel8.strace -p $(pidof rpc.gssd) &
# getenforce 
Enforcing

# mount ad-nfs-server.example.net:/secure /mnt/ -o sec=krb5
# su - dean

$ cat .k5identity 
jeff        host=win2k16-*.example.net      service=nfs
troy        host=samba-701.example.net
dean        host=*.example.net      service=nfs

$ ls -lZ .k5identity
-rw-r--r--. 1 dean domain users unconfined_u:object_r:krb5_home_t:s0 179 Feb  7 15:15 .k5identity


$ klist
klist: No credentials cache found (filename: /tmp/krb5cc_602001124)

$ touch /mnt/gssd_with_H-rhel8-$(date +%F).txt
strace: Process 1739 attached

$ ll /mnt/gssd_with_H-rhel8-$(date +%F).txt
-rw-r--r--. 1 dean root 0 Jun  3 11:45 /mnt/gssd_with_H-rhel8-2021-06-03.txt

$ klist
Ticket cache: FILE:/tmp/krb5cc_602001124
Default principal: dean

Valid starting       Expires              Service principal
06/03/2021 11:45:19  06/03/2021 12:00:19  krbtgt/EXAMPLE.NET
06/03/2021 11:45:19  06/03/2021 12:00:19  nfs/ad-nfs-server.example.net

$ logout

# pkill strace

# ausearch -m avc -i -c rpc.gssd -ts today
<no matches>

# egrep 'geteuid|open.*k5identity' /tmp/rpc.gssd_with_H-rhel8.strace | tail -2
1739  11:45:18.317400 geteuid()         = 602001124 <0.000015>
1739  11:45:18.317527 openat(AT_FDCWD, "/home/dean/.k5identity", O_RDONLY) = 14</home/dean/.k5identity> <0.000180>


Thanks for the test package.
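The test above shows the three-line .k5identity of user dean and that the `dean` rule, not the first principal in the keytab, is what rpc.gssd ended up using for nfs/ad-nfs-server.example.net. The following is an added example, not code from this bug, from nfs-utils or from krb5, that implements the rule selection those lines rely on. It assumes the k5identity(5) semantics: one rule per line as "principal field=value ...", the first line whose fields all match wins, realm and service must match exactly, host is a glob pattern, and an unknown field never matches; the case-insensitive host comparison and the default-realm handling are assumptions made here. The rule file is a constructed copy of the one shown in the test output.

```python
import fnmatch

# Constructed copy of the .k5identity rules shown in comment 12 of this bug.
SAMPLE_K5IDENTITY = """\
jeff        host=win2k16-*.example.net      service=nfs
troy        host=samba-701.example.net
dean        host=*.example.net      service=nfs
"""


def parse_k5identity(text):
    """Parse .k5identity: one rule per line, "principal [field=value ...]".
    Blank lines and '#' comments are skipped; a malformed field (no '=')
    drops the whole line. Returns [(principal, {field: value})] in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        principal, *fields = line.split()
        conds = {}
        for item in fields:
            key, sep, value = item.partition("=")
            if not sep:
                break
            conds[key] = value
        else:
            rules.append((principal, conds))
    return rules


def split_server_principal(server):
    """'nfs/ad-nfs-server.example.net@EXAMPLE.NET' -> (service, host, realm)."""
    name, _, realm = server.partition("@")
    service, _, host = name.partition("/")
    return service, host, realm


def rule_matches(conds, service, host, realm):
    """All fields of a rule must match; a rule with no fields matches everything."""
    for key, value in conds.items():
        if key == "realm":
            if value != realm:
                return False
        elif key == "service":
            if value != service:
                return False
        elif key == "host":
            # assumption: host values are globs, compared case-insensitively
            if not fnmatch.fnmatchcase(host.lower(), value.lower()):
                return False
        else:
            return False   # unknown field: the rule can never match
    return True


def select_principal(rules, server, default_realm=None):
    """Return the client principal of the first matching rule, or None when no
    rule matches (the caller then falls back to its default, e.g. the first
    principal in DEFCKTNAME). A principal written without '@' is qualified
    with default_realm when one is given (assumption)."""
    service, host, realm = split_server_principal(server)
    for principal, conds in rules:
        if rule_matches(conds, service, host, realm):
            if "@" not in principal and default_realm:
                return "%s@%s" % (principal, default_realm)
            return principal
    return None


if __name__ == "__main__":
    rules = parse_k5identity(SAMPLE_K5IDENTITY)
    for server in ("nfs/ad-nfs-server.example.net@EXAMPLE.NET",
                   "nfs/win2k16-dc1.example.net@EXAMPLE.NET",
                   "cifs/samba-701.example.net@EXAMPLE.NET"):
        print(server, "->", select_principal(rules, server, "EXAMPLE.NET"))
```

Because the first match wins, rule order matters: moving the catch-all `dean host=*.example.net service=nfs` line to the top would shadow the `jeff` rule for every win2k16-* NFS server. When no rule matches, the selection falls through to the default behaviour described in the bug, the first principal found in DEFCKTNAME.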

Comment 13 Patrik Koncity 2021-06-04 12:05:30 UTC
Hi,

that's great. So I made a PR and after merging it we will deliver this fix to selinux-policy on RHEL-8.5.0.


PR: https://github.com/fedora-selinux/selinux-policy/pull/767

Thanks, 
Patrik

Comment 14 Zdenek Pytela 2021-06-14 06:57:04 UTC
Commit to backport:
commit 434cb2a6cb4092f49f4bba0f045f28c3660d97d1 (HEAD -> rawhide, upstream/rawhide)
Author: Patrik Koncity <pkoncity>
Date:   Mon May 31 15:15:33 2021 +0200

    Label /.k5identity file allow read of this file to rpc.gssd

    Label kerberos file $HOME/.k5identity as krb5_home_t, which
    is the default label for kerberos files in HOME. Also add
    a filetransition for this specific object to
    kerberos_filetrans_admin_home_content() and
    kerberos_filetrans_home_content(), and allow rpc.gssd to
    read these HOME kerberos files. rpc.gssd is a
    daemon which provides strong security for RPC-based protocols
    such as NFS.

    Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1951093

Comment 33 errata-xmlrpc 2021-11-09 19:43:05 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:4420

