This SELinux denial is strange as it does not happen on my x86_64 laptop with SSSD enabled, only the i686 one. This occurs when, using autofs, I attempt to connect to a Kerberos-enabled (sec=krb5p) NFSv4 mount. Also, all files under /var/lib/sss are already labeled with sssd_var_lib_t. No change after relabeling the whole system. I've included the additional details.

Source Context                system_u:system_r:gssd_t:s0
Target Context                system_u:object_r:sssd_var_lib_t:s0
Target Objects                kdcinfo.MESSINET.COM [ file ]
Source                        rpc.gssd
Source Path                   /usr/sbin/rpc.gssd
Port                          <Unknown>
Host                          mobile-ws2.chicago.messinet.com
Source RPM Packages           nfs-utils-1.2.1-4.fc12
Target RPM Packages
Policy RPM                    selinux-policy-3.6.32-66.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     mobile-ws2.chicago.messinet.com
Platform                      Linux mobile-ws2.chicago.messinet.com 2.6.31.9-174.fc12.i686.PAE #1 SMP Mon Dec 21 06:04:56 UTC 2009 i686 i686
Alert Count                   7
First Seen                    Mon Jan 18 13:16:09 2010
Last Seen                     Mon Jan 18 16:38:50 2010
Local ID                      21dce5d8-1d7c-4c86-bb4b-3cd550a372f3
Line Numbers

Raw Audit Messages

node=mobile-ws2.chicago.messinet.com type=AVC msg=audit(1263854330.102:22235): avc: denied { read } for pid=1014 comm="rpc.gssd" name="kdcinfo.MESSINET.COM" dev=dm-2 ino=134623 scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file

node=mobile-ws2.chicago.messinet.com type=SYSCALL msg=audit(1263854330.102:22235): arch=40000003 syscall=5 success=no exit=-13 a0=b77b7418 a1=8000 a2=0 a3=b77b55d0 items=0 ppid=1 pid=1014 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=503 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc.gssd" exe="/usr/sbin/rpc.gssd" subj=system_u:system_r:gssd_t:s0 key=(null)
Is there any reason rpc.gssd would be reading content in /var/lib/rpc.gssd? Other domains that will need this access?
kdcinfo.MESSINET.COM is under /var/lib/sss/pubconf and it is used by krb5 libraries when sssd is installed, as sssd drops in a locator plugin. Every process that uses krb5 libraries should be enabled to read /var/lib/sss/pubconf, just like every process that is allowed to call getpwnam() should be allowed to access /var/lib/sss/pipes/nss.
Created attachment 385426
Patch to allow kerberos apps to read files in /var/lib/sssd/pubconf

Miroslav, can you add this patch to F12?
Fixed in selinux-policy-3.6.32-72.fc12.noarch
selinux-policy-3.6.32-73.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-73.fc12
selinux-policy-3.6.32-73.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2010-0858
Fix confirmed with: selinux-policy-targeted-3.6.32-73.fc12.noarch
(In reply to comment #7)
> Fix confirmed with: selinux-policy-targeted-3.6.32-73.fc12.noarch

I must apologize for closing early... With the above mentioned version (on i686, not x86_64), the error changes to:

node=mobile-ws2.chicago.messinet.com type=AVC msg=audit(1264115946.257:31): avc: denied { search } for pid=1013 comm="rpc.gssd" name="pubconf" dev=dm-2 ino=135228 scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=dir

node=mobile-ws2.chicago.messinet.com type=SYSCALL msg=audit(1264115946.257:31): arch=40000003 syscall=5 success=no exit=-13 a0=1b9d498 a1=8000 a2=0 a3=1bbc008 items=0 ppid=1 pid=1013 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=503 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc.gssd" exe="/usr/sbin/rpc.gssd" subj=system_u:system_r:gssd_t:s0 key=(null)

~]# grep pubconf /var/log/audit/audit.log | audit2allow


#============= gssd_t ==============
allow gssd_t sssd_public_t:dir search;
(In reply to comment #8)
> ~]# grep pubconf /var/log/audit/audit.log | audit2allow
>
>
> #============= gssd_t ==============
> allow gssd_t sssd_public_t:dir search;

After putting in that temporary policy fix, I'm back to the original bug report:

node=mobile-ws2.chicago.messinet.com type=AVC msg=audit(1264117543.316:49): avc: denied { read } for pid=1013 comm="rpc.gssd" name="kdcinfo.MESSINET.COM" dev=dm-2 ino=134623 scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file

node=mobile-ws2.chicago.messinet.com type=SYSCALL msg=audit(1264117543.316:49): arch=40000003 syscall=5 success=no exit=-13 a0=1bbca38 a1=8000 a2=0 a3=1bbc6b8 items=0 ppid=1 pid=1013 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=503 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc.gssd" exe="/usr/sbin/rpc.gssd" subj=system_u:system_r:gssd_t:s0 key=(null)
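The two comments above show the usual diagnostic loop for this kind of denial: pull the AVC records for the object out of audit.log, let audit2allow translate them into allow rules, and load those as a temporary local module until the distribution policy is fixed. The following POSIX sh/awk script is an added example, not code from this bug or from the selinux-policy project; it reimplements that translation step on constructed sample lines (modelled on the denials quoted in this report) so the mapping from scontext/tcontext/tclass/permission to an allow rule, and to the require block a module source needs, is visible without a Fedora box. The module name local_gssd_sssd is an assumption.

```shell
#!/bin/sh
# Added example: turn AVC denial records into SELinux allow rules and a
# minimal policy module source (.te), the way audit2allow does.
# SAMPLE_AVC is constructed for this example, patterned on the gssd_t
# denials quoted in the bug; a SYSCALL record is included to show it is skipped.

SAMPLE_AVC='type=AVC msg=audit(1264115946.257:31): avc: denied { search } for pid=1013 comm="rpc.gssd" name="pubconf" dev=dm-2 ino=135228 scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=dir
type=AVC msg=audit(1264117543.316:49): avc: denied { read } for pid=1013 comm="rpc.gssd" name="kdcinfo.MESSINET.COM" dev=dm-2 ino=134623 scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file
type=SYSCALL msg=audit(1264117543.316:49): arch=40000003 syscall=5 success=no exit=-13'

# avc_to_allow: read audit records on stdin and print one allow rule per
# distinct (source type, target type, class, permission set) tuple.
avc_to_allow() {
  awk '
    # type_of: the third field of user:role:type:level is the SELinux type
    function type_of(ctx,   parts) { split(ctx, parts, ":"); return parts[3] }

    /type=AVC/ && /denied/ {
      perm = ""; src = ""; tgt = ""; cls = ""
      # the permission set sits between "{ " and " }"
      if (match($0, /[{] [^}]* [}]/)) {
        perm = substr($0, RSTART + 2, RLENGTH - 4)
      }
      for (i = 1; i <= NF; i++) {
        split($i, kv, "=")
        if (kv[1] == "scontext") src = type_of(kv[2])
        if (kv[1] == "tcontext") tgt = type_of(kv[2])
        if (kv[1] == "tclass")   cls = kv[2]
      }
      if (src != "" && tgt != "" && cls != "" && perm != "") {
        rule = "allow " src " " tgt ":" cls " { " perm " };"
        if (!(rule in seen)) { seen[rule] = 1; print rule }
      }
    }
  '
}

# make_te: wrap the rules from stdin into a module source with the require
# block (types and class/permission pairs) that checkmodule needs.
make_te() {
  modname="$1"
  rules=$(avc_to_allow)
  printf 'module %s 1.0;\n\nrequire {\n' "$modname"
  # every source and target type referenced by a rule
  printf '%s\n' "$rules" | awk '{ print $2; split($3, t, ":"); print t[1] }' \
    | sort -u | sed 's/.*/    type &;/'
  # every class with the union of permissions the rules ask for
  printf '%s\n' "$rules" | awk '{
      split($3, t, ":")
      n = split(substr($0, index($0, "{") + 2), p, " ")   # perms then "};"
      for (i = 1; i < n; i++)
        if (!((t[2], p[i]) in have)) { have[t[2], p[i]] = 1; perms[t[2]] = perms[t[2]] " " p[i] }
    }
    END { for (c in perms) printf "    class %s {%s };\n", c, perms[c] }' | sort
  printf '}\n\n%s\n' "$rules"
}

# Demonstration on the constructed sample; for real denials replace the
# printf with: grep pubconf /var/log/audit/audit.log
printf '%s\n' "$SAMPLE_AVC" | make_te local_gssd_sssd
```

Running it prints a module source whose rules are the two the reporter hit (`allow gssd_t sssd_public_t:dir { search };` and `allow gssd_t sssd_public_t:file { read };`), which is what `audit2allow -M local_gssd_sssd` would build and `semodule -i local_gssd_sssd.pp` would load. Read the generated rules before loading them: a denial says what the process tried, not whether it should be allowed, and as the rest of this thread shows, the durable fix belongs in the distribution policy (here, the kerberos_use() interface) rather than in a site-local allow.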
Karma updated.
Miroslav, gssd_read_config_files() needs to be removed from kerberos_use().
Fixed in selinux-policy-3.6.32-76.fc12.noarch
selinux-policy-3.6.32-73.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.