Bug 974581 - SELinux, gssproxy, rpc.gssd
SELinux, gssproxy, rpc.gssd
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 19
Hardware: x86_64 Linux
Priority: unspecified  Severity: unspecified
Assigned To: Miroslav Grepl
Ben Levenson
: Reopened
Depends On:
Blocks:
Reported: 2013-06-14 09:31 EDT by Anthony Messina
Modified: 2013-07-06 21:33 EDT (History)

See Also:
Fixed In Version: selinux-policy-3.12.1-59.fc19
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-07-05 00:29:33 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Bugzilla 969512 None None None Never

Description Anthony Messina 2013-06-14 09:31:47 EDT
Based on an IRC discussion with Simo Sorce, the gssproxy-related SELinux policy will need to allow rpc.gssd (and perhaps other nfs-related daemons) to access the gssproxy socket(s).  The following AVCs are reported currently when rpc.gssd attempts to contact gssproxy via the new default nfs socket, /run/gssproxy.sock:

type=1400 audit(1371159191.236:3): avc:  denied  { write } for  pid=337 comm="rpc.gssd" name="gssproxy.sock" dev="tmpfs" ino=13841 scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:object_r:gssproxy_var_run_t:s0 tclass=sock_file

type=1400 audit(1371159191.236:4): avc:  denied  { connectto } for  pid=337 comm="rpc.gssd" path="/run/gssproxy.sock" scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:system_r:gssproxy_t:s0 tclass=unix_stream_socket

Running:
selinux-policy-targeted-3.12.1-51.fc19.noarch
gssproxy-0.2.3-5.fc19.x86_64
nfs-utils-1.2.8-2.0.fc19.x86_64

See also Bug #969512
Comment 1 Daniel Walsh 2013-06-15 06:54:17 EDT
edf5847a075a80de961c0a4aed4158733c18bc06 fixes this in git.
Comment 2 Anthony Messina 2013-06-19 13:53:38 EDT
On an NFS client, it appears that rpc.gssd will also need write access to /var/lib/gssproxy/default.sock as per the updated default configuration.

avc:  denied  { write } for  pid=355 comm="rpc.gssd" name="default.sock" dev="sda2" ino=1179659 scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:object_r:gssproxy_var_lib_t:s0 tclass=sock_file
Comment 3 Anthony Messina 2013-06-19 14:45:47 EDT
Upon further discussion with Simo Sorce on IRC, gssproxy currently uses the configured euid and socket to figure out which type of service ticket to process.  This means that sysadmins will need to be able to define potentially arbitrary socket locations to distinguish between gssproxy configurations that run under the same euid.

Perhaps it would be best to create a type "gssproxy_socket_t" with all the proper permissions {connectto,read,write,...} for services that use the sockets.

For now and by default, the following socket locations should be labeled with "gssproxy_socket_t":

/var/run/gssproxy.sock
/var/lib/gssproxy/default.sock

Right now, rpc.gssd needs /var/lib/gssproxy/default.sock and the kernel nfsd uses /var/run/gssproxy.sock.

As additional services are gssproxy-enabled, the default SELinux policy could add them to this label type, or sysadmins could manually add file contexts to their custom-located sockets to ensure proper gssproxy/SELinux behavior.
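As an added example (not part of this bug report or of the selinux-policy project), the following Python script parses the AVC denials quoted in the Description and comment 2 and collapses them into the per-type allow rules the policy has to carry, the same reduction audit2allow performs. It shows why the fix needs to cover both gssproxy_var_run_t and gssproxy_var_lib_t plus the connectto on gssproxy_t, rather than a single socket label.

```python
import re

# Constructed input: the three AVC denials quoted in this bug (Description and
# comment 2), copied as rpc.gssd produced them on the reporter's hosts.
AVC_LINES = [
    'type=1400 audit(1371159191.236:3): avc:  denied  { write } for  pid=337 '
    'comm="rpc.gssd" name="gssproxy.sock" dev="tmpfs" ino=13841 '
    'scontext=system_u:system_r:gssd_t:s0 '
    'tcontext=system_u:object_r:gssproxy_var_run_t:s0 tclass=sock_file',
    'type=1400 audit(1371159191.236:4): avc:  denied  { connectto } for  pid=337 '
    'comm="rpc.gssd" path="/run/gssproxy.sock" '
    'scontext=system_u:system_r:gssd_t:s0 '
    'tcontext=system_u:system_r:gssproxy_t:s0 tclass=unix_stream_socket',
    'avc:  denied  { write } for  pid=355 comm="rpc.gssd" name="default.sock" '
    'dev="sda2" ino=1179659 scontext=system_u:system_r:gssd_t:s0 '
    'tcontext=system_u:object_r:gssproxy_var_lib_t:s0 tclass=sock_file',
]

PERMS_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the policy-relevant fields of one AVC denial, or None."""
    m = PERMS_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    # A context is user:role:type:level; allow rules are written on the type.
    return {
        'perms': m.group(1).split(),
        'comm': fields.get('comm'),
        'target': fields.get('path') or fields.get('name'),
        'stype': fields['scontext'].split(':')[2],
        'ttype': fields['tcontext'].split(':')[2],
        'tclass': fields['tclass'],
    }

def allow_rules(lines):
    """Collapse denials into one allow rule per (source, target, class)."""
    needed = {}
    for d in filter(None, map(parse_avc, lines)):
        key = (d['stype'], d['ttype'], d['tclass'])
        needed.setdefault(key, set()).update(d['perms'])
    return sorted(
        'allow %s %s:%s { %s };' % (s, t, c, ' '.join(sorted(p)))
        for (s, t, c), p in needed.items()
    )
```

Running `allow_rules(AVC_LINES)` yields three rules, one per target type, which is the shape of the two git fixes referenced below rather than a blanket permissive domain.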
Comment 4 Fedora Update System 2013-06-19 17:32:27 EDT
selinux-policy-3.12.1-54.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-54.fc19
Comment 5 Fedora Update System 2013-06-20 14:03:03 EDT
Package selinux-policy-3.12.1-54.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-54.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-11355/selinux-policy-3.12.1-54.fc19
then log in and leave karma (feedback).
Comment 6 Fedora Update System 2013-06-23 02:28:01 EDT
selinux-policy-3.12.1-54.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Anthony Messina 2013-07-02 07:10:23 EDT
Unfortunately, I still receive the following error with selinux-policy-targeted-3.12.1-54.fc19.noarch on the NFS client using gssproxy.

avc:  denied  { write } for  pid=341 comm="rpc.gssd" name="default.sock" dev="sda2" ino=1179659 scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:object_r:gssproxy_var_lib_t:s0 tclass=sock_file
Comment 8 Daniel Walsh 2013-07-02 07:24:41 EDT
fa2c579df113d0cd249f99cd81c5dba984cb2bf9 fixes this in git.

You will be able to communicate with the socket in /var/lib or /var/run.
Comment 9 Fedora Update System 2013-07-03 15:50:23 EDT
selinux-policy-3.12.1-59.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-59.fc19
Comment 10 Fedora Update System 2013-07-04 22:14:03 EDT
Package selinux-policy-3.12.1-59.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-59.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-12373/selinux-policy-3.12.1-59.fc19
then log in and leave karma (feedback).
Comment 11 Anthony Messina 2013-07-05 00:29:33 EDT
(In reply to Fedora Update System from comment #10)
> Package selinux-policy-3.12.1-59.fc19:
> * should fix your issue,
> * was pushed to the Fedora 19 testing repository,
> * should be available at your local mirror within two days.
> Update it with:
> # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-59.fc19'
> as soon as you are able to.
> Please go to the following url:
> https://admin.fedoraproject.org/updates/FEDORA-2013-12373/selinux-policy-3.12.1-59.fc19
> then log in and leave karma (feedback).

selinux-policy-3.12.1-59.fc19 does indeed resolve the SELinux denial with the gssproxy default configured socket at /var/lib/gssproxy/default.sock.  Thank you.
Comment 12 Fedora Update System 2013-07-06 21:33:19 EDT
selinux-policy-3.12.1-59.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.