Bug 457043 - SELinux prevented the gss daemon from reading unprivileged user temporary files.
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Platform: All Linux
Priority: low
Severity: low
Assigned To: Daniel Walsh
Ben Levenson
Reported: 2008-07-29 08:31 EDT by Louis Lagendijk
Modified: 2008-11-17 17:05 EST
Last Closed: 2008-11-17 17:05:18 EST
Doc Type: Bug Fix
Description Louis Lagendijk 2008-07-29 08:31:25 EDT
Description of problem:
At regular intervals I receive the error message:

SELinux prevented the gss daemon from reading unprivileged user temporary files.

The setroubleshoot daemon reports that the error can be fixed by:
setsebool -P allow_gssd_read_tmp=1
This does not help.
getsebool allow_gssd_read_tmp
reports: allow_gssd_read_tmp --> on

Version-Release number of selected component (if applicable):

How reproducible:
Appears to be random. I have not yet found a way to reproduce the error. It does
however appear a number of times a day.
Actual results:
error message + popup from setroubleshoot daemon

Expected results:
No error messages

Additional info:
Comment 1 Louis Lagendijk 2008-07-29 08:33:44 EDT
I have a setup running with NFS4 and Kerberos. The following additional
information is reported:
Source Context: system_u:system_r:gssd_t:s0
Target Context: unconfined_u:object_r:user_tmp_t:s0
Target Objects: ./krb5cc_501_CNkzep [ file ]
Source: rpc.gssd
Source Path: /usr/sbin/rpc.gssd
Port: <Unknown>
Host: travel.pheasant
Source RPM Packages: nfs-utils-1.1.2-2.fc9
Target RPM Packages:
Policy RPM: selinux-policy-3.3.1-79.fc9
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Enforcing
Plugin Name: allow_gssd_read_tmp
Host Name: travel.pheasant
Platform: Linux travel.pheasant #1 SMP Mon Jul 21 01:09:10 EDT 2008 x86_64 x86_64
Alert Count: 7
First Seen: Tue 29 Jul 2008 09:26:27 AM CEST
Last Seen: Tue 29 Jul 2008 02:19:40 PM CEST
Local ID: ab7e7fb7-f0f5-474b-9f19-7cde81979ec7
Line Numbers:

Raw Audit Messages:
host=travel.pheasant type=AVC msg=audit(1217333980.885:83): avc: denied { write } for pid=2380 comm="rpc.gssd" name="krb5cc_501_CNkzep" dev=dm-1 ino=24607 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
host=travel.pheasant type=SYSCALL msg=audit(1217333980.885:83): arch=c000003e syscall=2 success=no exit=-13 a0=7fffcfec2520 a1=2 a2=180 a3=0 items=0 ppid=1 pid=2380 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=501 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc.gssd" exe="/usr/sbin/rpc.gssd" subj=system_u:system_r:gssd_t:s0 key=(null)

Userid 501 is the one currently logged on to the Gnome desktop.
Comment 2 Daniel Walsh 2008-07-29 11:02:45 EDT
Does everything seem to be working correctly?  

I believe this is just the kerberos library doing wacky stuff.  It checks
whether the process has WRITE access to all files, and this would generate the
AVC even though the rpc never tried to actually write to the file.  So we can
dontaudit the access.
Comment 3 Daniel Walsh 2008-07-29 11:32:50 EDT
You can allow this for now.

# audit2allow -M mypol -l -i /var/log/audit/audit.log
# semodule -i mypol.pp

Fixed in selinux-policy-3.3.1-81.fc9.noarch
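As an added example (not code from this bug report, from setroubleshoot, or from the selinux-policy package), the script below parses the two raw audit records from comment 1, pairs them by audit serial, and decodes the open(2) flags from the SYSCALL record: rpc.gssd asked for O_RDWR on the credential cache, which is why SELinux logged a write permission even though nothing was written, as comment 2 explains. It then builds the dontaudit rule that comment 2 describes, in contrast to the allow rule that the audit2allow invocation in comment 3 generates. The record text is embedded as a constructed sample; the syscall-number and flag tables are assumptions that cover x86_64 only.

```python
import re

# Constructed sample: the two raw audit records quoted in comment 1, reflowed to one line each.
SAMPLE_AUDIT = """\
host=travel.pheasant type=AVC msg=audit(1217333980.885:83): avc: denied { write } for pid=2380 comm="rpc.gssd" name="krb5cc_501_CNkzep" dev=dm-1 ino=24607 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
host=travel.pheasant type=SYSCALL msg=audit(1217333980.885:83): arch=c000003e syscall=2 success=no exit=-13 a0=7fffcfec2520 a1=2 a2=180 a3=0 items=0 ppid=1 pid=2380 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=501 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc.gssd" exe="/usr/sbin/rpc.gssd" subj=system_u:system_r:gssd_t:s0 key=(null)
"""

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')           # key=value or key="quoted value"
AVC = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}')
SERIAL = re.compile(r'msg=audit\(\d+\.\d+:(\d+)\)')   # the serial ties an AVC record to its SYSCALL record
X86_64 = 'c000003e'                                   # assumption: only the x86_64 audit arch is decoded
OPEN_FLAGS = {0: 'O_RDONLY', 1: 'O_WRONLY', 2: 'O_RDWR'}  # O_ACCMODE bits of the a1 (flags) argument

def parse_record(line):
    """Turn one audit line into a dict; the AVC decision and permission list get their own keys."""
    rec = {k: v.strip('"') for k, v in FIELD.findall(line)}
    m = SERIAL.search(line)
    rec['serial'] = m.group(1) if m else None
    m = AVC.search(line)
    if m:
        rec['decision'], rec['perms'] = m.group(1), m.group(2).split()
    return rec

def group_events(text):
    """Group records by audit serial: {serial: {record type: record}}."""
    events = {}
    for line in filter(str.strip, text.splitlines()):
        rec = parse_record(line)
        events.setdefault(rec['serial'], {})[rec.get('type', '?')] = rec
    return events

def describe(event):
    """Explain one denial: which domain, which target, which permission, and how the file was opened."""
    avc, sc = event['AVC'], event.get('SYSCALL', {})
    # The sample AVC record carries no scontext, so fall back to subj= from the SYSCALL record.
    desc = {'subject': avc.get('scontext') or sc.get('subj'), 'target': avc['tcontext'],
            'tclass': avc['tclass'], 'perms': avc['perms'], 'name': avc.get('name')}
    # On x86_64, syscall 2 is open(2); a1 holds the flags, whose low two bits are the access mode.
    if sc.get('arch') == X86_64 and sc.get('syscall') == '2':
        desc['open_mode'] = OPEN_FLAGS[int(sc['a1'], 16) & 3]
    return desc

def dontaudit_rule(desc):
    """The dontaudit rule that silences this AVC without granting the access (the approach in comment 2)."""
    src, tgt = desc['subject'].split(':')[2], desc['target'].split(':')[2]
    return 'dontaudit %s %s:%s { %s };' % (src, tgt, desc['tclass'], ' '.join(desc['perms']))

if __name__ == '__main__':
    for serial, ev in group_events(SAMPLE_AUDIT).items():
        d = describe(ev)
        print(serial, d['subject'], '->', d['target'], d['perms'], d.get('open_mode'))
        print(dontaudit_rule(d))
```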
Comment 4 Louis Lagendijk 2008-07-29 11:44:35 EDT
Applied, thanks for the prompt reply. I am really impressed.
I was mainly worried about the fact that the recommended solution (set
allow_gssd_read_tmp) did not work.
Comment 5 Louis Lagendijk 2008-09-17 14:49:39 EDT
Just this week I got around to removing my local policy, as I have version 3.3.1-87.fc9 installed. I now have the alerts back. Is the fix really included in the latest policy? The changelog does not mention the fix, so it seems to have got lost?
Comment 6 Daniel Walsh 2008-09-18 16:47:02 EDT
Nope, there was a bug.

Fixed in selinux-policy-3.3.1-92.fc9.noarch
Comment 7 Daniel Walsh 2008-11-17 17:05:18 EST
Closing all bugs that have been in modified for over a month.  Please reopen if the bug is not actually fixed.
