Bug 1156092

Summary: [RFE] LDAP Authentication needs SELinux context to be set properly in order to function.
Product: Red Hat Satellite
Reporter: Michael J. Ayers <ayersmj>
Component: Docs Install Guide
Assignee: Peter Ondrejka <pondrejk>
Status: CLOSED CURRENTRELEASE
QA Contact: Adam Strong <adstrong>
Severity: medium
Docs Contact: David O'Brien <daobrien>
Priority: unspecified
Version: Unspecified
CC: ayersmj, daobrien, hhudgeon
Target Milestone: Unspecified
Keywords: FutureFeature
Target Release: Unused
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-08-12 11:51:38 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Michael J. Ayers 2014-10-23 14:28:32 UTC
Document URL: https://access.redhat.com/documentation/en-US/Red_Hat_Satellite/6.0/html/Installation_Guide/index.html

Section Number and Name: 3.3. Configuring LDAP Authentication for Red Hat Satellite

Describe the issue: SELinux can prevent outgoing connections in RHEL 7 of certain types. Without the proper SEBool setting LDAP authentication will never work and debugging it is difficult due to the nature of the failure in Foreman. This can happen by default if you do a minimal RHEL install and then expand it later to support running Satellite.

Suggestions for improvement: Add a note to section 3.3 that informs the reader that setting the SELinux SEBool will allow outgoing LDAP requests.


Additional information: The denials in the /var/log/audit/audit.log look like this:

type=AVC msg=audit(1414013923.072:498): avc:  denied  { name_connect } for  pid=3341 comm="ruby" dest=389 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket

Dumping those through audit2allow -m gives the following:

[root@satellite ~]# grep denied /var/log/audit/audit.log | grep ruby | audit2allow -m selinux-foreman-ldap

module selinux-foreman-ldap 1.0;

require {
        type ldap_port_t;
        type passenger_t;
        class tcp_socket name_connect;
}

#============= passenger_t ==============

#!!!! This avc can be allowed using one of the these booleans:
#     nis_enabled, authlogin_nsswitch_use_ldap, passenger_can_connect_all
allow passenger_t ldap_port_t:tcp_socket name_connect;

My suggestion would be to set authlogin_nsswitch_use_ldap = 1 by executing the following:

[root@satellite ~]# setsebool authlogin_nsswitch_use_ldap=1
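The following script is an added example, not part of the bug report or of the Satellite documentation. It scans audit.log-style records for exactly the denial shown above (a name_connect from passenger_t to ldap_port_t), extracts the source context, target context and destination port, and maps the passenger_t case to the boolean the reporter recommends. The AVC line is the one from the report; the two extra records are constructed so that the filter has something to reject. The fallback message for other domains and the getsebool handling are assumptions of this example.

```shell
#!/bin/sh
# Added example: find LDAP-port connect denials in audit records and report
# which SELinux boolean to check. Sample records are constructed; the first
# is the AVC from the bug report, the other two are filler that must not match.
SAMPLE_AUDIT='type=AVC msg=audit(1414013923.072:498): avc:  denied  { name_connect } for  pid=3341 comm="ruby" dest=389 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1414013950.101:512): avc:  denied  { read } for  pid=2201 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1414013923.072:498): arch=c000003e syscall=42 success=no exit=-13'

# Read audit records on stdin; print "scontext tcontext dest" for every
# denied name_connect whose target type is ldap_port_t.
ldap_connect_denials() {
    awk '
        /type=AVC/ && /denied/ && /name_connect/ && /tcontext=[^ ]*:ldap_port_t:/ {
            s = t = d = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^scontext=/) s = substr($i, 10)
                if ($i ~ /^tcontext=/) t = substr($i, 10)
                if ($i ~ /^dest=/)     d = substr($i, 6)
            }
            print s, t, d
        }'
}

# Number of matching denials in the constructed sample (expected: 1).
count_sample_denials() {
    printf '%s\n' "$SAMPLE_AUDIT" | ldap_connect_denials | wc -l | tr -d ' '
}

# Map a source context to a boolean. Only the passenger_t mapping comes from
# the report (authlogin_nsswitch_use_ldap); other domains get no recommendation.
recommended_boolean() {
    case "$1" in
        *:passenger_t:*) echo "authlogin_nsswitch_use_ldap" ;;
        *) echo "no recommendation for domain $1" ;;
    esac
}

# Show the boolean's current value when getsebool exists on this host;
# otherwise say so instead of guessing (assumption: getsebool may be absent).
boolean_state() {
    if command -v getsebool >/dev/null 2>&1; then
        getsebool "$1" 2>/dev/null || echo "$1 --> unknown"
    else
        echo "$1 --> (getsebool not available on this host)"
    fi
}

main() {
    printf '%s\n' "$SAMPLE_AUDIT" | ldap_connect_denials | while read -r sctx tctx dest; do
        echo "denied: $sctx -> $tctx (port $dest)"
        b=$(recommended_boolean "$sctx")
        echo "suggested boolean: $b"
        boolean_state "$b"
    done
}

main
```

On a real Satellite host, feed the live log instead of the sample (`ldap_connect_denials < /var/log/audit/audit.log`) and compare the reported boolean against `getsebool` before and after applying the reporter's `setsebool` command; note that `setsebool` without `-P` changes the boolean only until the next reboot, so add `-P` when the change is meant to persist.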

Comment 1 RHEL Program Management 2014-10-23 14:43:01 UTC
Since this issue was entered in Red Hat Bugzilla, the release flag has been
set to ? to ensure that it is properly evaluated for this release.

Comment 4 RHEL Program Management 2015-04-21 16:09:36 UTC
Since this issue was entered in Red Hat Bugzilla, the release flag has been
set to ? to ensure that it is properly evaluated for this release.

Comment 9 David O'Brien 2015-08-25 22:05:23 UTC
This is not rel note material.