With rhel9 nfs-utils being updated to version 2.5.4 (bz1971684), the rhel8 nfs-utils rpc.gssd option "-H/set-home" (introduced in rhel8 via bz1868087) is also usable now. At the same time, the AVC denial can now be observed in rhel9.
So we may also update the rhel9 selinux-policy as was done for rhel8.
https://beaker.engineering.redhat.com/recipes/10262464#task128561351
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 33
selinux-policy-34.1.9-1.el9.noarch
----
time->Thu Jul 8 14:22:32 2021
type=PROCTITLE msg=audit(1625768552.330:403): proctitle="/usr/sbin/rpc.gssd"
type=SYSCALL msg=audit(1625768552.330:403): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7f801001e900 a2=0 a3=0 items=0 ppid=1 pid=20075 auid=4294967295 uid=2049 gid=2049 euid=2049 suid=2049 fsuid=2049 egid=2049 sgid=2049 fsgid=2049 tty=(none) ses=4294967295 comm="rpc.gssd" exe="/usr/sbin/rpc.gssd" subj=system_u:system_r:gssd_t:s0 key=(null)
type=AVC msg=audit(1625768552.330:403): avc: denied { search } for pid=20075 comm="rpc.gssd" name="testUser" dev="dm-0" ino=34023191 scontext=system_u:system_r:gssd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=0
+++ This bug was initially created as a clone of Bug #1951093 +++
Description of problem:
BZ1868087 extends rpc.gssd's capability to scan for $HOME/.k5identity in order to know the preferred UPN when reading the user's DEFCKTNAME. If rpc.gssd is properly constrained, SELinux prevents access to $HOME and $HOME/.k5identity.
SELinux needs to include a means to grant access to those files even when rpc.gssd is running with the effective UID of the user who invoked the process.
Version-Release number of selected component (if applicable):
RHEL 8.5, though an 8.4z may be necessary
Fedora 34.
How reproducible:
100%
Steps to Reproduce:
1. Install nfs-utils from BZ1868087
2. Create user $HOME/.k5identity file for test user.
3. Mount then access Kerberized NFS share as user leveraging DEFCKTNAME
Actual results:
rpc.gssd will acquire a TGT with the first principal found in DEFCKTNAME and will not match based on the rules in $HOME/.k5identity.
Expected results:
The principal associated with the NFS server, as defined in $HOME/.k5identity, is used by rpc.gssd.
Additional info:
BZ1868087#18 demonstrates this behavior.
To address the above behavior, rpc.gssd requires:
SELinux search capability for $HOME, which is labeled user_home_dir_t
SELinux open, read, getattr capability for $HOME/.k5identity, which is currently labeled user_home_t.
$HOME/.k5identity should probably be changed to krb5_home_t by default to match $HOME/.k5login and $HOME/.k5users as noted below.
# semanage fcontext -l | grep k5
/home/[^/]+/\.k5login regular file unconfined_u:object_r:krb5_home_t:s0
/home/[^/]+/\.k5users regular file unconfined_u:object_r:krb5_home_t:s0
/root/\.k5login regular file system_u:object_r:krb5_home_t:s0
/root/\.k5users regular file system_u:object_r:krb5_home_t:s0
It is suggested that a boolean be used to grant the required access to rpc.gssd, as the requirement is not the default behavior for the binary. The use_nfs_home_dirs boolean has been used for cases where NFS activity is specific to a certain use-case rather than the default behavior.
...
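The following shell script is an added example, not part of the bug report or of the selinux-policy project. It shows the two pieces of work the description above calls for: deriving the allow rule from the AVC denial quoted earlier, and rendering a local policy module that grants gssd_t the search/open/read/getattr access behind a boolean, in the spirit of the use_nfs_home_dirs suggestion. The boolean name gssd_read_k5identity, the module name local_gssd_k5identity and the helper function names are assumptions; the types gssd_t, user_home_dir_t and krb5_home_t, and the fcontext regex style, are the ones shown on the page.

```shell
#!/bin/sh
# Added example (not from the bug report or selinux-policy): turn the AVC
# denial into an allow rule and render a boolean-gated local policy module.
# Names gssd_read_k5identity and local_gssd_k5identity are assumptions.

# Constructed copy of the AVC line quoted in the report.
AVC_LINE='type=AVC msg=audit(1625768552.330:403): avc: denied { search } for pid=20075 comm="rpc.gssd" name="testUser" dev="dm-0" ino=34023191 scontext=system_u:system_r:gssd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=0'

# avc_to_allow LINE: print "allow <stype> <ttype>:<tclass> { perms };"
# Extracts the permission set, the type field (third colon-separated field)
# of scontext and tcontext, and the object class, like audit2allow does.
avc_to_allow() {
    line="$1"
    perms=$(printf '%s\n' "$line" | sed -n 's/.*denied *{ *\([^}]*\)}.*/\1/p' | sed 's/ *$//')
    stype=$(printf '%s\n' "$line" | sed -n 's/.*scontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p')
    ttype=$(printf '%s\n' "$line" | sed -n 's/.*tcontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p')
    tclass=$(printf '%s\n' "$line" | sed -n 's/.*tclass=\([^ ]*\).*/\1/p')
    printf 'allow %s %s:%s { %s };\n' "$stype" "$ttype" "$tclass" "$perms"
}

# render_gssd_k5identity_te: emit a local module in audit2allow/checkmodule
# syntax. The rules are off by default and only active when the boolean is
# set, because reading $HOME/.k5identity is not rpc.gssd's default behaviour.
render_gssd_k5identity_te() {
    cat <<'EOF'
module local_gssd_k5identity 1.0;

require {
    type gssd_t;
    type user_home_dir_t;
    type krb5_home_t;
    class dir search;
    class file { open read getattr };
}

# Assumed boolean name; defaults to off.
bool gssd_read_k5identity false;

if (gssd_read_k5identity) {
    # Traverse the user's home directory ($HOME is user_home_dir_t)...
    allow gssd_t user_home_dir_t:dir search;
    # ...and read .k5identity once it carries the krb5_home_t label.
    allow gssd_t krb5_home_t:file { open read getattr };
}
EOF
}

# apply_on_host: label .k5identity like .k5login/.k5users, build and load the
# module, then enable the boolean. Only run with --apply on a real host.
apply_on_host() {
    semanage fcontext -a -t krb5_home_t '/home/[^/]+/\.k5identity'
    semanage fcontext -a -t krb5_home_t '/root/\.k5identity'
    restorecon -v /root/.k5identity /home/*/.k5identity 2>/dev/null
    render_gssd_k5identity_te > local_gssd_k5identity.te
    checkmodule -M -m -o local_gssd_k5identity.mod local_gssd_k5identity.te
    semodule_package -o local_gssd_k5identity.pp -m local_gssd_k5identity.mod
    semodule -i local_gssd_k5identity.pp
    setsebool -P gssd_read_k5identity on
}

if [ "${1:-}" = "--apply" ]; then
    apply_on_host
else
    # Dry run: show the derived rule and the module that would be built.
    avc_to_allow "$AVC_LINE"
    render_gssd_k5identity_te
fi
```

Without `--apply` the script only prints the derived rule (`allow gssd_t user_home_dir_t:dir { search };`) and the module text, so it can be reviewed before anything is loaded. The search rule alone only fixes the denial in the audit log; the file rule on krb5_home_t only helps once .k5identity is relabeled, which is why the fcontext entries mirror the existing .k5login and .k5users ones.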
--- Additional comment from Zdenek Pytela on 2021-06-14 14:57:04 CST ---
Commit to backport:
commit 434cb2a6cb4092f49f4bba0f045f28c3660d97d1 (HEAD -> rawhide, upstream/rawhide)
Author: Patrik Koncity <pkoncity>
Date: Mon May 31 15:15:33 2021 +0200
Label /.k5identity file allow read of this file to rpc.gssd
Label the kerberos file $HOME/.k5identity as krb5_home_t, which
is the default label for kerberos files in HOME. Also add a
filetransition for this specific object to
kerberos_filetrans_admin_home_content() and
kerberos_filetrans_home_content(), and also allow rpc.gssd to
read these HOME kerberos files. Rpc.gssd is a
daemon which provides strong security for RPC-based protocols
such as NFS.
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1951093
...