Bug 825137
| Summary: | radiusd unable to connect to ldap | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Patrik Kis <pkis> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Milos Malik <mmalik> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 7.0 | CC: | ksrot, mgrepl, mmalik |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2014-06-13 10:20:43 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
On RHEL6 we have
$ sesearch -A -C -s radiusd_t -t ldap_port_t -c tcp_socket
Found 5 semantic av rules:
allow radiusd_t ldap_port_t : tcp_socket { recv_msg send_msg name_connect } ;
allow radiusd_t port_type : tcp_socket { recv_msg send_msg } ;
DT allow radiusd_t reserved_port_type : tcp_socket name_connect ; [ allow_ypbind ]
DT allow radiusd_t rpc_port_type : tcp_socket name_bind ; [ allow_ypbind ]
DT allow radiusd_t port_type : tcp_socket { recv_msg send_msg } ; [ allow_ypbind ]
radius should be able to connect to ldap without ypbind boolean enabled. We should add it into policy.
On RHEl6 we allowed all apps that used getpw to connect to ldap. On RHEL7 we will rely on sssd for this. If radius needs to connect to ldap for something other then password resolution then we should turn it on in radious policy. Fixed in selinux-policy-3.10.0-128.el7 This request was resolved in Red Hat Enterprise Linux 7.0. Contact your manager or support representative in case you have further questions about the request. |
Description of problem: I'm not sure if this is a real bug but better report it. In out test case radiusd is trying to connect to TCP socket of slapd (ldap server). It succeed on RHEL6 but on not on RHEL7. The ldap server is running unser ldap user and radiusd under radiusd (this is the same on boot RHEL7 and RHEL6) [root@rhel70]# ps -eflZ | grep radius | grep -v grep system_u:system_r:radiusd_t:s0 5 S radiusd 6177 1 0 80 0 - 123909 poll_s 09:29 ? 00:00:00 /usr/sbin/radiusd -d /etc/raddb [root@rhel70]# ps -eflZ | grep slapd | grep -v grep system_u:system_r:slapd_t:s0 1 S ldap 5990 1 0 80 0 - 74123 futex_ 09:23 ? 00:00:00 /usr/sbin/slapd -u ldap -h ldapi:/// ldap:/// ldaps:/// When the radiusd attempts to coonect to ldap socket the following avcs appears: type=AVC msg=audit(1337933665.084:13545): avc: denied { name_connect } for pid=6181 comm="radiusd" dest=389 scontext=system_u:system_r:radiusd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket type=SYSCALL msg=audit(1337933665.084:13545): arch=c000003e syscall=42 success=no exit=-13 a0=d a1=7fdd940010a0 a2=10 a3=7fddac5e0580 items=0 ppid=1 pid=6181 auid=4294967295 uid=95 gid=95 euid=95 suid=95 fsuid=95 egid=95 sgid=95 fsgid=95 tty=(none) ses=4294967295 comm="radiusd" exe="/usr/sbin/radiusd" subj=system_u:system_r:radiusd_t:s0 key=(null) [root@rhel70 ~]# ausearch -m AVC -ts recent | audit2allow WARNING: Policy would be downgraded from version 27 to 26. #============= radiusd_t ============== #!!!! This avc can be allowed using one of the these booleans: # authlogin_nsswitch_use_ldap, allow_ypbind allow radiusd_t ldap_port_t:tcp_socket name_connect; [root@rhel70]# semanage boolean -l | grep allow_ypbind allow_ypbind (off , off) allow_ypbind [root@rhel70]# semanage boolean -l | grep authlogin_nsswitch_use_ldap authlogin_nsswitch_use_ldap (off , off) authlogin_nsswitch_use_ldap Enabling any of these booleans allows the socket access so the test pass, but the question if how it is possible that the same test works on RHEL6, where: [root@rhel62]# getsebool allow_ypbind allow_ypbind --> off [root@rhel62]# getsebool authlogin_nsswitch_use_ldap Error getting active value for authlogin_nsswitch_use_ldap What has changed? Version-Release number of selected component (if applicable): # cat /etc/redhat-release Red Hat Enterprise Linux Server release 7.0 Alpha1 (Maipo) # rpm -qa | grep selinux libselinux-utils-2.1.10-4.el7.x86_64 selinux-policy-targeted-3.10.0-123.el7.noarch libselinux-2.1.10-4.el7.x86_64 libselinux-python-2.1.10-4.el7.x86_64 selinux-policy-devel-3.10.0-123.el7.noarch selinux-policy-3.10.0-123.el7.noarch How reproducible: always Steps to Reproduce: 1. Run the test case /CoreOS/freeradius/Sanity/freeradius-openldap-auth-test and remove the workaround with "allow_ypbind" selinux boolean Actual results: radiusd can not connect to ldap socket Expected results: radiusd can connect to ldap socket Additional info: