Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 1512128 - Selinux prevents rpc.gssd and sshd from talking to the new SSSD kerberos key store [NEEDINFO]
Summary: Selinux prevents rpc.gssd and sshd from talking to the new SSSD kerberos key ...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 27
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-11-10 22:43 UTC by Jason Tibbitts
Modified: 2017-11-20 16:55 UTC (History)
6 users (show)

Fixed In Version: selinux-policy-3.13.1-283.16.fc27
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-11-20 16:55:37 UTC
lslebodn: needinfo? (lvrabec)


Attachments (Terms of Use)

Description Jason Tibbitts 2017-11-10 22:43:40 UTC
I'm doing some testing of F27 and have found that a combination of the new SSSD KCM feature and the selinux policy is breaking kerberized client NFS.  (Not sure about server NFS at this time but I would expect it to have similar problems.)

The only AVC in the audit log:

avc:  denied  { write } for  pid=1269 comm="rpc.gssd" name=".heim_org.h5l.kcm-socket" dev="tmpfs" ino=22250 scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:object_r:sssd_var_run_t:s0 tclass=sock_file permissive=1

(There are no other AVCs at all, but the system is still mostly unconfigured.)

Disabling selinux makes things work immediately, and does not result in any additional AVCs.

Comment 1 Jason Tibbitts 2017-11-10 22:59:21 UTC
Also, this is with current F27 updates-testing:

selinux-policy-3.13.1-283.14.fc27.noarch
sssd-1.16.0-2.fc27.x86_64
sssd-kcm-1.16.0-2.fc27.x86_64
nfs-utils-2.1.1-6.rc5.fc27.x86_64
gssproxy-0.7.0-12.fc27.x86_64
kernel-4.13.12-300.fc27.x86_64

Looking at the changelog for 283.15, I don't see anything which looks related but I will certainly try it out when it hits the repos.

Comment 2 Lukas Slebodnik 2017-11-13 14:17:27 UTC
I cannot see a problem why it should not be allowed.

Jasson,
is that only AVC which you can see in permissive mode?

if yes; then you can use custom policy for now.

sh# echo "(allow gssd_t sssd_var_run_t (sock_file (write)))" > /tmp/gssd-kcm.cil 
sh# semodule -i /tmp/gssd-kcm.cil
sh# rm -f /tmp/gssd-kcm.cil

Comment 3 Lukas Slebodnik 2017-11-13 14:19:47 UTC
Lukas,

I think we might introduce new macro to make it more clear what is a purpose.
because following line does not look nice to me:
   sssd_run_stream_connect(gssd_t)

maybe can_use_kerberos_kcm(gssd_t) ?

Comment 4 Jason Tibbitts 2017-11-13 21:23:32 UTC
That is indeed the only AVC that is seen in permissive mode.  So far I've just been using the result of audit2allow:

allow gssd_t sssd_var_run_t:sock_file write;

which seems semantically the same as what you suggest.  (Usually I use audit2allow -M whatever and then tell ansible to do semodule -i whatever.pp, but I'm hoping this can be fixed up officially before I have to go that far.)

Comment 5 Lukas Slebodnik 2017-11-15 10:57:01 UTC
(In reply to Jason Tibbitts from comment #4)
> That is indeed the only AVC that is seen in permissive mode.  So far I've
> just been using the result of audit2allow:
> 
> allow gssd_t sssd_var_run_t:sock_file write;
> 

That's equivalent of using gssd-kcm.cil.

> which seems semantically the same as what you suggest.  (Usually I use
> audit2allow -M whatever and then tell ansible to do semodule -i whatever.pp,
> but I'm hoping this can be fixed up officially before I have to go that far.)

Thank you very much for running in enforcing mode.
I'll try to contribute patch very soon.

Comment 6 Jason Tibbitts 2017-11-15 17:28:46 UTC
I'm not sure if this warrants a separate bug, but I happened to notice another AVC related to the SSSD KCM:

type=AVC msg=audit(1510696913.427:3141): avc:  denied  { write } for  pid=25547 comm="sshd" name=".heim_org.h5l.kcm-socket" dev="tmpfs" ino=22056 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_var_run_t:s0 tclass=sock_file permissive=0

I believe this happens when a user logs in via SSH using GSSAPI auth.  It does appear to forward the credentials OK (and store them in the KCM) so I'm not sure what, if anything, is broken by this.

I suspect there are several other KCM-related selinux issues around.  I'm not sure if the full set of things which will talk to it has been audited.  However, the can_use_kerberos_kcm() macro proposed earlier does make a good bit of sense.  (To me, at least.)

Comment 7 Jason Tibbitts 2017-11-15 18:52:12 UTC
An update: the above AVC for sshd_t writing to sshd_var_run_t does prevent sshd from creating the credential cache for the user.  So if I have no existing ccache on the machine, I can't log in via ssh because my home directory can't be mounted.

Even in permissive mode, there's just the one AVC.  I'll add it to my local overrides.

Comment 8 Fedora Update System 2017-11-16 15:10:43 UTC
selinux-policy-3.13.1-283.16.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-5178e6a393

Comment 9 Fedora Update System 2017-11-17 18:55:24 UTC
selinux-policy-3.13.1-283.16.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-5178e6a393

Comment 10 Fedora Update System 2017-11-20 16:55:37 UTC
selinux-policy-3.13.1-283.16.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.