Bug 665563

Summary: SELinux policy prevents FreeRADIUS connecting to database
Product: [Fedora] Fedora Reporter: ygor.regados
Component: selinux-policy-targetedAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Ben Levenson <benl>
Severity: medium Docs Contact:
Priority: low    
Version: 14CC: dwalsh
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.9.7-20.fc14 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-01-17 20:52:04 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description ygor.regados 2010-12-24 19:22:40 UTC
Description of problem:
The default SELinux policy is preventing FreeRADIUS to connect to a PostgreSQL server. Also, it's not possible to create manually a policy module to allow the access.

Versions:
freeradius-2.1.10-1.fc14.x86_64
selinux-policy-3.9.7-18.fc14.noarch
selinux-policy-targeted-3.9.7-18.fc14.noarch

How reproducible:
Configure a FreeRADIUS server to use a PostgreSQL database. Connections always blocked.

Expected results:
Connection allowed or a selinux boolean to allow the connection.

Additional info:
-> Sealert output
*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that radiusd should be allowed name_connect access on the port 5432 tcp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep /usr/sbin/radiusd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

-> audit.log
type=SYSCALL msg=audit(1293217305.037:365): arch=c000003e syscall=42 success=no exit=-13 a0=4 a1=d9f6e0 a2=10 a3=7fff79aecbe0 items=0 ppid=4654 pid=4655 auid=0 uid=0 gid=95 euid=95 suid=0 fsuid=95 egid=95 sgid=95 fsgid=95 tty=(none) ses=51 comm="radiusd" exe="/usr/sbin/radiusd" subj=unconfined_u:system_r:radiusd_t:s0 key=(null)

Comment 1 Daniel Walsh 2010-12-28 13:22:11 UTC
ausearch -m avc  | grep radiusd

Comment 2 ygor.regados 2010-12-28 18:29:44 UTC
type=SYSCALL msg=audit(1293385921.676:42597): arch=c000003e syscall=42 success=no exit=-115 a0=4 a1=2107c40 a2=10 a3=7fff46843950 items=0 ppid=12006 pid=12007 auid=0 uid=0 gid=95 euid=95 suid=0 fsuid=95 egid=95 sgid=95 fsgid=95 tty=pts2 ses=589 comm="radiusd" exe="/usr/sbin/radiusd" subj=unconfined_u:system_r:radiusd_t:s0 key=(null)

type=AVC msg=audit(1293385921.676:42597): avc:  denied  { name_connect } for  pid=12007 comm="radiusd" dest=5432 scontext=unconfined_u:system_r:radiusd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket

type=SYSCALL msg=audit(1293386309.939:42621): arch=c000003e syscall=42 success=no exit=-115 a0=4 a1=2997db0 a2=10 a3=7fff1ac39c70 items=0 ppid=12126 pid=12127 auid=0 uid=0 gid=95 euid=95 suid=0 fsuid=95 egid=95 sgid=95 fsgid=95 tty=pts0 ses=585 comm="radiusd" exe="/usr/sbin/radiusd" subj=unconfined_u:system_r:radiusd_t:s0 key=(null)

type=AVC msg=audit(1293386309.939:42621): avc:  denied  { name_connect } for  pid=12127 comm="radiusd" dest=5432 scontext=unconfined_u:system_r:radiusd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket

Comment 3 Daniel Walsh 2010-12-28 20:14:13 UTC
Miroslav add

corenet_tcp_connect_postgresql_port(radiusd_t)

Comment 4 Miroslav Grepl 2011-01-03 09:48:23 UTC
Fixed in selinux-policy-3.9.7-20.fc14

Comment 5 Fedora Update System 2011-01-04 18:01:00 UTC
selinux-policy-3.9.7-20.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-20.fc14

Comment 6 Fedora Update System 2011-01-05 21:21:42 UTC
selinux-policy-3.9.7-20.fc14 has been pushed to the Fedora 14 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-20.fc14

Comment 7 Fedora Update System 2011-01-17 20:51:12 UTC
selinux-policy-3.9.7-20.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.