From: jason@perfinion.com (Jason Zaman) Date: Wed, 25 Mar 2015 10:24:44 +0800 Subject: [refpolicy] [PATCH 4/6] rpc: allow setgid capability In-Reply-To: <1427250286-27053-1-git-send-email-jason@perfinion.com> References: <1427250286-27053-1-git-send-email-jason@perfinion.com> Message-ID: <1427250286-27053-4-git-send-email-jason@perfinion.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com rpc.gssd needs to be able to setgid, otherwise using a kerberized nfs mount fails with permission denied. errors: rpc.gssd[22887]: WARNING: unable to drop supplimentary groups! rpc.gssd[22887]: WARNING: failed to change identity: Operation not permitted denials: type=AVC msg=audit(1427206637.030:9956): avc: denied { setgid } for pid=22887 comm="rpc.gssd" capability=6 scontext=system_u:system_r:gssd_t tcontext=system_u:system_r:gssd_t tclass=capability permissive=0 type=SYSCALL msg=audit(1427206637.030:9956): arch=c000003e syscall=116 success=no exit=-1 a0=0 a1=0 a2=5111a30e20 a3=31fc5672090 items=0 ppid=22763 pid=22887 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="rpc.gssd" exe="/usr/sbin/rpc.gssd" subj=system_u:system_r:gssd_t key=(null) --- rpc.te | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rpc.te b/rpc.te index e2ea2eb..de897fd 100644 --- a/rpc.te +++ b/rpc.te @@ -278,7 +278,7 @@ optional_policy(` # GSSD local policy # -allow gssd_t self:capability { dac_override dac_read_search setuid sys_nice }; +allow gssd_t self:capability { dac_override dac_read_search setuid setgid sys_nice }; allow gssd_t self:process { getsched setsched }; allow gssd_t self:fifo_file rw_fifo_file_perms; -- 2.0.5
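Review bot: The added `setgid` in the gssd_t capability rule matches the denial quoted above exactly (arch=c000003e syscall=116 is setgroups on x86_64, called here as setgroups(0, NULL) to drop supplementary groups, which requires CAP_SETGID), so this is the minimal grant for the failure described rather than a broader one. As a style point, the rest of the set is already alphabetical, so consider `{ dac_override dac_read_search setgid setuid sys_nice }` instead of appending `setgid` after `setuid`. The commit message could also say explicitly that the capability is needed for the identity change in rpc.gssd (the "failed to change identity" warning), since the log lines are the only place that currently explains why setgid and not some other permission is wanted.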