Bug 228109 - avc: rpc.svcgssd write to kdc.conf
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 6
Hardware / OS: All / Linux
Priority: medium  Severity: medium
Assigned To: Daniel Walsh
QA Contact: Ben Levenson
Whiteboard: bzcl34nup
Reported: 2007-02-09 19:15 EST by Jerry James
Modified: 2008-04-04 11:10 EDT

Fixed In Version: selinux-policy-2.4.6-38
Doc Type: Bug Fix
Last Closed: 2008-04-04 11:10:41 EDT

Description Jerry James 2007-02-09 19:15:12 EST
Description of problem:
I have a group of workstations using Kerberos + LDAP + NFS.  On the server, I am
getting an AVC denying rpc.svcgssd write access to
/var/kerberos/krb5kdc/kdc.conf.  I have no idea why it would need to write kdc.conf.

avc: denied { write } for comm="rpc.svcgssd" dev=dm-0 egid=0 euid=0
exe="/usr/sbin/rpc.svcgssd" exit=0 fsgid=0 fsuid=0 gid=0 items=0 name="kdc.conf"
pid=3344 scontext=system_u:system_r:gssd_t:s0 sgid=0
subj=system_u:system_r:gssd_t:s0 suid=0 tclass=file
tcontext=system_u:object_r:krb5kdc_conf_t:s0 tty=(none) uid=0

Version-Release number of selected component (if applicable):
selinux-policy-2.4.6-35.fc6

How reproducible:
Always

Steps to Reproduce:
1. Set up Kerberos
Actual results:
rpc.svcgssd is denied write access to kdc.conf

Expected results:
I expect that rpc.svcgssd doesn't need to write kdc.conf, but I don't know how
it is implemented.

Comment 1 Daniel Walsh 2007-02-12 10:37:53 EST
Are you running in permissive mode?

The kerberos libraries are designed to check the access of all files that they
are managing/reading.  So when the library loads it checks whether it has write
access to kdc.conf.  This triggers the AVC.  We have reading of these
dontaudited, and I would have expected the library not to check the write if the
read failed, but in permissive mode it would have continued.  I will add a
dontaudit for the write to prevent the avc in the future.
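As an added illustration of the fix Comment 1 describes (not code from this bug or from the selinux-policy package): the AVC record from the description is parsed into its fields and turned into the matching dontaudit rule, the same way audit2allow would. It also merges several denials for one source/target/class into a single rule; the read denial in the sample set is constructed, mirroring the read check the comment says is already dontaudited.

```python
import re
from collections import defaultdict

# Constructed sample set: the record from the bug description (joined onto one
# line) plus a constructed read denial for the same file.
SAMPLE_AVCS = [
    'avc: denied { write } for comm="rpc.svcgssd" dev=dm-0 egid=0 euid=0 '
    'exe="/usr/sbin/rpc.svcgssd" exit=0 fsgid=0 fsuid=0 gid=0 items=0 '
    'name="kdc.conf" pid=3344 scontext=system_u:system_r:gssd_t:s0 sgid=0 '
    'subj=system_u:system_r:gssd_t:s0 suid=0 tclass=file '
    'tcontext=system_u:object_r:krb5kdc_conf_t:s0 tty=(none) uid=0',
    'avc: denied { read } for comm="rpc.svcgssd" name="kdc.conf" pid=3344 '
    'scontext=system_u:system_r:gssd_t:s0 '
    'tcontext=system_u:object_r:krb5kdc_conf_t:s0 tclass=file',
]

AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the AVC record as a dict (perms as a list), or None if not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"result": m.group("result"), "perms": m.group("perms").split()}
    for key, val in FIELD_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')   # drop the quotes around comm=, exe=, name=
    return rec


def context_type(ctx):
    """user:role:type[:level] -> type, the part policy rules are written against."""
    return ctx.split(":")[2]


def rules_for(lines, kind="dontaudit"):
    """Collapse denials into one '<kind> src tgt:class perms;' rule per key."""
    merged = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        key = (context_type(rec["scontext"]), context_type(rec["tcontext"]), rec["tclass"])
        merged[key].update(rec["perms"])
    out = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else "{ %s }" % " ".join(p)
        out.append("%s %s %s:%s %s;" % (kind, src, tgt, cls, perm_str))
    return out
```

Running rules_for(SAMPLE_AVCS[:1]) yields the single rule that silences the write denial from this bug; passing kind="allow" instead shows what an allow rule would look like, which is not what the maintainer chose here because the write is a library access check, not a real need to modify kdc.conf.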
Comment 2 Jerry James 2007-02-12 11:07:59 EST
Yes, I am running in permissive mode.  Enforcing mode just wasn't working at all
when I first tried it.  However, since this is the only AVC I've gotten in the
last several days, it appears likely that you've fixed the other issues.  I'll
try enforcing mode again and see how it goes.  Thanks!
Comment 3 Daniel Walsh 2007-02-14 15:40:03 EST
Should work fine in enforcing mode.  Please report any problems you see.

Dontaudit attempt to write in selinux-policy-2.4.6-38
Comment 4 Jerry James 2007-07-18 23:53:55 EDT
My main page told me to verify this, so I'm changing the status to "Verified"
(because it does work for me) and hoping that's really what I am supposed to do.
If I've made an error, whack me with a clue stick.
Comment 5 Bug Zapper 2008-04-04 02:10:51 EDT
Fedora apologizes that these issues have not been resolved yet. We're
sorry it's taken so long for your bug to be properly triaged and acted
on. We appreciate the time you took to report this issue and want to
make sure no important bugs slip through the cracks.

If you're currently running a version of Fedora Core between 1 and 6,
please note that Fedora no longer maintains these releases. We strongly
encourage you to upgrade to a current Fedora release. In order to
refocus our efforts as a project we are flagging all of the open bugs
for releases which are no longer maintained and closing them.
http://fedoraproject.org/wiki/LifeCycle/EOL

If this bug is still open against Fedora Core 1 through 6, thirty days
from now, it will be closed 'WONTFIX'. If you can reproduce this bug in
the latest Fedora version, please change to the respective version. If
you are unable to do this, please add a comment to this bug requesting
the change.

Thanks for your help, and we apologize again that we haven't handled
these issues to this point.

The process we are following is outlined here:
http://fedoraproject.org/wiki/BugZappers/F9CleanUp

We will be following the process here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping to ensure this
doesn't happen again.

And if you'd like to join the bug triage team to help make things
better, check out http://fedoraproject.org/wiki/BugZappers
Comment 6 Jerry James 2008-04-04 11:10:41 EDT
This was solved long ago as indicated in Comment #3.
