From: jason@perfinion.com (Jason Zaman)
Date: Sat, 12 Jul 2014 14:41:20 +0400
Subject: [refpolicy] Kerberized NFS
Message-ID: <20140712104048.GA22561@pippin.Home>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hi,

I use kerberized NFS and there are some issues in the policy. The
problem stems from caching the nfs ticket. When I run in permissive
mode, I kinit and klist shows the krbtgt as usual. When I then ls the
nfs dir i get a second ticket: nfs/hostname.perfinion.com at PERFINION.COM
and everything is fine and responsive.

When I run with enforcing mode I do not get that second ticket and i get
the following denial:

{ write } for  pid=22323 comm="rpc.gssd" path="/tmp/krb5cc_1000" dev="tmpfs"
ino=3528734 scontext=system_u:system_r:gssd_t
tcontext=staff_u:object_r:user_tmp_t tclass=file

and the second ticket never shows up in klist. This means that every
single access to the nfs share it has to get a new nfs ticket which adds
a long delay to everything.

I am not that familiar with how the kerberos parts of the policy works
so I thought asking here before sending patches is better.

What should the label be on /tmp/krb5cc_<uid>? The krb5ccmachine file
looks correct but user_tmp_t looks wrong. I found krb5_host_rcache_t in
the policy but that doesnt look right either, that should be server side
not client.

-rw-------.  1 jason users staff_u:object_r:user_tmp_t      1118 Jul 12
13:07 krb5cc_1000
-rw-------.  1 root  root  system_u:object_r:gssd_tmp_t     1207 Jul 12
09:29 krb5ccmachine_PERFINION.COM

Does anyone else use kerberized NFS with selinux and have any additions
to the policy that can be shared?

Thanks,
-- Jason
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 951 bytes
Desc: Digital signature
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20140712/ecdb77e9/attachment.bin