Bug 836952
Summary: | selinux denies access to ldap port | |
---|---|---|---
Product: | Red Hat Enterprise Linux 7 | Reporter: | Karel Volný <kvolny>
Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl>
Status: | CLOSED CURRENTRELEASE | QA Contact: | Milos Malik <mmalik>
Severity: | high | Docs Contact: |
Priority: | high | |
Version: | 7.0 | CC: | dwalsh, jsynacek, mmalik
Target Milestone: | rc | Keywords: | Reopened
Target Release: | --- | |
Hardware: | All | |
OS: | Linux | |
Whiteboard: | | |
Fixed In Version: | | Doc Type: | Bug Fix
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: |
Last Closed: | 2014-06-13 12:30:12 UTC | Type: | Bug
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Description
Karel Volný
2012-07-02 10:02:21 UTC
I've found that the failure is caused by selinux denying access to the ldap port:

type=AVC msg=audit(1342091574.420:298029): avc: denied { name_connect } for pid=4463 comm="postgres" dest=389 scontext=system_u:system_r:postgresql_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket

selinux-policy-3.10.0-137.el7.noarch


# sesearch -A -s postgresql_t -t ldap_port_t -c tcp_socket -p name_connect -C
Found 3 semantic av rules:
   DT allow postgresql_t reserved_port_type : tcp_socket name_connect ; [ allow_ypbind ]
   DT allow nsswitch_domain reserved_port_type : tcp_socket name_connect ; [ allow_ypbind ]
   DT allow nsswitch_domain ldap_port_t : tcp_socket { recv_msg send_msg name_connect } ; [ authlogin_nsswitch_use_ldap ]


(In reply to comment #2)
> # sesearch -A -s postgresql_t -t ldap_port_t -c tcp_socket -p name_connect -C
>
> Found 3 semantic av rules:
> DT allow postgresql_t reserved_port_type : tcp_socket name_connect ; [ allow_ypbind ]
> DT allow nsswitch_domain reserved_port_type : tcp_socket name_connect ; [ allow_ypbind ]
> DT allow nsswitch_domain ldap_port_t : tcp_socket { recv_msg send_msg name_connect } ; [ authlogin_nsswitch_use_ldap ]

ok, I read that as you suggest to enable either allow_ypbind or authlogin_nsswitch_use_ldap

then this is at least a docs bug, as "man ypbind_selinux" doesn't mention LDAP at all

trying to get some help for authlogin_nsswitch_use_ldap I fail completely:

[root@auto-x86-64-002 bz478839-LDAP-support]# for i in /usr/share/man/man8/*_selinux* ; do gzip -c -d $i | grep allow_ypbind && echo $i ; done
If you want to allow system to run with NI, you must turn on the allow_ypbind boolean.
.B setsebool -P allow_ypbind 1
/usr/share/man/man8/ypbind_selinux.8.gz
[root@auto-x86-64-002 bz478839-LDAP-support]# for i in /usr/share/man/man8/*_selinux* ; do gzip -c -d $i | grep authlogin_nsswitch_use_ldap && echo $i ; done
[root@auto-x86-64-002 bz478839-LDAP-support]#

also, I fail to see why "ldapsearch" is NOT denied while postgresql is?
(needinfo) Ok, we need to fix it in postgresql_selinux(8) to mention the "authlogin_nsswitch_use_ldap" boolean.


while at it, please also update the selinux man page with references to the other *_selinux manpages (e.g. postgresql_selinux not mentioned in man selinux - libselinux-utils-2.1.10-4.el7.x86_64) ... it'd be useful to highlight that you'll get specific help using 'man 8 <servicename>_selinux' rather than just listing all the available pages in the SEE ALSO section


(In reply to comment #5)
> while at it, please also update the selinux man page with references to
> the other *_selinux manpages (e.g. postgresql_selinux not mentioned in man
> selinux - libselinux-utils-2.1.10-4.el7.x86_64) ... it'd be useful to
> highlight that you'll get specific help using 'man 8 <servicename>_selinux'
> rather than just listing all the available pages in the SEE ALSO section

Good point.


libselinux-2.1.12-3.el7 fixes the selinux man page.


This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.
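The workflow the thread goes through by hand (read the AVC record, run sesearch with -C against the two types, pick a boolean from the conditional rules it lists) as an added example; this is not code from the bug report or from selinux-policy. The AVC record and the sesearch output are the ones quoted in the report, embedded so the script runs offline; the function names are this example's own, and it assumes the setools-3 output format seen above, where a "DT" prefix marks a rule that is currently disabled and sits in the true branch of its conditional (boolean must become 1) and "DF" the false branch (boolean must become 0).

```shell
#!/bin/sh
# Added example, not code from the bug report: take an AVC denial, build the
# sesearch query that lists every rule (including boolean-gated ones, -C)
# that would allow the denied access, and turn sesearch's conditional-rule
# lines into the matching setsebool commands.
#
# The AVC record and the sesearch output are copied from the report and
# embedded so the script runs offline; it never calls sesearch or setsebool
# itself. Function names are this example's own. Assumption: the setools-3
# format, where "DT" = rule disabled, true branch (set the boolean to 1) and
# "DF" = rule disabled, false branch (set the boolean to 0).

AVC_LINE='type=AVC msg=audit(1342091574.420:298029): avc: denied { name_connect } for pid=4463 comm="postgres" dest=389 scontext=system_u:system_r:postgresql_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket'

SESEARCH_OUT='Found 3 semantic av rules:
   DT allow postgresql_t reserved_port_type : tcp_socket name_connect ; [ allow_ypbind ]
   DT allow nsswitch_domain reserved_port_type : tcp_socket name_connect ; [ allow_ypbind ]
   DT allow nsswitch_domain ldap_port_t : tcp_socket { recv_msg send_msg name_connect } ; [ authlogin_nsswitch_use_ldap ]'

# avc_field LINE NAME: print the value of the NAME=value field of an AVC record.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# avc_perms LINE: print the denied permissions as a comma-separated list,
# the form sesearch -p expects ("{ read write }" becomes "read,write").
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied { \(.*\) } for .*/\1/p' | tr ' ' ','
}

# avc_to_sesearch LINE: print the sesearch command for this denial. The
# SELinux type is the third colon-separated field of a context.
avc_to_sesearch() {
    stype=$(avc_field "$1" scontext | cut -d: -f3)
    ttype=$(avc_field "$1" tcontext | cut -d: -f3)
    class=$(avc_field "$1" tclass)
    perms=$(avc_perms "$1")
    printf 'sesearch -A -s %s -t %s -c %s -p %s -C\n' "$stype" "$ttype" "$class" "$perms"
}

# candidate_booleans SESEARCH_OUTPUT: one "setsebool -P <bool> <0|1>" line per
# distinct boolean that gates a currently disabled matching rule. Unconditional
# rules and rules that are already enabled ("ET"/"EF") are ignored.
candidate_booleans() {
    printf '%s\n' "$1" \
        | sed -n \
            -e 's/^[[:space:]]*DT allow .*; \[ \(.*\) \]$/setsebool -P \1 1/p' \
            -e 's/^[[:space:]]*DF allow .*; \[ \(.*\) \]$/setsebool -P \1 0/p' \
        | sort -u
}

# Stand-alone run: print the query for the report's denial, then the booleans
# its (embedded) sesearch output points at.
avc_to_sesearch "$AVC_LINE"
candidate_booleans "$SESEARCH_OUT"
```

The script only tells you which booleans are in play; it deliberately does not flip them. Read the rules it came from before choosing: in the output above the two allow_ypbind rules target reserved_port_type, i.e. every reserved port, while the authlogin_nsswitch_use_ldap rule targets ldap_port_t only, so the latter is the narrower grant for the postgres-to-LDAP case (and is the one the fix adds to postgresql_selinux(8)). On a live system confirm with getsebool and a fresh sesearch against the installed policy rather than the embedded sample.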