Description of problem:
At regular intervals I receive the error message: SELinux prevented the gss daemon from reading unprivileged user temporary files. The setroubleshoot daemon reports that the error can be fixed by:

setsebool -P allow_gssd_read_tmp=1

This does not help. getsebool allow_gssd_read_tmp reports:

allow_gssd_read_tmp --> on

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.3.1-79.fc9.noarch

How reproducible:
Appears to be random. I have not yet found a way to reproduce the error. It does however appear a number of times a day.

Actual results:
error message + popup from setroubleshoot daemon

Expected results:
No error messages

Additional info:
I have a setup running with NFS4 and Kerberos. The following additional information is reported:

Source Context: system_u:system_r:gssd_t:s0
Target Context: unconfined_u:object_r:user_tmp_t:s0
Target Objects: ./krb5cc_501_CNkzep [ file ]
Source: rpc.gssd
Source Path: /usr/sbin/rpc.gssd
Port: <Unknown>
Host: travel.pheasant
Source RPM Packages: nfs-utils-1.1.2-2.fc9
Target RPM Packages:
Policy RPM: selinux-policy-3.3.1-79.fc9
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Enforcing
Plugin Name: allow_gssd_read_tmp
Host Name: travel.pheasant
Platform: Linux travel.pheasant 2.6.25.11-97.fc9.x86_64 #1 SMP Mon Jul 21 01:09:10 EDT 2008 x86_64 x86_64
Alert Count: 7
First Seen: Tue 29 Jul 2008 09:26:27 AM CEST
Last Seen: Tue 29 Jul 2008 02:19:40 PM CEST
Local ID: ab7e7fb7-f0f5-474b-9f19-7cde81979ec7
Line Numbers:

Raw Audit Messages:

host=travel.pheasant type=AVC msg=audit(1217333980.885:83): avc: denied { write } for pid=2380 comm="rpc.gssd" name="krb5cc_501_CNkzep" dev=dm-1 ino=24607 scontext=system_u:system_r:gssd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file

host=travel.pheasant type=SYSCALL msg=audit(1217333980.885:83): arch=c000003e syscall=2 success=no exit=-13 a0=7fffcfec2520 a1=2 a2=180 a3=0 items=0 ppid=1 pid=2380 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=501 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc.gssd" exe="/usr/sbin/rpc.gssd" subj=system_u:system_r:gssd_t:s0 key=(null)

Userid 501 is the one currently logged on to the Gnome desktop.
Does everything seem to be working correctly? I believe this is just the kerberos library doing wacky stuff. It checks whether the process has WRITE access to all files, and this would generate the AVC even though the rpc never tried to actually write to the file. So we can dontaudit the access.
You can allow this for now.

# audit2allow -M mypol -l -i /var/log/audit/audit.log
# semodule -i mypol.pp

Fixed in selinux-policy-3.3.1-81.fc9.noarch
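Added example (not part of this bug thread and not code from selinux-policy or audit2allow): the derivation that audit2allow performs on the AVC record quoted above, written out in plain Python so the two choices the maintainer mentions can be compared. It produces the allow module that the audit2allow command in the previous comment would generate, and the dontaudit variant (what audit2allow -D emits) that silences the message without granting the access. The first two sample records are the ones from this report; the third { read } record, the module names mypol and mypol_quiet, and the function names are constructed for illustration. Note that the boolean allow_gssd_read_tmp grants read access to user tmp files, while the permission denied here is write, which is why toggling it changed nothing.

```python
"""Derive a local SELinux policy module (allow or dontaudit) from raw AVC records.

Added example for this bug thread; it is not audit2allow's code. It also decodes
the paired SYSCALL record so you can see what the denied process actually asked for.
"""
import errno
import re
from collections import defaultdict

# Constructed sample log: the AVC and SYSCALL records quoted in the report, plus one
# hypothetical { read } denial (serial 84) for the same type pair to show merging.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1217333980.885:83): avc: denied { write } for pid=2380 comm="rpc.gssd" name="krb5cc_501_CNkzep" dev=dm-1 ino=24607 scontext=system_u:system_r:gssd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1217333980.885:83): arch=c000003e syscall=2 success=no exit=-13 a0=7fffcfec2520 a1=2 a2=180 a3=0 items=0 ppid=1 pid=2380 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=501 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc.gssd" exe="/usr/sbin/rpc.gssd" subj=system_u:system_r:gssd_t:s0 key=(null)
type=AVC msg=audit(1217334000.100:84): avc: denied { read } for pid=2380 comm="rpc.gssd" name="krb5cc_501_CNkzep" dev=dm-1 ino=24607 scontext=system_u:system_r:gssd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r'type=AVC\b.*?\bdenied\s*\{\s*(?P<perms>[^}]*?)\s*\}'
    r'.*?\bscontext=(?P<scontext>\S+)'
    r'.*?\btcontext=(?P<tcontext>\S+)'
    r'.*?\btclass=(?P<tclass>\S+)'
)
SYSCALL_RE = re.compile(
    r'type=SYSCALL\b.*?msg=audit\([\d.]+:(?P<serial>\d+)\)'
    r'.*?\barch=(?P<arch>[0-9a-f]+).*?\bsyscall=(?P<nr>\d+)'
    r'.*?\bexit=(?P<exit>-?\d+)'
    r'.*?\ba1=(?P<a1>[0-9a-f]+)\s+a2=(?P<a2>[0-9a-f]+)'
)

# Only the two entries this example needs; full tables live in the kernel headers.
LINUX_X86_64_SYSCALLS = {2: 'open', 257: 'openat'}
ACCESS_MODES = {0: 'O_RDONLY', 1: 'O_WRONLY', 2: 'O_RDWR'}  # low two bits of open flags on Linux


def type_of(context):
    """The type field of a user:role:type[:level] security context."""
    return context.split(':')[2]


def parse_denials(log_text):
    """Map (source_type, target_type, tclass) to the set of denied permissions."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            key = (type_of(m['scontext']), type_of(m['tcontext']), m['tclass'])
            denials[key].update(m['perms'].split())
    return dict(denials)


def fmt_perms(perms):
    """TE syntax: a single permission bare, several in braces."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'


def build_module(denials, name, dontaudit=False):
    """Render a .te source in the layout audit2allow uses.

    dontaudit=True emits rules that stop the denial being logged without granting
    the access; the failing syscall still returns EACCES exactly as before.
    """
    rule = 'dontaudit' if dontaudit else 'allow'
    types = sorted({t for src, tgt, _ in denials for t in (src, tgt)})
    class_perms = defaultdict(set)
    for (_, _, cls), perms in denials.items():
        class_perms[cls].update(perms)
    out = [f'module {name} 1.0;', '', 'require {']
    out += [f'\ttype {t};' for t in types]
    out += [f'\tclass {cls} {fmt_perms(class_perms[cls])};' for cls in sorted(class_perms)]
    out += ['}', '']
    out += [f'{rule} {src} {tgt}:{cls} {fmt_perms(perms)};'
            for (src, tgt, cls), perms in sorted(denials.items())]
    return '\n'.join(out) + '\n'


def describe_syscall(log_text, serial):
    """Decode the x86_64 SYSCALL record with the given audit serial, or None.

    For open the flags are a1, for openat a2; the access mode in the low bits
    shows whether the process really requested write access.
    """
    for line in log_text.splitlines():
        m = SYSCALL_RE.search(line)
        if not m or m['serial'] != serial or m['arch'] != 'c000003e':  # AUDIT_ARCH_X86_64
            continue
        nr, ex = int(m['nr']), int(m['exit'])
        name = LINUX_X86_64_SYSCALLS.get(nr, f'syscall {nr}')
        info = {'syscall': name, 'exit': ex, 'errno': errno.errorcode.get(-ex, '?')}
        if name in ('open', 'openat'):
            flags = int(m['a1'] if name == 'open' else m['a2'], 16)
            info['access_mode'] = ACCESS_MODES[flags & 3]
        return info
    return None


if __name__ == '__main__':
    found = parse_denials(SAMPLE_AUDIT_LOG)
    print(build_module(found, 'mypol'))
    print(build_module(found, 'mypol_quiet', dontaudit=True))
    print(describe_syscall(SAMPLE_AUDIT_LOG, '83'))
```

The .te text is compiled and loaded with checkmodule -M -m -o mypol.mod mypol.te, semodule_package -o mypol.pp -m mypol.mod and semodule -i mypol.pp, which is what the audit2allow -M invocation above does in one step. Before settling on the dontaudit form, look at what describe_syscall reports for the record in this report: the open was issued with O_RDWR and failed with EACCES (exit=-13), so a dontaudit rule hides the alert but leaves that failure in place; confirm the NFS4 mount still behaves with the rule loaded rather than assuming the library's fallback covers it.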
Applied, thanks for the prompt reply. I am really impressed. I was mainly worried about the fact that the recommended solution (set allow_gssd_read_tmp) did not work.
Just this week I got around to removing my local policy, as I have version 3.3.1-87.fc9 installed. I now have the alerts back. Is the fix really included in the latest policy? The changelog does not mention the fix, so it seems to have got lost?
Nope, there was a bug. Fixed in selinux-policy-3.3.1-92.fc9.noarch
Closing all bugs that have been in modified for over a month. Please reopen if the bug is not actually fixed.