Bug 836952

Summary: selinux denies access to ldap port
Product: Red Hat Enterprise Linux 7
Reporter: Karel Volný <kvolny>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED CURRENTRELEASE
QA Contact: Milos Malik <mmalik>
Severity: high
Priority: high
Version: 7.0
CC: dwalsh, jsynacek, mmalik
Target Milestone: rc
Keywords: Reopened
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2014-06-13 12:30:12 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Karel Volný 2012-07-02 10:02:21 UTC
Filed from caserun https://tcms.engineering.redhat.com/run/41363/#caserun_1236707

Version-Release number of selected component (if applicable):
RHEL-7.0-20120614.n.1

Steps to Reproduce:

/CoreOS/postgresql/Sanity/bz478839-LDAP-support

Actual results:
see https://beaker.engineering.redhat.com/jobs/255338
=> http://beaker-archive.app.eng.bos.redhat.com/beaker-logs/2012/06/2553/255338/543948/6644510/TESTOUT.log

:: [   FAIL   ] :: Trying to connect with correct user & password (Expected 0, got 2)
psql: FATAL:  LDAP authentication failed for user "user1"
:: [   FAIL   ] :: File 'psql1.out' should contain 'Copyright'

Expected results:
PASS


Trying to authenticate user with LDAP fails on RHEL7, despite the fact that ldapsearch accepts the same username & password pair without any problem.

Note that the test passes the password to postgresql by setting the variable PGPASSWORD but this is not a source of the problem - I've tried to run the test manually forcing asking for the password and it fails in the same way.

The test works on RHEL6, see
https://beaker.engineering.redhat.com/jobs/255541

Note also that Aleš Zelinka reports similar behaviour for Samba - using tools provided by LDAP everything seems to work while samba fails.

Comment 1 Karel Volný 2012-07-12 11:14:55 UTC
I've found that the failure is caused by selinux denying access to ldap port:

type=AVC msg=audit(1342091574.420:298029): avc:  denied  { name_connect } for  pid=4463 comm="postgres" dest=389 scontext=system_u:system_r:postgresql_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket


selinux-policy-3.10.0-137.el7.noarch

Comment 2 Miroslav Grepl 2012-07-17 06:22:35 UTC
# sesearch -A -s postgresql_t -t ldap_port_t -c tcp_socket -p name_connect -C

Found 3 semantic av rules:
DT allow postgresql_t reserved_port_type : tcp_socket name_connect ; [ allow_ypbind ]
DT allow nsswitch_domain reserved_port_type : tcp_socket name_connect ; [ allow_ypbind ]
DT allow nsswitch_domain ldap_port_t : tcp_socket { recv_msg send_msg name_connect } ; [ authlogin_nsswitch_use_ldap ]

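An added example, not code from the bug or from selinux-policy: it turns the AVC denial in comment 1 into the sesearch query shown in comment 2, then parses that output to find which currently-disabled booleans would grant the access and prefers the one whose rule names ldap_port_t itself rather than the whole reserved_port_type attribute. The meaning of the DT prefix (boolean Disabled, rule in the True branch) is assumed from setools3's sesearch -C output convention.

```python
import re

# Constructed sample input, embedded so the script runs offline: the AVC denial
# from comment 1 and the "sesearch -C" output from comment 2 of this bug.
AVC_LINE = ('type=AVC msg=audit(1342091574.420:298029): avc:  denied  { name_connect } '
            'for  pid=4463 comm="postgres" dest=389 scontext=system_u:system_r:postgresql_t:s0 '
            'tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket')
SESEARCH_OUTPUT = """Found 3 semantic av rules:
DT allow postgresql_t reserved_port_type : tcp_socket name_connect ; [ allow_ypbind ]
DT allow nsswitch_domain reserved_port_type : tcp_socket name_connect ; [ allow_ypbind ]
DT allow nsswitch_domain ldap_port_t : tcp_socket { recv_msg send_msg name_connect } ; [ authlogin_nsswitch_use_ldap ]
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\}.*?scontext=\w+:\w+:(?P<stype>\w+):\S+ '
                    r'tcontext=\w+:\w+:(?P<ttype>\w+):\S+ tclass=(?P<tclass>\w+)')
# Assumed setools3 "sesearch -C" prefix: D/E = boolean currently disabled/enabled,
# T/F = rule sits in the true/false branch of the conditional block.
RULE_RE = re.compile(r'^(?P<state>[DE])(?P<branch>[TF]) allow (?P<stype>\w+) (?P<ttype>\w+) : (?P<tclass>\w+) '
                     r'(?:\{ (?P<perms>[^}]+)\}|(?P<perm>\w+)) ; \[ (?P<cond>[^\]]+) \]')

def parse_avc(line):
    """Source type, target type, object class and denied permissions of one AVC line."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError('not an AVC denial: ' + line)
    return {'stype': m['stype'], 'ttype': m['ttype'], 'tclass': m['tclass'], 'perms': m['perms'].split()}

def sesearch_query(avc):
    """The sesearch command that lists every rule, conditional ones included, for the denial."""
    return 'sesearch -A -s %s -t %s -c %s -p %s -C' % (
        avc['stype'], avc['ttype'], avc['tclass'], avc['perms'][0])

def candidate_booleans(sesearch_text, avc):
    """Map each currently-disabled boolean that would grant the denied permissions
    to the target its rule names (a concrete type or an attribute)."""
    found = {}
    for line in sesearch_text.splitlines():
        m = RULE_RE.match(line)
        if not m or m['state'] != 'D' or m['branch'] != 'T':
            continue
        perms = (m['perms'] or m['perm']).split()
        if m['tclass'] == avc['tclass'] and all(p in perms for p in avc['perms']):
            found[m['cond']] = m['ttype']
    return found

def narrowest_boolean(candidates, avc):
    """Prefer the boolean whose rule names the exact target type from the AVC over one
    that opens a whole attribute such as reserved_port_type (least privilege)."""
    exact = sorted(b for b, t in candidates.items() if t == avc['ttype'])
    return (exact or sorted(candidates) or [None])[0]
```

Run `narrowest_boolean(candidate_booleans(SESEARCH_OUTPUT, parse_avc(AVC_LINE)), parse_avc(AVC_LINE))` to get the boolean to pass to `setsebool -P`; on a live system, replace the embedded strings with the real audit line and the real sesearch output.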
Comment 3 Karel Volný 2012-07-19 12:04:22 UTC
(In reply to comment #2)
> # sesearch -A -s postgresql_t -t ldap_port_t -c tcp_socket -p name_connect -C
> 
> Found 3 semantic av rules:
> DT allow postgresql_t reserved_port_type : tcp_socket name_connect ; [
> allow_ypbind ]
> DT allow nsswitch_domain reserved_port_type : tcp_socket name_connect ; [
> allow_ypbind ]
> DT allow nsswitch_domain ldap_port_t : tcp_socket { recv_msg send_msg
> name_connect } ; [ authlogin_nsswitch_use_ldap ]

ok, I read that as you suggesting to enable either allow_ypbind or authlogin_nsswitch_use_ldap

then this is at least a docs bug, as "man ypbind_selinux" doesn't mention LDAP at all

trying to get some help for authlogin_nsswitch_use_ldap I fail completely:

[root@auto-x86-64-002 bz478839-LDAP-support]# for i in /usr/share/man/man8/*_selinux* ; do gzip -c -d $i | grep allow_ypbind && echo $i ; done
If you want to allow system to run with NI, you must turn on the allow_ypbind boolean.
.B setsebool -P allow_ypbind 1
/usr/share/man/man8/ypbind_selinux.8.gz
[root@auto-x86-64-002 bz478839-LDAP-support]# for i in /usr/share/man/man8/*_selinux* ; do gzip -c -d $i | grep authlogin_nsswitch_use_ldap && echo $i ; done
[root@auto-x86-64-002 bz478839-LDAP-support]#


also, I fail to see why "ldapsearch" is NOT denied while postgresql is? (needinfo)

Comment 4 Miroslav Grepl 2012-07-19 21:37:03 UTC
Ok, we need to fix it in

postgresql_selinux(8)

to mention the "authlogin_nsswitch_use_ldap" boolean.

Comment 5 Karel Volný 2012-07-20 10:23:31 UTC
while at it, please also update the selinux man page with references to the other *_selinux man pages (e.g. postgresql_selinux is not mentioned in man selinux - libselinux-utils-2.1.10-4.el7.x86_64) ... it'd be useful to highlight that you'll get specific help using 'man 8 <servicename>_selinux' rather than just listing all the available pages in the SEE ALSO section

Comment 6 Miroslav Grepl 2012-07-23 04:50:30 UTC
(In reply to comment #5)
> while at it, please update also the selinux man page with references to
> other *_selinux manpages (e.g. postgresql_selinux not mentioned in man
> selinux - libselinux-utils-2.1.10-4.el7.x86_64) ... it'd be useful to
> highlight that you'll get specific help using 'man 8 <servicename>_selinux'
> than just listing all the available pages in SEE ALSO section

Good point.

Comment 7 Daniel Walsh 2012-10-12 19:38:36 UTC
libselinux-2.1.12-3.el7 fixes the selinux man page.

Comment 10 Ludek Smid 2014-06-13 12:30:12 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.