Bug 1446145

Summary: Selinux prevents freeradius to connect to postgresql
Product: Red Hat Enterprise Linux 7 Reporter: Jaroslav Aster <jaster>
Component: selinux-policyAssignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: high Docs Contact:
Priority: high    
Version: 7.4CC: jaster, lvrabec, mgrepl, mmalik, plautrba, pvrabec, ssekidde, vmojzis
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.13.1-149.el7 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-08-01 15:24:23 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Jaroslav Aster 2017-04-27 10:27:05 UTC
Description of problem:

Selinux prevents freeradius to connect to postgresql.


Version-Release number of selected component (if applicable):

selinux-policy-3.13.1-145.el7
freeradius-3.0.13-3.el7


How reproducible:

100%


Steps to Reproduce:

Configure freeradius to use postgresql. Freeradius does not start and there are some avcs in the log file.

type=PROCTITLE msg=audit(04/27/2017 06:03:14.399:688) : proctitle=/usr/sbin/radiusd -d /etc/raddb
type=SYSCALL msg=audit(04/27/2017 06:03:14.399:688) : arch=x86_64 syscall=connect success=no exit=EACCES(Permission denied) a0=0x4 a1=0x564dd3537520 a2=0x6e a3=0x564dd3537522 items=0 ppid=8731 pid=8735 auid=unset uid=root gid=radiusd euid=radiusd suid=root fsuid=radiusd egid=radiusd sgid=radiusd fsgid=radiusd tty=(none) ses=unset comm=radiusd exe=/usr/sbin/radiusd subj=system_u:system_r:radiusd_t:s0 key=(null)
type=AVC msg=audit(04/27/2017 06:03:14.399:688) : avc:  denied  { connectto } for  pid=8735 comm=radiusd path=/run/postgresql/.s.PGSQL.5432 scontext=system_u:system_r:radiusd_t:s0 tcontext=system_u:system_r:postgresql_t:s0 tclass=unix_stream_socket


Actual results:

Freeradius does not start.


Expected results:

Freeradius starts and works.

Comment 1 Vit Mojzis 2017-04-27 14:07:20 UTC
Thank you for reporting the issue. 
Would you be able to retry your use case with SELinux in permissive mode (#setenforce 0) and send all the AVC's (#ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err --raw -ts today)? 
That way we could allow all the necessary access at once.

Comment 2 Jaroslav Aster 2017-04-27 14:13:30 UTC
No problem :-).

# ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err --raw -ts recent
type=AVC msg=audit(1493302193.398:858): avc:  denied  { connectto } for  pid=27636 comm="radiusd" path="/run/postgresql/.s.PGSQL.5432" scontext=system_u:system_r:radiusd_t:s0 tcontext=system_u:system_r:postgresql_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1493302193.398:858): arch=c000003e syscall=42 success=no exit=-13 a0=4 a1=555d41b86520 a2=6e a3=555d41b86522 items=0 ppid=27632 pid=27636 auid=4294967295 uid=0 gid=95 euid=95 suid=0 fsuid=95 egid=95 sgid=95 fsgid=95 tty=(none) ses=4294967295 comm="radiusd" exe="/usr/sbin/radiusd" subj=system_u:system_r:radiusd_t:s0 key=(null)
type=PROCTITLE msg=audit(1493302193.398:858): proctitle=2F7573722F7362696E2F72616469757364002D64002F6574632F7261646462
type=USER_AVC msg=audit(1493302266.304:869): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received setenforce notice (enforcing=0)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1493302280.862:905): avc:  denied  { connectto } for  pid=29522 comm="radiusd" path="/run/postgresql/.s.PGSQL.5432" scontext=system_u:system_r:radiusd_t:s0 tcontext=system_u:system_r:postgresql_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1493302280.862:905): arch=c000003e syscall=42 success=yes exit=0 a0=4 a1=557807daa520 a2=6e a3=557807daa522 items=0 ppid=29518 pid=29522 auid=4294967295 uid=0 gid=95 euid=95 suid=0 fsuid=95 egid=95 sgid=95 fsgid=95 tty=(none) ses=4294967295 comm="radiusd" exe="/usr/sbin/radiusd" subj=system_u:system_r:radiusd_t:s0 key=(null)
type=PROCTITLE msg=audit(1493302280.862:905): proctitle=2F7573722F7362696E2F72616469757364002D64002F6574632F7261646462

Comment 12 errata-xmlrpc 2017-08-01 15:24:23 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1861