Bug 704261 - avc: denied { getattr } for pid=1142 comm="rpc.gssd" path="/tmp/krb5cc_1744_Gfgmsi1529" dev=tmpfs ino=13247 scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:object_r:sshd_tmp_t:s0 tclass=file
Keywords:
Status: CLOSED NEXTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Daniel Walsh
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2011-05-12 15:40 UTC by Orion Poplawski
Modified: 2011-05-13 08:54 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-05-13 08:54:24 UTC
Target Upstream Version:



Description Orion Poplawski 2011-05-12 15:40:47 UTC
Description of problem:

I'm using ssh kerberos ticket forwarding. rpc.gssd is not able to read my kerberos ticket cache:

type=AVC msg=audit(1305214340.580:25): avc:  denied  { getattr } for  pid=1142 comm="rpc.gssd" path="/tmp/krb5cc_1744_Gfgmsi1529" dev=tmpfs ino=13247 scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:object_r:sshd_tmp_t:s0 tclass=file

[root@vmsl6 ~]# getsebool -a | grep gss
allow_gssd_read_tmp --> on
[root@vmsl6 ~]# restorecon -r -v /tmp

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-54.el6_0.5.noarch

If I run kinit, the new ticket cache gets created with user_tmp_t permissions and everything works.
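The denial quoted in the report is a Linux audit AVC record. The following Python is an added example, not part of this bug report or of selinux-policy: it parses AVC records into their fields (timestamp, serial, permissions, source and target context split into user/role/type/level) and applies the triage the thread arrives at, namely that a krb5cc file under /tmp which gssd_t cannot read and which is not labeled user_tmp_t is a labeling problem, while a denial on a user_tmp_t file points at the allow_gssd_read_tmp boolean instead. The second and third sample lines, the `EXPECTED_CACHE_TYPES` rule and all function names are constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input. The first line is the denial quoted in the bug
# report; the second is a made-up record of the same shape with the cache
# labeled user_tmp_t, to exercise the other triage branch; the third is a
# non-AVC record that the parser must skip.
SAMPLE_LINES = [
    'type=AVC msg=audit(1305214340.580:25): avc:  denied  { getattr } for  pid=1142 '
    'comm="rpc.gssd" path="/tmp/krb5cc_1744_Gfgmsi1529" dev=tmpfs ino=13247 '
    'scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:object_r:sshd_tmp_t:s0 '
    'tclass=file',
    'type=AVC msg=audit(1305214400.123:31): avc:  denied  { read } for  pid=1142 '
    'comm="rpc.gssd" path="/tmp/krb5cc_1744_example" dev=tmpfs ino=13300 '
    'scontext=system_u:system_r:gssd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 '
    'tclass=file',
    'type=SYSCALL msg=audit(1305214340.580:25): arch=c000003e syscall=4 success=no',
]

# Shape of an AVC record: header with timestamp:serial, result, {perms}, then key=value pairs.
AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): '
    r'avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$'
)
# key=value pairs; values are either quoted strings or runs of non-space characters.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def split_context(ctx: str) -> dict:
    """Split user:role:type:level; maxsplit=3 keeps MLS ranges like s0:c0.c1023 intact."""
    user, role, type_, level = ctx.split(":", 3)
    return {"user": user, "role": role, "type": type_, "level": level}


@dataclass
class AvcRecord:
    timestamp: float
    serial: int
    result: str
    perms: frozenset
    fields: dict

    @property
    def source(self) -> dict:
        return split_context(self.fields["scontext"])

    @property
    def target(self) -> dict:
        return split_context(self.fields["tcontext"])

    @property
    def path(self) -> Optional[str]:
        return self.fields.get("path")


def parse_avc(line: str) -> Optional[AvcRecord]:
    """Return the parsed record, or None if the line is not an AVC record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return AvcRecord(
        timestamp=float(m.group("ts")),
        serial=int(m.group("serial")),
        result=m.group("result"),
        perms=frozenset(m.group("perms").split()),
        fields=fields,
    )


def parse_audit_log(lines) -> List[AvcRecord]:
    """Parse every AVC record in an iterable of audit log lines, skipping other record types."""
    return [r for r in map(parse_avc, lines) if r is not None]


# Assumption taken from the thread: with allow_gssd_read_tmp on, gssd_t could
# read a cache labeled user_tmp_t but not one labeled sshd_tmp_t.
EXPECTED_CACHE_TYPES = frozenset({"user_tmp_t"})


def triage(rec: AvcRecord, expected_types=EXPECTED_CACHE_TYPES) -> str:
    """Classify a gssd_t denial on a Kerberos credential cache under /tmp."""
    if rec.result != "denied":
        return "no-action"
    if rec.source["type"] != "gssd_t" or not (rec.path or "").startswith("/tmp/krb5cc_"):
        return "other"
    if rec.target["type"] in expected_types:
        # Label is the expected one, so the boolean is the thing to check
        # (getsebool allow_gssd_read_tmp), not the file.
        return "check-boolean"
    # The cache carries a type gssd_t is not allowed to read: the file needs
    # relabeling, or the rule that created it with that type needs fixing.
    return "relabel"


if __name__ == "__main__":
    for rec in parse_audit_log(SAMPLE_LINES):
        print(rec.serial, rec.path, rec.target["type"], sorted(rec.perms), triage(rec))
```

Run against a real `/var/log/audit/audit.log` by feeding the file's lines to `parse_audit_log`; records of other types (SYSCALL, PATH, CWD) are skipped rather than raising, so the parser can be pointed at a whole log.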

Comment 2 Miroslav Grepl 2011-05-12 16:28:33 UTC
This should be fixed in the latest RHEL6 policy. 

http://people.redhat.com/dwalsh/SELinux/RHEL6/noarch/

Comment 3 Orion Poplawski 2011-05-12 17:07:45 UTC
Confirmed.  Files get created with user_tmp_t:

-rw-------. orion cora unconfined_u:object_r:user_tmp_t:s0 krb5cc_1744_wMvNpY4397

Thanks.

Comment 4 RHEL Program Management 2011-05-13 06:00:52 UTC
Since RHEL 6.1 External Beta has begun, and this bug remains
unresolved, it has been rejected as it is not proposed as
exception or blocker.

Red Hat invites you to ask your support representative to
propose this request, if appropriate and relevant, in the
next release of Red Hat Enterprise Linux.

Comment 5 Miroslav Grepl 2011-05-13 08:54:24 UTC
Great.

