Automount fails due to rpc.gssd SELinux issues


Environment

  • Red Hat Enterprise Linux (RHEL) 7.5
  • nfs-utils-1.3.0-0.48.el7.x86_64
  • selinux-policy-3.13.1-166.el7.noarch

Issue

The IPA client automounter is not working on some systems. For example, when we add a key with:

# ipa automountkey-add default --key "*" --info "-fstype=nfs4,sec=krb5p,rw,soft,intr exampl.example:/home/&" auto.home
-----------------------
Added automount key "*"
-----------------------
Key: *
Mount information: -fstype=nfs4,sec=krb5p,rw,soft,intr exampl.example:/home/&

audit.log is filling up with:

type=AVC msg=audit(1538142587.564:960): avc:  denied  { write } for  pid=1209 comm="rpc.gssd" scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=key

We can work around it with setenforce 0, with audit2allow, or by starting /usr/sbin/rpc.gssd by hand instead of through systemctl.

Resolution

Update to selinux-policy-3.13.1-229.el7_6.9 shipped with Advisory RHBA-2019:0192 or newer.

Root Cause

Previously, an allow rule for the gssd_t type was missing from the SELinux policy. As a consequence, SELinux in enforcing mode occasionally prevented processes running as gssd_t from accessing the kernel keyrings of other processes, which could block, for example, sec=krb5 mounts. The rule has been added to the policy, and processes running as gssd_t are now able to access the keyrings of other processes.
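As an added example (not Red Hat's own tooling), the script below ties the Issue and Resolution sections together: it recognises the exact gssd_t keyring AVC quoted above in an audit log, compares an installed selinux-policy release against the fixed one, and asks sesearch whether the loaded policy already carries the allow rule. The function names, the built-in sample and the simplified version comparison are assumptions of this example.

```shell
#!/bin/sh
# Added checks for the rpc.gssd keyring AVC above (example, not Red Hat's own tooling).

FIXED_VER="3.13.1-229.el7_6.9"   # selinux-policy release shipping the gssd_t keyring rule (RHBA-2019:0192)
# The AVC record quoted in the article, used as built-in sample input.
SAMPLE='type=AVC msg=audit(1538142587.564:960): avc:  denied  { write } for  pid=1209 comm="rpc.gssd" scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=key'

# Return 0 when an audit record is the gssd_t -> key write denial from this article.
is_gssd_key_denial() {
  case "$1" in
    *'avc:  denied  { write }'*'comm="rpc.gssd"'*'scontext=system_u:system_r:gssd_t:'*'tclass=key'*) return 0 ;;
    *) return 1 ;;
  esac
}

# Count matching records on stdin (e.g. < /var/log/audit/audit.log).
count_gssd_key_denials() {
  n=0
  while IFS= read -r line; do
    is_gssd_key_denial "$line" && n=$((n + 1))
  done
  echo "$n"
}

# Compare two version-release strings segment by segment (numeric segments numerically,
# others lexically); prints -1, 0 or 1. Assumption: a simplified stand-in for rpm's
# own comparison that is sufficient for selinux-policy releases.
vercmp() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, /[^0-9A-Za-z]+/); nb = split(b, y, /[^0-9A-Za-z]+/)
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      p = x[i]; q = y[i]
      if (p == q) continue
      if (p ~ /^[0-9]+$/ && q ~ /^[0-9]+$/) r = (p + 0 < q + 0) ? -1 : 1; else r = (p < q) ? -1 : 1
      print r; exit
    }
    print 0
  }'
}

# Return 0 if the loaded policy already allows gssd_t to write unconfined_service_t keys
# (needs sesearch from setools-console); returns 2 when sesearch is not installed.
policy_has_rule() {
  command -v sesearch >/dev/null 2>&1 || return 2
  sesearch -A -s gssd_t -t unconfined_service_t -c key -p write 2>/dev/null | grep -q 'allow gssd_t'
}

echo "sample record is the gssd_t keyring denial: $(printf '%s\n' "$SAMPLE" | count_gssd_key_denials)"
```

On a real host, run `count_gssd_key_denials < /var/log/audit/audit.log` to see whether the denial is still occurring, and `vercmp "$(rpm -q --qf '%{VERSION}-%{RELEASE}' selinux-policy)" "$FIXED_VER"` (a result of -1 means the installed policy predates the fix).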
