Re: C 7, selinux, and rpc.gssd

On 05/18/2018 04:37 PM, m.roth@xxxxxxxxx wrote:
> Lukas Vrabec <lvrabec@xxxxxxxxxx> wrote:
>> On 05/17/2018 09:12 PM, m.roth@xxxxxxxxx wrote:
>>>     As systems are upgraded, we're getting a ton of complaints
>>> (fortunately, we're in permissive mode) that would break everything.
>>> All of them involve rpc.gssd, and I see a number of bugs listed when I
>>> search.
>>>
>>>     Note that I first saw this on a RHEL system, but now I'm seeing it on
>>> CentOS 7. I'm bringing it up here because, given that there are
>>> multiple reports, it seems there's some bigger picture involving policy
>>> and rpc.gssd.
>>>
>>>     I'll note that some of the reported bugs were closed last year, or
>>> before, so it seems to me an old issue resurfaced.
>>>
>>> Example.
>>> SELinux is preventing /usr/sbin/rpc.gssd from using the block_suspend
>>> capability.
>>
>> While you won't send any logs, I'm not able to help you, but based on
>> your example, it looks like a kernel bug affecting SELinux. The solution
>> is to dontaudit this SELinux denial.
>>
>> Also, what version of Centos 7 are you using? Centos 7.5?
>>
> One system is
> LSB Version:	:core-4.1-amd64:core-4.1-noarch
> Distributor ID:	RedHatEnterpriseWorkstation
> Description:	Red Hat Enterprise Linux Workstation release 7.5 (Maipo)
> Release:	7.5
> Codename:	Maipo
> 
> Another is
> LSB Version:	:core-4.1-amd64:core-4.1-noarch
> Distributor ID:	CentOS
> Description:	CentOS Linux release 7.5.1804 (Core)
> Release:	7.5.1804
> Codename:	Core
> 
> What logs do you usually want, the results of running sealert? From that,
> I see, on the CentOS 7.5 system:
> excerpt:
> Raw Audit Messages
> type=AVC msg=audit(1526626994.989:9622): avc:  denied  { block_suspend }
> for  pid=901 comm="rpc.gssd" capability=36 
> scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:system_r:gssd_t:s0
> tclass=capability2
> 
> And on the RHEL system:
> Raw Audit Messages
> type=AVC msg=audit(1526626926.76:162255): avc:  denied  { block_suspend }
> for  pid=1218 comm="rpc.gssd" capability=36 
> scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:system_r:gssd_t:s0
> tclass=capability2
> 
> So, same policy, and same denials. Note that the RHEL system is set for
> enforcing, while the CentOS system is permissive.
> 
>        mark
> 


Hi Mark,

The workaround from my previous mail should fix your issue.

Lukas.

-- 
Lukas Vrabec
Software Engineer, Security Technologies
Red Hat, Inc.
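The fix discussed in the thread is a dontaudit rule for the `gssd_t` denial on `block_suspend`. The following is an added example, not code from the thread or from the SELinux project: it parses raw AVC audit lines (the two denials quoted above, re-joined onto single lines as they appear in `/var/log/audit/audit.log`, are embedded as constructed sample input), derives the matching dontaudit rule, and emits a minimal policy module source. The function names `parse_avc`, `dontaudit_rules` and `policy_module`, and the module name `local_gssd_quiet`, are this example's own choices.

```python
import re

# Constructed sample input: the two AVC denials quoted in the thread, each
# re-joined onto one line as audit.log would record it.
SAMPLE_AUDIT_LINES = [
    'type=AVC msg=audit(1526626994.989:9622): avc:  denied  { block_suspend } '
    'for  pid=901 comm="rpc.gssd" capability=36 '
    'scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:system_r:gssd_t:s0 '
    'tclass=capability2',
    'type=AVC msg=audit(1526626926.76:162255): avc:  denied  { block_suspend } '
    'for  pid=1218 comm="rpc.gssd" capability=36 '
    'scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:system_r:gssd_t:s0 '
    'tclass=capability2',
]

# Matches the fixed AVC prefix and captures the permission set and the
# trailing key=value fields.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+(?P<result>denied|granted)\s+'
    r'\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$'
)
# key=value pairs; values may be double-quoted (comm="rpc.gssd").
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for an AVC record, or None for any other audit line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    return {
        'result': m.group('result'),
        'perms': m.group('perms').split(),
        'comm': fields.get('comm'),
        'pid': int(fields['pid']) if 'pid' in fields else None,
        'scontext': fields.get('scontext'),
        'tcontext': fields.get('tcontext'),
        'tclass': fields.get('tclass'),
    }


def context_type(ctx):
    """Extract the type field from a user:role:type:level security context."""
    return ctx.split(':')[2]


def dontaudit_rules(records):
    """Collapse denied records into one dontaudit rule per (source, target, class)."""
    rules = {}
    for r in records:
        if r['result'] != 'denied':
            continue
        src, tgt = context_type(r['scontext']), context_type(r['tcontext'])
        # A process acting on its own context is written as 'self' in policy.
        key = (src, 'self' if src == tgt else tgt, r['tclass'])
        rules.setdefault(key, set()).update(r['perms'])
    out = []
    for (src, tgt, cls), perms in rules.items():
        plist = ' '.join(sorted(perms))
        if len(perms) > 1:
            plist = '{ ' + plist + ' }'
        out.append(f'dontaudit {src} {tgt}:{cls} {plist};')
    return out


def policy_module(name, records, version='1.0'):
    """Build .te source: module header, require block, then the dontaudit rules."""
    denied = [r for r in records if r['result'] == 'denied']
    types = sorted({context_type(r['scontext']) for r in denied}
                   | {context_type(r['tcontext']) for r in denied})
    classes = {}
    for r in denied:
        classes.setdefault(r['tclass'], set()).update(r['perms'])
    lines = [f'module {name} {version};', '', 'require {']
    lines += [f'\ttype {t};' for t in types]
    lines += [f'\tclass {c} {{ {" ".join(sorted(p))} }};'
              for c, p in sorted(classes.items())]
    lines += ['}', '']
    lines += dontaudit_rules(denied)
    return '\n'.join(lines) + '\n'


if __name__ == '__main__':
    records = [r for r in map(parse_avc, SAMPLE_AUDIT_LINES) if r]
    print(policy_module('local_gssd_quiet', records), end='')
```

The generated `.te` source is compiled and loaded with the standard toolchain (`checkmodule -M -m -o local_gssd_quiet.mod local_gssd_quiet.te`, `semodule_package -o local_gssd_quiet.pp -m local_gssd_quiet.mod`, `semodule -i local_gssd_quiet.pp`); `audit2allow -D` produces the same kind of rule directly from audit.log. Two points worth checking before deploying: a dontaudit rule only silences the log entry, so on the enforcing RHEL host the capability is still denied, which is exactly the intent when the denial is considered harmless; and dontaudit rules can be temporarily disabled with `semodule -DB` if the denial ever needs to be seen again while debugging.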


_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx/message/Y4FATBNSP66TFS3IEM75ACFD6DZ5X65F/
