Fedora Account System
Red Hat Associate
Red Hat Customer
Based on an IRC discussion with Simo Sorce, the gssproxy-related SElinux policy will need to allow rpc.gssd (and perhaps other nfs-related daemons) to access the gssproxy socket(s). The following AVCs are reported currently when rpc.gssd attempts to contact gssproxy via the new default nfs socket, /run/gssproxy.sock: type=1400 audit(1371159191.236:3): avc: denied { write } for pid=337 comm="rpc.gssd" name="gssproxy.sock" dev="tmpfs" ino=13841 scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:object_r:gssproxy_var_run_t:s0 tclass=sock_file type=1400 audit(1371159191.236:4): avc: denied { connectto } for pid=337 comm="rpc.gssd" path="/run/gssproxy.sock" scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:system_r:gssproxy_t:s0 tclass=unix_stream_socket Running: selinux-policy-targeted-3.12.1-51.fc19.noarch gssproxy-0.2.3-5.fc19.x86_64 nfs-utils-1.2.8-2.0.fc19.x86_64 See also Bug #969512
edf5847a075a80de961c0a4aed4158733c18bc06 fixes this in git.
On an NFS client, it appears that rpc.gssd will also need write access to /var/lib/gssproxy/default.sock as per the updated default configuration. avc: denied { write } for pid=355 comm="rpc.gssd" name="default.sock" dev="sda2" ino=1179659 scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:object_r:gssproxy_var_lib_t:s0 tclass=sock_file
Upon further discussion with Simo Sorce on IRC, gssproxy currently uses the configured euid and socket to figure out which type of service ticket to process. This means that sysadmins will need to be able to define potentially arbitrary socket locations to distinguish between gssproxy configurations that run under the same euid. Perhaps it would be best to create a type "gssproxy_socket_t" with all the proper permissions {connectto,read,write,...} for services that use the sockets. For now and by default, the following socket locations should be labeled with "gssproxy_socket_t": /var/run/gssproxy.sock /var/lib/gssproxy/default.sock Right now, rpc.gssd needs /var/lib/gssproxy/default.sock and the kernel nfsd uses /var/run/gssproxy.sock As additional services are gssproxy-enabled, the default SELinux policy could add them to this label type, or sysadmins could manually add file contexts to their custom-located sockets to ensure proper gssproxy/SELinux behavior.
selinux-policy-3.12.1-54.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-54.fc19
Package selinux-policy-3.12.1-54.fc19: * should fix your issue, * was pushed to the Fedora 19 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-54.fc19' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2013-11355/selinux-policy-3.12.1-54.fc19 then log in and leave karma (feedback).
selinux-policy-3.12.1-54.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
Unfortunately, I still receive the following error with selinux-policy-targeted-3.12.1-54.fc19.noarch on the NFS client using gssproxy. avc: denied { write } for pid=341 comm="rpc.gssd" name="default.sock" dev="sda2" ino=1179659 scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:object_r:gssproxy_var_lib_t:s0 tclass=sock_file
fa2c579df113d0cd249f99cd81c5dba984cb2bf9 fixes this in git, You will be able to communicate with the socket in /var/lib or /var/run.
selinux-policy-3.12.1-59.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-59.fc19
Package selinux-policy-3.12.1-59.fc19: * should fix your issue, * was pushed to the Fedora 19 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-59.fc19' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2013-12373/selinux-policy-3.12.1-59.fc19 then log in and leave karma (feedback).
(In reply to Fedora Update System from comment #10) > Package selinux-policy-3.12.1-59.fc19: > * should fix your issue, > * was pushed to the Fedora 19 testing repository, > * should be available at your local mirror within two days. > Update it with: > # su -c 'yum update --enablerepo=updates-testing > selinux-policy-3.12.1-59.fc19' > as soon as you are able to. > Please go to the following url: > https://admin.fedoraproject.org/updates/FEDORA-2013-12373/selinux-policy-3. > 12.1-59.fc19 > then log in and leave karma (feedback). selinux-policy-3.12.1-59.fc19 does indeed resolve the SELinux denial with the gssproxy default configured socket at /var/lib/gssproxy/default.sock. Thank you.
selinux-policy-3.12.1-59.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.