Bug 1446145
Summary: | Selinux prevents freeradius to connect to postgresql | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Jaroslav Aster <jaster> |
Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
Severity: | high | Docs Contact: | |
Priority: | high | ||
Version: | 7.4 | CC: | jaster, lvrabec, mgrepl, mmalik, plautrba, pvrabec, ssekidde, vmojzis |
Target Milestone: | rc | ||
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | selinux-policy-3.13.1-149.el7 | Doc Type: | If docs needed, set a value |
Last Closed: | 2017-08-01 15:24:23 UTC | Type: | Bug |
Description
Jaroslav Aster
2017-04-27 10:27:05 UTC
Thank you for reporting the issue. Would you be able to retry your use case with SELinux in permissive mode (#setenforce 0) and send all the AVC's (#ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err --raw -ts today)? That way we could allow all the necessary access at once.

No problem :-).

# ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err --raw -ts recent
type=AVC msg=audit(1493302193.398:858): avc: denied { connectto } for pid=27636 comm="radiusd" path="/run/postgresql/.s.PGSQL.5432" scontext=system_u:system_r:radiusd_t:s0 tcontext=system_u:system_r:postgresql_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1493302193.398:858): arch=c000003e syscall=42 success=no exit=-13 a0=4 a1=555d41b86520 a2=6e a3=555d41b86522 items=0 ppid=27632 pid=27636 auid=4294967295 uid=0 gid=95 euid=95 suid=0 fsuid=95 egid=95 sgid=95 fsgid=95 tty=(none) ses=4294967295 comm="radiusd" exe="/usr/sbin/radiusd" subj=system_u:system_r:radiusd_t:s0 key=(null)
type=PROCTITLE msg=audit(1493302193.398:858): proctitle=2F7573722F7362696E2F72616469757364002D64002F6574632F7261646462
type=USER_AVC msg=audit(1493302266.304:869): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received setenforce notice (enforcing=0) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1493302280.862:905): avc: denied { connectto } for pid=29522 comm="radiusd" path="/run/postgresql/.s.PGSQL.5432" scontext=system_u:system_r:radiusd_t:s0 tcontext=system_u:system_r:postgresql_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1493302280.862:905): arch=c000003e syscall=42 success=yes exit=0 a0=4 a1=557807daa520 a2=6e a3=557807daa522 items=0 ppid=29518 pid=29522 auid=4294967295 uid=0 gid=95 euid=95 suid=0 fsuid=95 egid=95 sgid=95 fsgid=95 tty=(none) ses=4294967295 comm="radiusd" exe="/usr/sbin/radiusd" subj=system_u:system_r:radiusd_t:s0 key=(null)
type=PROCTITLE msg=audit(1493302280.862:905): proctitle=2F7573722F7362696E2F72616469757364002D64002F6574632F7261646462

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1861
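
The raw records in this report can be reduced to the access a policy reviewer has to decide on. The following is an added example, not part of the bug report or of the selinux-policy project: it pairs each AVC record with the SYSCALL record of the same audit event, which separates a denial that was enforced (`success=no`) from one that was only logged in permissive mode (`success=yes`), and merges the denials into candidate allow-rule text. The function names are hypothetical and the sample records are abridged from the ausearch output above.

```python
import re
from collections import defaultdict

# Records abridged from the ausearch output in this report (unused fields dropped).
SAMPLE = """\
type=AVC msg=audit(1493302193.398:858): avc: denied { connectto } for pid=27636 comm="radiusd" path="/run/postgresql/.s.PGSQL.5432" scontext=system_u:system_r:radiusd_t:s0 tcontext=system_u:system_r:postgresql_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1493302193.398:858): arch=c000003e syscall=42 success=no exit=-13 comm="radiusd" exe="/usr/sbin/radiusd"
type=USER_AVC msg=audit(1493302266.304:869): pid=1 uid=0 msg='avc: received setenforce notice (enforcing=0) exe="/usr/lib/systemd/systemd"'
type=AVC msg=audit(1493302280.862:905): avc: denied { connectto } for pid=29522 comm="radiusd" path="/run/postgresql/.s.PGSQL.5432" scontext=system_u:system_r:radiusd_t:s0 tcontext=system_u:system_r:postgresql_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1493302280.862:905): arch=c000003e syscall=42 success=yes exit=0 comm="radiusd" exe="/usr/sbin/radiusd"
"""

HEAD = re.compile(r"type=(\S+) msg=audit\(\d+\.\d+:(\d+)\):")
AVC = re.compile(r"avc:\s+denied\s+\{ ([^}]+) \}.*scontext=(\S+) tcontext=(\S+) tclass=(\S+)")
RESULT = re.compile(r"\bsuccess=(yes|no)\b")

def parse_denials(raw):
    """Pair each kernel AVC denial with the SYSCALL record sharing its event serial."""
    events = defaultdict(lambda: {"AVC": [], "SYSCALL": ""})
    for line in raw.splitlines():
        head = HEAD.match(line)
        if head and head.group(1) == "AVC":
            events[int(head.group(2))]["AVC"].append(line)
        elif head and head.group(1) == "SYSCALL":
            events[int(head.group(2))]["SYSCALL"] = line
    denials = []
    for serial in sorted(events):
        result = RESULT.search(events[serial]["SYSCALL"])
        for line in events[serial]["AVC"]:
            avc = AVC.search(line)
            if not avc:
                continue
            perms, sctx, tctx, tclass = avc.groups()
            denials.append({
                "serial": serial, "tclass": tclass, "perms": perms.split(),
                # The SELinux type is the third field of user:role:type:level.
                "source": sctx.split(":")[2], "target": tctx.split(":")[2],
                # True: call failed (enforcing). False: logged only. None: no SYSCALL record.
                "blocked": None if result is None else result.group(1) == "no",
            })
    return denials

def allow_rules(denials):
    """Merge denials into one candidate allow rule per (source, target, class)."""
    merged = defaultdict(set)
    for d in denials:
        merged[(d["source"], d["target"], d["tclass"])].update(d["perms"])
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};" for (s, t, c), p in sorted(merged.items())]
```

Both events collapse to a single rule here because the enforcing and permissive runs hit the same access; a permissive run that surfaced further denials would add permissions or rules to the list.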