On Fri, 2017-03-31 at 20:39 +0200, Rob Verduijn wrote:
In that case a workaround should not be so difficult :-)
lets fire up ausearch
I do not know if it shouws up in the audit log becauxe this is a decision made by libc based on the AT_SECURE flag that is set in the process based on selinux policies. So technically there isn't a violation happening.
In bz#1174915 there is a similar issue and the solution there was to add this to the policy: allow NetworkManager_t openvpn_t:process { noatsecure };
I am not sure what would be the policy in rpc.gssd case, perhaps something like: allow init_t gssd_t:process { noatsecure }; ?
Simo.
Rob.
2017-03-31 19:02 GMT+02:00 Simo Sorce simo@redhat.com:
Good news Rob, apparently it ended up being a SELinux policy issue, see: https://bugzilla.redhat.com/show_bug.cgi?id=1430963
Simo.
On Tue, 2017-03-28 at 17:44 +0200, Rob Verduijn wrote:
I guess this has low priority for the nfs devs.
Any workaround for this that does not require creating a service account
in
ipa ?
Rob Verduijn
2017-03-10 12:37 GMT+01:00 Rob Verduijn rob.verduijn@gmail.com:
Cool...this thing was driving me nuts
Looking forward to the patch.
Rob
2017-03-10 2:14 GMT+01:00 Robbie Harwood rharwood@redhat.com:
Rob Verduijn rob.verduijn@gmail.com writes:
I've tried quite a lot of things (including the very latest version
0.7.0
of gssproxy) but I keep failing to get it to work on fedora25.
So in a last ditch attempt I created a reproducer in the form of a
vagrant
script that creates a test environment that has the problem.
Hi Rob,
Thanks for the (maximally) detailed reproducer. I was able to observe the issue on my end. I observed that GSS_USE_PROXY=yes is indeed set
in
rpc.gssd's environment. gssproxy isn't logging anything because it never gets invoked. rpc.gssd has broken the environment variable
which
we check using secure_getenv().
I've opened https://bugzilla.redhat.com/show_bug.cgi?id=1430963 for
this
issue.
--Robbie
gss-proxy mailing list -- gss-proxy@lists.fedorahosted.org To unsubscribe send an email to gss-proxy-leave@lists.fedorahosted.org
-- Simo Sorce * Red Hat, Inc * New York _______________________________________________ gss-proxy mailing list -- gss-proxy@lists.fedorahosted.org To unsubscribe send an email to gss-proxy-leave@lists.fedorahosted.org
gss-proxy mailing list -- gss-proxy@lists.fedorahosted.org To unsubscribe send an email to gss-proxy-leave@lists.fedorahosted.org