On 05/17/2018 09:12 PM, m.roth(a)5-cent.us wrote:
Folks,
As systems are upgraded, we're getting a ton of complaints
(fortunately, we're in permissive mode) that would break everything.
All of them involve rpc.gssd, and I see a number of bugs listed when I
search.
Note that I first saw this on a RHEL system, but now I'm seeing it on
CentOS 7. I'm bringing it up here because, given that there are
multiple reports, there's some bigger picture involving policy and
rpc.gssd.
I'll note that some of the reported bugs were *closed* last year, or
before, so it seems to me an old issue resurfaced.
Example.
SELinux is preventing /usr/sbin/rpc.gssd from using the block_suspend
capability.
Hi Mark,
Until you send some logs I'm not able to help you much, but based on
your example, it looks like a kernel bug affecting SELinux. The solution
is to dontaudit this SELinux denial.
Also, what version of CentOS 7 are you using? CentOS 7.5?
To fix the block_suspend issue please follow these steps:
# yum install -y selinux-policy-devel
# cat << EOF > local_gssd_block_suspend.te
module local_gssd_block_suspend 1.0;
require {
type gssd_t;
class capability2 block_suspend;
}
#============= gssd_t ==============
dontaudit gssd_t self:capability2 block_suspend;
EOF
# make -f /usr/share/selinux/devel/Makefile local_gssd_block_suspend.pp
# semodule -i local_gssd_block_suspend.pp
Lukas.
_______________________________________________
selinux mailing list -- selinux(a)lists.fedoraproject.org
--
Lukas Vrabec
Software Engineer, Security Technologies
Red Hat, Inc.
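The steps above turn one AVC denial into a local dontaudit module by hand. As an added example (not part of the thread, and not Red Hat's or the selinux-policy project's tooling), the following Python script does the same translation automatically: it parses the AVC records from an audit log, groups the denied permissions by (source type, target type, object class), collapses repeated denials into one rule, and emits a .te module in the same layout Lukas shows. The audit lines embedded in the script are constructed for the example; the `capability2` / `block_suspend` / `gssd_t` identifiers are the ones from the thread.

```python
import re
from collections import defaultdict

# Constructed sample audit records (not taken from the original thread).
# The field layout follows the standard kernel AVC message format; the
# second AVC line is a deliberate duplicate to show that repeated denials
# collapse into a single rule. The SYSCALL record is ignored by the parser.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1526584320.123:456): avc:  denied  { block_suspend } for  pid=1234 comm="rpc.gssd" capability=36  scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:system_r:gssd_t:s0 tclass=capability2 permissive=1
type=AVC msg=audit(1526584321.456:457): avc:  denied  { block_suspend } for  pid=1234 comm="rpc.gssd" capability=36  scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:system_r:gssd_t:s0 tclass=capability2 permissive=1
type=SYSCALL msg=audit(1526584321.456:457): arch=c000003e syscall=2 success=yes exit=3 comm="rpc.gssd"
"""

# Pull the denied permission set, the *type* field of scontext/tcontext
# (user:role:TYPE:level) and the object class out of one AVC record.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=\S+?:\S+?:(?P<stype>\w+):\S*\s+"
    r"tcontext=\S+?:\S+?:(?P<ttype>\w+):\S*\s+"
    r"tclass=(?P<tclass>\w+)"
)


def parse_denials(log_text):
    """Return {(source_type, target_type, tclass): set(permissions)}.

    When source and target type are identical the target is recorded as
    'self', matching how audit2allow and the thread's module express it.
    """
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial (SYSCALL, PATH, ... records)
        stype, ttype = m.group("stype"), m.group("ttype")
        if ttype == stype:
            ttype = "self"
        denials[(stype, ttype, m.group("tclass"))].update(m.group("perms").split())
    return dict(denials)


def _permset(perms):
    """Single permission stays bare; several are wrapped in braces."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def build_te_module(name, denials, version="1.0", rule="dontaudit"):
    """Render a .te module: 'require' block plus one rule per key.

    rule is 'dontaudit' by default (what the thread recommends); pass
    'allow' only if the denial is something the domain legitimately needs.
    """
    types = {s for s, _, _ in denials} | {t for _, t, _ in denials if t != "self"}
    classes = defaultdict(set)
    for (_, _, tclass), perms in denials.items():
        classes[tclass].update(perms)

    lines = [f"module {name} {version};", "", "require {"]
    lines += [f"\ttype {t};" for t in sorted(types)]
    lines += [f"\tclass {c} {_permset(p)};" for c, p in sorted(classes.items())]
    lines += ["}", ""]
    for (stype, ttype, tclass), perms in sorted(denials.items()):
        lines.append(f"{rule} {stype} {ttype}:{tclass} {_permset(perms)};")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Write the output to local_gssd_block_suspend.te, then build and load
    # it exactly as in the thread:
    #   make -f /usr/share/selinux/devel/Makefile local_gssd_block_suspend.pp
    #   semodule -i local_gssd_block_suspend.pp
    print(build_te_module("local_gssd_block_suspend", parse_denials(SAMPLE_AUDIT_LOG)))
```

Two operational notes for whoever installs such a module. Confirm it actually loaded with `semodule -l | grep local_gssd_block_suspend`. And remember that dontaudit hides the denial rather than fixing it: if rpc.gssd misbehaves later and you need to see suppressed AVCs again, rebuild the policy with dontaudit rules disabled using `semodule -DB`, then restore them with `semodule -B` when done.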