Bugzilla (bugzilla.redhat.com) will be under maintenance for infrastructure upgrades and will not be unavailable on July 31st between 12:30 AM - 05:30 AM UTC. We appreciate your understanding and patience. You can follow status.redhat.com for details.
Bug 228109 - avc: rpc.svcgssd write to kdc.conf
Summary: avc: rpc.svcgssd write to kdc.conf
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 6
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
Whiteboard: bzcl34nup
Depends On:
TreeView+ depends on / blocked
Reported: 2007-02-10 00:15 UTC by Jerry James
Modified: 2008-04-04 15:10 UTC (History)
2 users (show)

Fixed In Version: selinux-policy-2.4.6-38
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2008-04-04 15:10:41 UTC
Type: ---

Attachments (Terms of Use)

Description Jerry James 2007-02-10 00:15:12 UTC
Description of problem:
I have a group of workstations using Kerberos + LDAP + NFS.  On the server, I am
getting an AVC denying rpc.svcgssd write access to
/var/kerberos/krb5kdc/kdc.conf.  I have no idea why it would need to write kdc.conf.

avc: denied { write } for comm="rpc.svcgssd" dev=dm-0 egid=0 euid=0
exe="/usr/sbin/rpc.svcgssd" exit=0 fsgid=0 fsuid=0 gid=0 items=0 name="kdc.conf"
pid=3344 scontext=system_u:system_r:gssd_t:s0 sgid=0
subj=system_u:system_r:gssd_t:s0 suid=0 tclass=file
tcontext=system_u:object_r:krb5kdc_conf_t:s0 tty=(none) uid=0

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Set up Kerberos
Actual results:
rpc.svcgssd is denied write access to kdc.conf

Expected results:
I expect that rpc.svcgssd doesn't need to write kdc.conf, but I don't know how
it is implemented.

Additional info:

Comment 1 Daniel Walsh 2007-02-12 15:37:53 UTC
Are you running in permissive mode?

The kerberos libraries are designed to check the access of all files that they
are manageing/reading.  So when the library loads it checks whether it has write
access to kdc.conf.  This triggers the AVC.  We have reading  of these
dontaudited, and I would have expected the library not to check the write if the
read failed, but in permissive mode it would have continued.  I will add a
dontaudit for the write to prevent the avc in the future. 

Comment 2 Jerry James 2007-02-12 16:07:59 UTC
Yes, I am running in permissive mode.  Enforcing mode just wasn't working at all
when I first tried it.  However, since this is the only AVC I've gotten in the
last several days, it appears likely that you've fixed the other issues.  I'll
try enforcing mode again and see how it goes.  Thanks!

Comment 3 Daniel Walsh 2007-02-14 20:40:03 UTC
Should work fine in enforcing mode.  Please report any problems you see.

Dontaudit attempt to write in 

Comment 4 Jerry James 2007-07-19 03:53:55 UTC
My main page told me to verify this, so I'm changing the status to "Verified"
(because it does work for me) and hoping that's really what I am supposed to do.
 If I've made an error, whack me with a clue stick.

Comment 5 Bug Zapper 2008-04-04 06:10:51 UTC
Fedora apologizes that these issues have not been resolved yet. We're
sorry it's taken so long for your bug to be properly triaged and acted
on. We appreciate the time you took to report this issue and want to
make sure no important bugs slip through the cracks.

If you're currently running a version of Fedora Core between 1 and 6,
please note that Fedora no longer maintains these releases. We strongly
encourage you to upgrade to a current Fedora release. In order to
refocus our efforts as a project we are flagging all of the open bugs
for releases which are no longer maintained and closing them.

If this bug is still open against Fedora Core 1 through 6, thirty days
from now, it will be closed 'WONTFIX'. If you can reporduce this bug in
the latest Fedora version, please change to the respective version. If
you are unable to do this, please add a comment to this bug requesting
the change.

Thanks for your help, and we apologize again that we haven't handled
these issues to this point.

The process we are following is outlined here:

We will be following the process here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping to ensure this
doesn't happen again.

And if you'd like to join the bug triage team to help make things
better, check out http://fedoraproject.org/wiki/BugZappers

Comment 6 Jerry James 2008-04-04 15:10:41 UTC
This was solved long ago as indicated in Comment #3.

Note You need to log in before you can comment on or make changes to this bug.