Description of problem: Running RHTS test /kernel/filesystems/nfs/nfs4-krb5 produces the following AVC denials.

Policy version: selinux-policy 2.4.6 126.el5

/sbin/ausearch -sv no -m AVC -m USER_AVC -m SELINUX_ERR -ts 4/3/2008 16:36:36
----
time->Thu Apr 3 16:36:44 2008
type=SYSCALL msg=audit(1207255004.191:1789): arch=14 syscall=5 success=no exit=-13 a0=8037160 a1=4c2 a2=180 a3=0 items=0 ppid=1 pid=15479 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc.gssd" exe="/usr/sbin/rpc.gssd" subj=system_u:system_r:gssd_t:s0 key=(null)
type=AVC msg=audit(1207255004.191:1789): avc: denied { write } for pid=15479 comm="rpc.gssd" name="coolkey" dev=dm-0 ino=15204776 scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:object_r:auth_cache_t:s0 tclass=dir

# audit2allow < /tmp/log
#============= gssd_t ==============
allow gssd_t auth_cache_t:dir write;

# sesearch --all -s gssd_t -t auth_cache_t
Found 2 av rules:
allow gssd_t auth_cache_t : file { ioctl read getattr lock };
allow gssd_t auth_cache_t : dir { getattr search };
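The audit2allow step from the report, reconstructed as an added example (not code from the report or from the selinux-policy package): it parses the AVC record above, subtracts the permissions the sesearch output already grants, and emits only the rule that is actually missing. AVC_LINE and EXISTING_RULES are constructed from the text of the report.

```python
import re

# Constructed sample: the AVC record quoted in the bug report (not a live audit log)
AVC_LINE = ('type=AVC msg=audit(1207255004.191:1789): avc: denied { write } for pid=15479 '
            'comm="rpc.gssd" name="coolkey" dev=dm-0 ino=15204776 '
            'scontext=system_u:system_r:gssd_t:s0 '
            'tcontext=system_u:object_r:auth_cache_t:s0 tclass=dir')

# Constructed: what "sesearch --all -s gssd_t -t auth_cache_t" already allows per the report
EXISTING_RULES = {
    ("gssd_t", "auth_cache_t", "file"): {"ioctl", "read", "getattr", "lock"},
    ("gssd_t", "auth_cache_t", "dir"): {"getattr", "search"},
}

# Pull the denied permission set and the source/target contexts out of one AVC record
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)')


def parse_avc(line):
    """Return source type, target type, object class and denied permissions, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # A context is user:role:type:level; the type is the third field
    stype = m.group("scon").split(":")[2]
    ttype = m.group("tcon").split(":")[2]
    return {"source": stype, "target": ttype, "tclass": m.group("tclass"),
            "perms": set(m.group("perms").split())}


def missing_rule(denial, existing):
    """Emit an allow rule only for permissions not already granted by the loaded policy."""
    key = (denial["source"], denial["target"], denial["tclass"])
    needed = denial["perms"] - existing.get(key, set())
    if not needed:
        return None
    perms = sorted(needed)
    body = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
    return "allow %s %s:%s %s;" % (key[0], key[1], key[2], body)


if __name__ == "__main__":
    print(missing_rule(parse_avc(AVC_LINE), EXISTING_RULES))
```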
What is gssd_t writing into the coolkey directory? Are you authenticating using coolkey?
Fixed in selinux-policy-2.4.6-128.el5
Change from read/write to manage.

Fixed in selinux-policy-2.4.6-131.el5
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2008-0465.html