Description of problem:
I have a group of workstations using Kerberos + LDAP + NFS. On the server, I am getting an AVC denying rpc.svcgssd write access to /var/kerberos/krb5kdc/kdc.conf. I have no idea why it would need to write kdc.conf.

avc: denied { write } for comm="rpc.svcgssd" dev=dm-0 egid=0 euid=0 exe="/usr/sbin/rpc.svcgssd" exit=0 fsgid=0 fsuid=0 gid=0 items=0 name="kdc.conf" pid=3344 scontext=system_u:system_r:gssd_t:s0 sgid=0 subj=system_u:system_r:gssd_t:s0 suid=0 tclass=file tcontext=system_u:object_r:krb5kdc_conf_t:s0 tty=(none) uid=0

Version-Release number of selected component (if applicable):
selinux-policy-2.4.6-35.fc6

How reproducible:
Always

Steps to Reproduce:
1. Set up Kerberos
2.
3.

Actual results:
rpc.svcgssd is denied write access to kdc.conf

Expected results:
I expect that rpc.svcgssd doesn't need to write kdc.conf, but I don't know how it is implemented.

Additional info:
Are you running in permissive mode? The kerberos libraries are designed to check the access of all files that they are managing/reading. So when the library loads it checks whether it has write access to kdc.conf. This triggers the AVC. We have reading of these dontaudited, and I would have expected the library not to check the write if the read failed, but in permissive mode it would have continued. I will add a dontaudit for the write to prevent the AVC in the future.
Yes, I am running in permissive mode. Enforcing mode just wasn't working at all when I first tried it. However, since this is the only AVC I've gotten in the last several days, it appears likely that you've fixed the other issues. I'll try enforcing mode again and see how it goes. Thanks!
Should work fine in enforcing mode. Please report any problems you see. Dontaudit attempt to write in selinux-policy-2.4.6-38
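The fix described in the two maintainer comments above is a dontaudit rule in the distribution policy: the denial is still enforced, it just stops being logged because the access check is a known-benign probe by the Kerberos libraries. The script below is an added example, not from this bug report or from the Fedora selinux-policy package. It takes the AVC record from the report (embedded inline as constructed sample input), parses the source type, target type, object class and permission set out of it, and emits the equivalent dontaudit rule plus a minimal local policy module in which an administrator could ship such a rule on their own system. The module name local_gssd_dontaudit and the rule layout are assumptions; the real policy change in selinux-policy-2.4.6-38 is not visible on this page.

```shell
#!/bin/sh
# Constructed sample input: the AVC record quoted in the bug report, kept inline
# so the script runs offline without an audit log.
AVC_LINE='avc: denied { write } for comm="rpc.svcgssd" dev=dm-0 egid=0 euid=0 exe="/usr/sbin/rpc.svcgssd" exit=0 fsgid=0 fsuid=0 gid=0 items=0 name="kdc.conf" pid=3344 scontext=system_u:system_r:gssd_t:s0 sgid=0 subj=system_u:system_r:gssd_t:s0 suid=0 tclass=file tcontext=system_u:object_r:krb5kdc_conf_t:s0 tty=(none) uid=0'

# Pull one key=value field out of an AVC record, e.g. avc_field "$line" tclass -> file
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# The type is the third colon-separated component of a context (user:role:type:level).
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Extract the permission set inside "denied { ... }" and trim trailing whitespace.
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([^}]*\)}.*/\1/p' | sed 's/[[:space:]]*$//'
}

# Turn one AVC denial into a dontaudit rule in policy language.
# A dontaudit rule silences the log message only; the access stays denied.
avc_to_dontaudit() {
    _line=$1
    _stype=$(context_type "$(avc_field "$_line" scontext)")
    _ttype=$(context_type "$(avc_field "$_line" tcontext)")
    _tclass=$(avc_field "$_line" tclass)
    _perms=$(avc_perms "$_line")
    printf 'dontaudit %s %s:%s { %s };\n' "$_stype" "$_ttype" "$_tclass" "$_perms"
}

# Wrap the rule into a minimal local policy module (module name is an assumption).
# An administrator would build and load it with:
#   checkmodule -M -m -o local_gssd_dontaudit.mod local_gssd_dontaudit.te
#   semodule_package -o local_gssd_dontaudit.pp -m local_gssd_dontaudit.mod
#   semodule -i local_gssd_dontaudit.pp
avc_to_module() {
    _line=$1
    _stype=$(context_type "$(avc_field "$_line" scontext)")
    _ttype=$(context_type "$(avc_field "$_line" tcontext)")
    _tclass=$(avc_field "$_line" tclass)
    _perms=$(avc_perms "$_line")
    printf 'module local_gssd_dontaudit 1.0;\n\n'
    printf 'require {\n\ttype %s;\n\ttype %s;\n\tclass %s { %s };\n}\n\n' \
        "$_stype" "$_ttype" "$_tclass" "$_perms"
    avc_to_dontaudit "$_line"
}

# Usage: print the module for the sample record.
avc_to_module "$AVC_LINE"
```

Before silencing a denial this way, confirm the access really is unnecessary, as the maintainer did here (the library only probes writability and works without it). If a daemon actually needs the access, the rule to generate is allow, not dontaudit, and the right place for it is usually a distribution bug rather than a local module. audit2allow -D produces the same kind of dontaudit output from a full audit log.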
My main page told me to verify this, so I'm changing the status to "Verified" (because it does work for me) and hoping that's really what I am supposed to do. If I've made an error, whack me with a clue stick.
Fedora apologizes that these issues have not been resolved yet. We're sorry it's taken so long for your bug to be properly triaged and acted on. We appreciate the time you took to report this issue and want to make sure no important bugs slip through the cracks. If you're currently running a version of Fedora Core between 1 and 6, please note that Fedora no longer maintains these releases. We strongly encourage you to upgrade to a current Fedora release. In order to refocus our efforts as a project we are flagging all of the open bugs for releases which are no longer maintained and closing them. http://fedoraproject.org/wiki/LifeCycle/EOL If this bug is still open against Fedora Core 1 through 6, thirty days from now, it will be closed 'WONTFIX'. If you can reproduce this bug in the latest Fedora version, please change to the respective version. If you are unable to do this, please add a comment to this bug requesting the change. Thanks for your help, and we apologize again that we haven't handled these issues to this point. The process we are following is outlined here: http://fedoraproject.org/wiki/BugZappers/F9CleanUp We will be following the process here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping to ensure this doesn't happen again. And if you'd like to join the bug triage team to help make things better, check out http://fedoraproject.org/wiki/BugZappers
This was solved long ago as indicated in Comment #3.