Bug 440685 - AVC denial for RHTS test /kernel/filesystems/nfs/nfs4-krb5
AVC denial for RHTS test /kernel/filesystems/nfs/nfs4-krb5
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy (Show other bugs)
All Linux
low Severity low
: rc
: ---
Assigned To: Daniel Walsh
Depends On:
  Show dependency treegraph
Reported: 2008-04-04 10:17 EDT by Eduard Benes
Modified: 2008-05-21 12:43 EDT (History)
0 users

See Also:
Fixed In Version: RHBA-2008-0465
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2008-05-21 12:43:30 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Eduard Benes 2008-04-04 10:17:20 EDT
Description of problem:
Running RHTS test /kernel/filesystems/nfs/nfs4-krb5 produces following AVC 

Policy version:
  selinux-policy 	2.4.6 	126.el5

/sbin/ausearch -sv no -m AVC -m USER_AVC -m SELINUX_ERR -ts 4/3/2008 16:36:36
time->Thu Apr  3 16:36:44 2008
type=SYSCALL msg=audit(1207255004.191:1789): arch=14 syscall=5 success=no exit=-
13 a0=8037160 a1=4c2 a2=180 a3=0 items=0 ppid=1 pid=15479 auid=4294967295 uid=0 
gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 
comm="rpc.gssd" exe="/usr/sbin/rpc.gssd" subj=system_u:system_r:gssd_t:s0 
type=AVC msg=audit(1207255004.191:1789): avc:  denied  { write } for  pid=15479 
comm="rpc.gssd" name="coolkey" dev=dm-0 ino=15204776 
scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:object_r:auth_cache_t:s0 

# audit2allow < /tmp/log 

#============= gssd_t ==============
allow gssd_t auth_cache_t:dir write;

# sesearch --all -s gssd_t -t auth_cache_t 
Found 2 av rules:
   allow gssd_t auth_cache_t : file { ioctl read getattr lock }; 
   allow gssd_t auth_cache_t : dir { getattr search };
Comment 1 Daniel Walsh 2008-04-06 07:19:40 EDT
What is gssd_t writing into the coolkey directory,  Are you authenticating using
Comment 2 Daniel Walsh 2008-04-07 22:13:20 EDT
Fixed in selinux-policy-2.4.6-128.el5
Comment 7 Daniel Walsh 2008-04-14 10:58:02 EDT
Change from read/write to manage

Fixed in selinux-policy-2.4.6-131.el5	
Comment 11 errata-xmlrpc 2008-05-21 12:43:30 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.


Note You need to log in before you can comment on or make changes to this bug.