Bug 1396886

Summary: [rhsc] Nagios + IDA integration fails with avc denied for ldap_port_t
Product: Red Hat Enterprise Linux 7
Reporter: Sweta Anandpara <sanandpa>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED NOTABUG
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: high
Priority: unspecified
Version: 7.3
CC: lvrabec, mgrepl, mmalik, plautrba, pvrabec, sanandpa, ssekidde, storage-qa-internal
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Story Points: ---
Clones: 1396889
Last Closed: 2016-11-22 11:13:33 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Blocks: 1396889

Description Sweta Anandpara 2016-11-21 05:31:17 UTC
Description of problem:
======================
Was following the steps mentioned in the admin guide to integrate nagios and ldap: https://access.redhat.com/documentation/en-US/Red_Hat_Storage/3.1/html-single/Administration_Guide/index.html#Integrating_LDAP_Authentication_with_Nagios

Tried logging in to Nagios web UI using the login credentials of AD users, but that failed with 500: Internal Server Error. Set the selinux policy to permissive and login to nagios web UI was successful. 

Seeing the below error in audit logs:
type=AVC msg=audit(1479359600.477:65770): avc:  denied  { name_connect } for  pid=3714 comm="httpd" dest=389 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket



Version-Release number of selected component (if applicable):
==============================================================
RHGS 3.2 interim build (3.8.4-5)
selinux-policy-targeted-3.13.1-102.el7_3.4.noarch
selinux-policy-3.13.1-102.el7_3.4.noarch



How reproducible:
=================
2:2


Additional info:
================
[root@dhcp46-239 ~]# rpm -qa | grep gluster
nfs-ganesha-gluster-2.3.1-8.el7rhgs.x86_64
glusterfs-api-3.8.4-5.el7rhgs.x86_64
python-gluster-3.8.4-5.el7rhgs.noarch
glusterfs-client-xlators-3.8.4-5.el7rhgs.x86_64
glusterfs-server-3.8.4-5.el7rhgs.x86_64
glusterfs-ganesha-3.8.4-5.el7rhgs.x86_64
gluster-nagios-common-0.2.4-1.el7rhgs.noarch
glusterfs-devel-3.8.4-5.el7rhgs.x86_64
gluster-nagios-addons-0.2.8-1.el7rhgs.x86_64
glusterfs-libs-3.8.4-5.el7rhgs.x86_64
glusterfs-fuse-3.8.4-5.el7rhgs.x86_64
glusterfs-api-devel-3.8.4-5.el7rhgs.x86_64
glusterfs-rdma-3.8.4-5.el7rhgs.x86_64
glusterfs-3.8.4-5.el7rhgs.x86_64
glusterfs-cli-3.8.4-5.el7rhgs.x86_64
glusterfs-geo-replication-3.8.4-5.el7rhgs.x86_64
glusterfs-debuginfo-3.8.4-4.el7rhgs.x86_64
glusterfs-events-3.8.4-5.el7rhgs.x86_64
[root@dhcp46-239 ~]# 
[root@dhcp46-239 ~]# 
[root@dhcp46-239 ~]# gluster peer status
Number of Peers: 3

Hostname: 10.70.46.240
Uuid: 72c4f894-61f7-433e-a546-4ad2d7f0a176
State: Peer in Cluster (Connected)

Hostname: 10.70.46.242
Uuid: 1e8967ae-51b2-4c27-907e-a22a83107fd0
State: Peer in Cluster (Connected)

Hostname: 10.70.46.218
Uuid: 0dea52e0-8c32-4616-8ef8-16db16120eaa
State: Peer in Cluster (Connected)
[root@dhcp46-239 ~]# 
[root@dhcp46-239 ~]# 
[root@dhcp46-239 ~]#

Comment 1 Milos Malik 2016-11-21 10:42:12 UTC
Does your scenario work after enabling the httpd_can_connect_ldap boolean?

Comment 3 Sweta Anandpara 2016-11-21 12:37:53 UTC
Yes, after enabling httpd_can_connect_ldap, login to webUI does work using the creds of AD users.

Comment 4 Lukas Vrabec 2016-11-22 11:13:33 UTC
Thank you for the info. 

Closing this issue as NOTABUG, since the fix is to enable the boolean.
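As an added example (not code from the bug report or from selinux-policy), the following parses the AVC record quoted in the description and maps the httpd_t -> ldap_port_t name_connect denial to the boolean named in comment 1, so the narrow fix (one boolean) can be derived from the audit line instead of dropping the whole policy to permissive. The lookup table and function names are my own; only the one denial/boolean pair this report confirms is listed.

```python
import re
import shlex

# The AVC record quoted in the bug description, reflowed onto one line.
SAMPLE_AVC = ('type=AVC msg=audit(1479359600.477:65770): avc:  denied  { name_connect } for '
              'pid=3714 comm="httpd" dest=389 scontext=system_u:system_r:httpd_t:s0 '
              'tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket')

# Known boolean-gated denials: (source type, target type, class, permission) -> boolean.
# Assumed table for illustration; only the pair confirmed in this bug is listed.
BOOLEAN_MAP = {
    ('httpd_t', 'ldap_port_t', 'tcp_socket', 'name_connect'): 'httpd_can_connect_ldap',
}

_AVC_RE = re.compile(
    r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$')


def parse_avc(line):
    """Parse one audit AVC record into a dict; return None for non-AVC lines."""
    m = _AVC_RE.search(line)
    if not m:
        return None
    rec = {'verdict': m.group('verdict'), 'perms': m.group('perms').split()}
    for tok in shlex.split(m.group('rest')):  # shlex strips the quotes on comm="httpd"
        if '=' in tok:
            key, value = tok.split('=', 1)
            rec[key] = value
    # A context label is user:role:type:level; the third field is the type.
    for key in ('scontext', 'tcontext'):
        if key in rec:
            rec[key + '_type'] = rec[key].split(':')[2]
    return rec


def suggest_boolean(rec):
    """Return the SELinux boolean known to allow this denial, or None."""
    if rec is None or rec['verdict'] != 'denied':
        return None
    for perm in rec['perms']:
        key = (rec.get('scontext_type'), rec.get('tcontext_type'), rec.get('tclass'), perm)
        if key in BOOLEAN_MAP:
            return BOOLEAN_MAP[key]
    return None


def remediation(line):
    """Turn an audit line into the persistent setsebool command, or None if unknown."""
    boolean = suggest_boolean(parse_avc(line))
    return f'setsebool -P {boolean} on' if boolean else None
```

Enabling httpd_can_connect_ldap permits httpd_t to connect to every port labelled ldap_port_t, which is still far narrower than running the host in permissive mode.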