On 05/17/2018 09:12 PM, m.roth@xxxxxxxxx wrote:
> Folks,
>
> As systems are upgraded, we're getting a ton of complaints
> (fortunately, we're in permissive mode) that would break everything.
> All of them involve rpc.gssd, and I see a number of bugs listed when I
> search.
>
> Note that I first saw this on a RHEL system, but now I'm seeing it on
> CentOS 7. I'm bringing it up here, because, given that there are
> multiple reported, that there's some bigger picture involving policy
> and rpc.gssd.
>
> I'll note that some of the reported bugs were *closed last year, or
> before, so it seems to me an old issue resurfaced.
>
> Example.
> SELinux is preventing /usr/sbin/rpc.gssd from using the block_suspend
> capability.
>

Hi Mark,

While you won't send any logs, I'm not able to help you, but based on your example, it looks like a kernel bug affecting SELinux. The solution is to dontaudit this SELinux denial.

Also, what version of CentOS 7 are you using? CentOS 7.5?

To fix the block_suspend issue please follow these steps:

# yum install -y selinux-policy-devel
# cat << EOF > local_gssd_block_suspend.te
module local_gssd_block_suspend 1.0;

require {
	type gssd_t;
	class capability2 block_suspend;
}

#============= gssd_t ==============
dontaudit gssd_t self:capability2 block_suspend;
EOF
# make -f /usr/share/selinux/devel/Makefile local_gssd_block_suspend.pp
# semodule -i local_gssd_block_suspend.pp

Lukas.

> mark
> _______________________________________________
> selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx/message/6BOREIRXRQF2KAMZKHN5IAHDFT47U7LA/
>

-- 
Lukas Vrabec
Software Engineer, Security Technologies
Red Hat, Inc.
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx/message/MCOYHX7UZJAYY73AVFW2U7YCEKGTZYWG/
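As an added example, not code from the thread: a small Python script that turns captured AVC denial lines into a dontaudit module of the same shape as the one Lukas posted, while keeping the rule narrow so that an unrelated denial from the same daemon (here a keytab read) is not silenced along with it. The audit lines are constructed for the example; the function names are my own.

```python
import re

# Constructed sample audit lines (not taken from the thread): the first is the
# rpc.gssd block_suspend denial under discussion, the second an unrelated
# keytab read denial that a narrow dontaudit rule must NOT silence.
SAMPLE_AVC = """\
type=AVC msg=audit(1526584320.123:456): avc:  denied  { block_suspend } for  pid=1234 comm="rpc.gssd" scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:system_r:gssd_t:s0 tclass=capability2 permissive=1
type=AVC msg=audit(1526584321.456:457): avc:  denied  { read } for  pid=1234 comm="rpc.gssd" name="krb5.keytab" scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=file permissive=1
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\w+)"
)

def avc_denials(audit_text):
    """Parse AVC denial lines into dicts: source type, target type, class, perms."""
    found = []
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            found.append({
                "stype": m.group("scontext").split(":")[2],  # user:role:TYPE:level
                "ttype": m.group("tcontext").split(":")[2],
                "tclass": m.group("tclass"),
                "perms": m.group("perms").split(),
            })
    return found

def _perm_set(perms):
    perms = sorted(set(perms))
    return perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)

def dontaudit_module(name, denials, keep):
    """Render a .te module with one dontaudit rule per denial accepted by keep()."""
    selected = [d for d in denials if keep(d)]
    if not selected:
        raise ValueError("no denial matched the filter; nothing to silence")
    types = sorted({t for d in selected for t in (d["stype"], d["ttype"])})
    classes = {}
    for d in selected:
        classes.setdefault(d["tclass"], set()).update(d["perms"])
    lines = ["module %s 1.0;" % name, "", "require {"]
    lines += ["\ttype %s;" % t for t in types]
    lines += ["\tclass %s %s;" % (c, _perm_set(p)) for c, p in sorted(classes.items())]
    lines += ["}", ""]
    for d in selected:
        target = "self" if d["stype"] == d["ttype"] else d["ttype"]  # same type => self
        lines.append("dontaudit %s %s:%s %s;" % (d["stype"], target, d["tclass"], _perm_set(d["perms"])))
    return "\n".join(lines) + "\n"

def gssd_block_suspend_only(d):
    """Accept only the capability2 block_suspend denial raised by gssd_t."""
    return d["stype"] == "gssd_t" and d["tclass"] == "capability2" and d["perms"] == ["block_suspend"]

if __name__ == "__main__":
    print(dontaudit_module("local_gssd_block_suspend", avc_denials(SAMPLE_AVC), gssd_block_suspend_only))
```

On a real host the equivalent module comes from the audit log with `ausearch -m AVC | audit2allow -D -M local_gssd_block_suspend`; `semodule -DB` temporarily disables all dontaudit rules when you need to see the silenced events again.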