Bug 228109 - avc: rpc.svcgssd write to kdc.conf
Summary: avc: rpc.svcgssd write to kdc.conf
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 6
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
URL:
Whiteboard: bzcl34nup
Depends On:
Blocks:
Reported: 2007-02-10 00:15 UTC by Jerry James
Modified: 2008-04-04 15:10 UTC (History)

Fixed In Version: selinux-policy-2.4.6-38
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-04-04 15:10:41 UTC
Type: ---
Embargoed:



Description Jerry James 2007-02-10 00:15:12 UTC
Description of problem:
I have a group of workstations using Kerberos + LDAP + NFS.  On the server, I am
getting an AVC denying rpc.svcgssd write access to
/var/kerberos/krb5kdc/kdc.conf.  I have no idea why it would need to write kdc.conf.

avc: denied { write } for comm="rpc.svcgssd" dev=dm-0 egid=0 euid=0
exe="/usr/sbin/rpc.svcgssd" exit=0 fsgid=0 fsuid=0 gid=0 items=0 name="kdc.conf"
pid=3344 scontext=system_u:system_r:gssd_t:s0 sgid=0
subj=system_u:system_r:gssd_t:s0 suid=0 tclass=file
tcontext=system_u:object_r:krb5kdc_conf_t:s0 tty=(none) uid=0

Version-Release number of selected component (if applicable):
selinux-policy-2.4.6-35.fc6

How reproducible:
Always

Steps to Reproduce:
1. Set up Kerberos
2.
3.
Actual results:
rpc.svcgssd is denied write access to kdc.conf

Expected results:
I expect that rpc.svcgssd doesn't need to write kdc.conf, but I don't know how
it is implemented.

Additional info:

Comment 1 Daniel Walsh 2007-02-12 15:37:53 UTC
Are you running in permissive mode?

The kerberos libraries are designed to check the access of all files that they
are managing/reading.  So when the library loads it checks whether it has write
access to kdc.conf.  This triggers the AVC.  We have reading of these
dontaudited, and I would have expected the library not to check the write if the
read failed, but in permissive mode it would have continued.  I will add a
dontaudit for the write to prevent the avc in the future.
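As an added worked example (not code from this bug report or from the selinux-policy package), the script below parses an AVC record like the one in the description into its subject type, target type, object class and permission set, and emits the matching dontaudit rule in the loadable-module (.te) form that audit2allow produces, which is the kind of fix Comment 1 describes. The module name and the one-line reflow of the AVC record are constructed for the example.

```python
import re

# Constructed sample: the AVC record from this report, reflowed onto one line.
SAMPLE_AVC = (
    'avc: denied { write } for comm="rpc.svcgssd" dev=dm-0 egid=0 euid=0 '
    'exe="/usr/sbin/rpc.svcgssd" exit=0 fsgid=0 fsuid=0 gid=0 items=0 name="kdc.conf" '
    'pid=3344 scontext=system_u:system_r:gssd_t:s0 sgid=0 '
    'subj=system_u:system_r:gssd_t:s0 suid=0 tclass=file '
    'tcontext=system_u:object_r:krb5kdc_conf_t:s0 tty=(none) uid=0'
)

_PERMS = re.compile(r'avc:\s+denied\s+\{\s*([^}]*)\}')   # the { perm ... } set
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')                 # key=value fields


def parse_avc(line):
    """Extract the fields a policy rule is built from: perms, types, class."""
    m = _PERMS.search(line)
    if not m:
        raise ValueError("not an AVC denial record")
    fields = {k: v.strip('"') for k, v in _KV.findall(line)}

    def type_of(ctx):
        # A context is user:role:type:level; only the type matters for rules.
        return ctx.split(':')[2]

    return {
        'perms': m.group(1).split(),          # handles { read write } too
        'stype': type_of(fields['scontext']),
        'ttype': type_of(fields['tcontext']),
        'tclass': fields['tclass'],
        'comm': fields.get('comm'),
    }


def dontaudit_rule(avc):
    """Silence the denial without granting it (an allow rule would grant it)."""
    return 'dontaudit %s %s:%s { %s };' % (
        avc['stype'], avc['ttype'], avc['tclass'], ' '.join(avc['perms']))


def policy_module(name, avc):
    """Minimal .te source: module header, require block, then the rule."""
    perms = ' '.join(avc['perms'])
    return '\n'.join([
        'module %s 1.0;' % name,
        'require {',
        '    type %s;' % avc['stype'],
        '    type %s;' % avc['ttype'],
        '    class %s { %s };' % (avc['tclass'], perms),
        '}',
        dontaudit_rule(avc),
    ])
```

The generated source is the input to checkmodule -M -m and semodule_package, and because the rule is dontaudit rather than allow, the write is still refused in enforcing mode; only the log entry disappears.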

Comment 2 Jerry James 2007-02-12 16:07:59 UTC
Yes, I am running in permissive mode.  Enforcing mode just wasn't working at all
when I first tried it.  However, since this is the only AVC I've gotten in the
last several days, it appears likely that you've fixed the other issues.  I'll
try enforcing mode again and see how it goes.  Thanks!

Comment 3 Daniel Walsh 2007-02-14 20:40:03 UTC
Should work fine in enforcing mode.  Please report any problems you see.

Dontaudit attempt to write in 
selinux-policy-2.4.6-38

Comment 4 Jerry James 2007-07-19 03:53:55 UTC
My main page told me to verify this, so I'm changing the status to "Verified"
(because it does work for me) and hoping that's really what I am supposed to do.
If I've made an error, whack me with a clue stick.

Comment 5 Bug Zapper 2008-04-04 06:10:51 UTC
Fedora apologizes that these issues have not been resolved yet. We're
sorry it's taken so long for your bug to be properly triaged and acted
on. We appreciate the time you took to report this issue and want to
make sure no important bugs slip through the cracks.

If you're currently running a version of Fedora Core between 1 and 6,
please note that Fedora no longer maintains these releases. We strongly
encourage you to upgrade to a current Fedora release. In order to
refocus our efforts as a project we are flagging all of the open bugs
for releases which are no longer maintained and closing them.
http://fedoraproject.org/wiki/LifeCycle/EOL

If this bug is still open against Fedora Core 1 through 6, thirty days
from now, it will be closed 'WONTFIX'. If you can reproduce this bug in
the latest Fedora version, please change to the respective version. If
you are unable to do this, please add a comment to this bug requesting
the change.

Thanks for your help, and we apologize again that we haven't handled
these issues to this point.

The process we are following is outlined here:
http://fedoraproject.org/wiki/BugZappers/F9CleanUp

We will be following the process here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping to ensure this
doesn't happen again.

And if you'd like to join the bug triage team to help make things
better, check out http://fedoraproject.org/wiki/BugZappers

Comment 6 Jerry James 2008-04-04 15:10:41 UTC
This was solved long ago as indicated in Comment #3.
