Bug 157946 - nfsv4 kerberos fails with enforcing on
Summary: nfsv4 kerberos fails with enforcing on
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 4
Hardware: i386
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2005-05-17 11:54 UTC by Michael Young
Modified: 2007-11-30 22:11 UTC (History)

Fixed In Version: 1.25.4-10.1
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-09-15 15:56:01 UTC



Description Michael Young 2005-05-17 11:54:11 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050512 Fedora/1.0.4-2 Firefox/1.0.4

Description of problem:
With enforcing on, the mount
mount -t nfs4 -o sec=krb5,ro host:/path/to/mount /mnt/mnt
hangs with errors like
May 17 12:25:25 xxx rpc.gssd[1891]: ERROR: can't open clnt0/info: Permission denied
May 17 12:25:25 xxx rpc.gssd[1891]: ERROR: failed to read service info
May 17 12:25:25 xxx kernel: audit(1116329125.396:0): avc:  denied  { read } for  name=info dev=rpc_pipefs ino=2 scontext=system_u:system_r:gssd_t tcontext=system_u:object_r:rpc_pipefs_t tclass=file

With enforcing off it works with warnings

May 17 12:44:38 xxx kernel: audit(1116330278.901:0): avc:  denied  { read } for  name=info dev=rpc_pipefs ino=2 scontext=system_u:system_r:gssd_t tcontext=system_u:object_r:rpc_pipefs_t tclass=file
May 17 12:44:39 xxx kernel: audit(1116330279.045:0): avc:  denied  { setuid } for  capability=7 scontext=system_u:system_r:gssd_t tcontext=system_u:system_r:gssd_t tclass=capability

The file in question is /var/lib/nfs/rpc_pipefs/nfs/clnt0/info (clnt1-clnt3 at least are also possible).

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.23.14-2

How reproducible:
Always

Steps to Reproduce:
1. Try the above mount command

Additional info:
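An added triage helper, not part of this bug report or of the nfs-utils/selinux-policy code: it parses the two AVC denial lines quoted above (embedded here as constructed samples) and renders the type-enforcement allow rules they translate to, the same mapping audit2allow performs, so a policy maintainer can see exactly which accesses a policy update for gssd_t would have to grant.

```python
import re

# Constructed sample: the two AVC denials quoted in this bug report (permissive mode).
AVC_LINES = [
    "May 17 12:44:38 xxx kernel: audit(1116330278.901:0): avc:  denied  { read } for  "
    "name=info dev=rpc_pipefs ino=2 scontext=system_u:system_r:gssd_t "
    "tcontext=system_u:object_r:rpc_pipefs_t tclass=file",
    "May 17 12:44:39 xxx kernel: audit(1116330279.045:0): avc:  denied  { setuid } for  "
    "capability=7 scontext=system_u:system_r:gssd_t tcontext=system_u:system_r:gssd_t "
    "tclass=capability",
]

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")


def parse_avc(line):
    """Return {perms, sdomain, ttype, tclass, name} for one AVC denial, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # Trailing fields are key=value pairs; the type is the third colon field of a context.
    kv = dict(f.split("=", 1) for f in m.group("fields").split() if "=" in f)
    return {
        "perms": m.group("perms").split(),
        "sdomain": kv["scontext"].split(":")[2],
        "ttype": kv["tcontext"].split(":")[2],
        "tclass": kv["tclass"],
        "name": kv.get("name"),
    }


def allow_rule(rec):
    """Render the TE allow rule that would grant this access (what audit2allow proposes)."""
    # A denial against the process's own domain (e.g. a capability) is written as 'self'.
    target = "self" if rec["sdomain"] == rec["ttype"] else rec["ttype"]
    perms = " ".join(sorted(rec["perms"]))
    if len(rec["perms"]) > 1:
        perms = "{ " + perms + " }"
    return f"allow {rec['sdomain']} {target}:{rec['tclass']} {perms};"


def rules_for(lines):
    """Deduplicated allow rules for every denial in the log, in first-seen order."""
    # Each rule is a candidate for review, not an automatic fix: confirm the access is part
    # of the daemon's legitimate job (here gssd reading the upcall info file and switching
    # uid for the user's credential cache) before it goes into policy.
    rules = []
    for rec in filter(None, map(parse_avc, lines)):
        rule = allow_rule(rec)
        if rule not in rules:
            rules.append(rule)
    return rules
```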

Comment 1 Daniel Walsh 2005-05-18 11:42:08 UTC
Do you have any idea what executable it is trying to run that is setuid?

Dan

Comment 2 Michael Young 2005-05-18 14:48:44 UTC
There are 3 processes involved, the mount command, and the daemons rpc.idmapd
and rpc.gssd. From an strace of rpc.gssd while the mount command was run I can
see the call (in permissive mode)
setresuid32(-1,0,-1)=0
probably in utils/gssd/gssd_proc.c in the nfs-utils package if you want to look
at the code.

Comment 3 Daniel Walsh 2005-05-18 15:05:31 UTC
Fixed in selinux-policy-*-1.23.16-3
