Bug 209940 - rpc.svcgssd: access to certificates is denied
Status: CLOSED NEXTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 5
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Daniel Walsh
QA Contact: Ben Levenson
Reported: 2006-10-08 11:59 EDT by Joachim Selke
Modified: 2007-11-30 17:11 EST
Doc Type: Bug Fix
Last Closed: 2007-02-14 10:16:59 EST
Description Joachim Selke 2006-10-08 11:59:07 EDT
Description of problem:
I'm using NFS4 shares in combination with an LDAP user directory (secure
connection via TLS). Mounting an NFS4 share on a client does not work due to
SELinux. I get the following audit messages on the server:

type=AVC msg=audit(1160321992.232:70): avc:  denied  { search } for  pid=28777
comm="rpc.svcgssd" name="pki" dev=sda3 ino=27590693
scontext=root:system_r:gssd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir
type=SYSCALL msg=audit(1160321992.232:70): arch=c000003e syscall=2 success=no
exit=-13 a0=555555668ee0 a1=0 a2=1b6 a3=0 items=1 pid=28777 auid=0 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="rpc.svcgssd"
exe="/usr/sbin/rpc.svcgssd" subj=root:system_r:gssd_t:s0
type=CWD msg=audit(1160321992.232:70):  cwd="/"
type=PATH msg=audit(1160321992.232:70): item=0
name="/etc/pki/tls/certs/ca-bundle.crt" obj=system_u:object_r:etc_t:s0
type=AVC msg=audit(1160321992.232:71): avc:  denied  { search } for  pid=28777
comm="rpc.svcgssd" name="pki" dev=sda3 ino=27590693
scontext=root:system_r:gssd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir
type=SYSCALL msg=audit(1160321992.232:71): arch=c000003e syscall=2 success=no
exit=-13 a0=555555668ee0 a1=0 a2=1b6 a3=0 items=1 pid=28777 auid=0 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="rpc.svcgssd"
exe="/usr/sbin/rpc.svcgssd" subj=root:system_r:gssd_t:s0
type=CWD msg=audit(1160321992.232:71):  cwd="/"
type=PATH msg=audit(1160321992.232:71): item=0
name="/etc/pki/tls/certs/ca-bundle.crt" obj=system_u:object_r:etc_t:s0
type=AVC msg=audit(1160321996.240:72): avc:  denied  { search } for  pid=28777
comm="rpc.svcgssd" name="pki" dev=sda3 ino=27590693
scontext=root:system_r:gssd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir
type=SYSCALL msg=audit(1160321996.240:72): arch=c000003e syscall=2 success=no
exit=-13 a0=555555668ee0 a1=0 a2=1b6 a3=0 items=1 pid=28777 auid=0 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="rpc.svcgssd"
exe="/usr/sbin/rpc.svcgssd" subj=root:system_r:gssd_t:s0
type=CWD msg=audit(1160321996.240:72):  cwd="/"
type=PATH msg=audit(1160321996.240:72): item=0
name="/etc/pki/tls/certs/ca-bundle.crt" obj=system_u:object_r:etc_t:s0

It seems to me that rpc.svcgssd is not allowed to access the certificates that
are necessary to use the LDAP connection via TLS.


Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.3.7-2.fc5
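An added example (not part of the bug report) that triages the AVC records above in Python: it parses each audit record, joins every AVC denial to the PATH record that shares the same audit event serial so the denied path is visible next to the denied directory, groups denials by source type, target type, object class and permission, and renders the allow rule that a tool such as audit2allow derives from them. The log lines are constructed from the ones quoted above, re-joined to one record per line as they appear in a real audit.log; the regular expressions and function names are this example's own.

```python
"""Triage SELinux AVC denials from an audit.log excerpt (added example).

Groups the denials by (source type, target type, class, permission), joins
each AVC record to the PATH record of the same audit event so the denied
path is visible, and renders the allow rule a policy tool would derive.
"""
import re
from collections import defaultdict

# Constructed input: the AVC/SYSCALL/CWD/PATH records from the report above,
# one record per line as audit.log stores them (serials 70, 71 and 72).
AUDIT_LOG = """\
type=AVC msg=audit(1160321992.232:70): avc:  denied  { search } for  pid=28777 comm="rpc.svcgssd" name="pki" dev=sda3 ino=27590693 scontext=root:system_r:gssd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir
type=SYSCALL msg=audit(1160321992.232:70): arch=c000003e syscall=2 success=no exit=-13 a0=555555668ee0 a1=0 a2=1b6 a3=0 items=1 pid=28777 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="rpc.svcgssd" exe="/usr/sbin/rpc.svcgssd" subj=root:system_r:gssd_t:s0
type=CWD msg=audit(1160321992.232:70):  cwd="/"
type=PATH msg=audit(1160321992.232:70): item=0 name="/etc/pki/tls/certs/ca-bundle.crt" obj=system_u:object_r:etc_t:s0
type=AVC msg=audit(1160321992.232:71): avc:  denied  { search } for  pid=28777 comm="rpc.svcgssd" name="pki" dev=sda3 ino=27590693 scontext=root:system_r:gssd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir
type=SYSCALL msg=audit(1160321992.232:71): arch=c000003e syscall=2 success=no exit=-13 a0=555555668ee0 a1=0 a2=1b6 a3=0 items=1 pid=28777 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="rpc.svcgssd" exe="/usr/sbin/rpc.svcgssd" subj=root:system_r:gssd_t:s0
type=CWD msg=audit(1160321992.232:71):  cwd="/"
type=PATH msg=audit(1160321992.232:71): item=0 name="/etc/pki/tls/certs/ca-bundle.crt" obj=system_u:object_r:etc_t:s0
type=AVC msg=audit(1160321996.240:72): avc:  denied  { search } for  pid=28777 comm="rpc.svcgssd" name="pki" dev=sda3 ino=27590693 scontext=root:system_r:gssd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir
type=SYSCALL msg=audit(1160321996.240:72): arch=c000003e syscall=2 success=no exit=-13 a0=555555668ee0 a1=0 a2=1b6 a3=0 items=1 pid=28777 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="rpc.svcgssd" exe="/usr/sbin/rpc.svcgssd" subj=root:system_r:gssd_t:s0
type=CWD msg=audit(1160321996.240:72):  cwd="/"
type=PATH msg=audit(1160321996.240:72): item=0 name="/etc/pki/tls/certs/ca-bundle.crt" obj=system_u:object_r:etc_t:s0
"""

# "type=AVC msg=audit(<timestamp>:<serial>): <body>" -- the serial ties the
# AVC, SYSCALL, CWD and PATH records of one event together.
RECORD_RE = re.compile(
    r'^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$')
AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+)\}')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_records(text):
    """Yield (record type, event serial, fields) for each well-formed record."""
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue  # skip anything that is not an audit record
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('body'))}
        avc = AVC_RE.search(m.group('body'))
        if avc:
            fields['result'] = avc.group('result')
            fields['perms'] = avc.group('perms').split()
        yield m.group('type'), int(m.group('serial')), fields


def type_of(context):
    """Return the type component of a user:role:type:level SELinux context."""
    return context.split(':')[2]


def summarize_denials(text):
    """Map (source type, target type, class, permission) -> count and paths."""
    events = defaultdict(list)
    for rtype, serial, fields in parse_records(text):
        events[serial].append((rtype, fields))
    summary = {}
    for records in events.values():
        # Paths come from the PATH record(s) of the same event, not the AVC.
        paths = {f['name'] for t, f in records if t == 'PATH' and 'name' in f}
        for t, f in records:
            if t != 'AVC' or f.get('result') != 'denied':
                continue
            for perm in f['perms']:
                key = (type_of(f['scontext']), type_of(f['tcontext']), f['tclass'], perm)
                entry = summary.setdefault(key, {'count': 0, 'paths': set()})
                entry['count'] += 1
                entry['paths'] |= paths
    return summary


def allow_rules(summary):
    """Render each denial key as the allow rule a policy tool would emit."""
    return sorted(f'allow {s} {t}:{c} {p};' for s, t, c, p in summary)


if __name__ == '__main__':
    result = summarize_denials(AUDIT_LOG)
    for (s, t, c, p), info in sorted(result.items()):
        print(f'{info["count"]}x {s} -> {t}:{c} {{ {p} }} paths={sorted(info["paths"])}')
    print('\n'.join(allow_rules(result)))
```

For this log the summary collapses the three events into a single tuple, gssd_t searching a cert_t directory on the way to /etc/pki/tls/certs/ca-bundle.crt, and the rendered rule is the one-line `allow gssd_t cert_t:dir search;` that a local policy module would carry. Reviewing the grouped tuple before loading a module is the useful step: it makes clear that the denial is on the directory (cert_t), that the file itself is labelled etc_t, and that only the search permission is involved.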
Comment 1 Daniel Walsh 2007-02-14 10:16:59 EST
All of these bugs should be fixed in FC6. You could attempt to use the FC6
policy on FC5 or upgrade. Or you could use

audit2allow -M mypolicy -i /var/log/audit/audit.log

and build a local customized policy.
