Bug 846084
Field | Value
---|---
Summary | Call setsebool -P authlogin_nsswitch_use_ldap 1 when enabling LDAP
Product | Fedora
Component | authconfig
Version | rawhide
Status | CLOSED RAWHIDE
Type | Bug
Doc Type | Enhancement
Keywords | FutureFeature
Severity | unspecified
Priority | unspecified
Hardware | Unspecified
OS | Unspecified
Reporter | John Ellson <john.ellson>
Assignee | Tomas Mraz <tmraz>
QA Contact | Fedora Extras Quality Assurance <extras-qa>
CC | dwalsh, mattias.ellert, mgrepl, nhosoi, nkinder, plautrba, rmeggins, tmraz
Fixed In Version | authconfig-6.2.4-1.fc19
Last Closed | 2012-09-25 20:11:53 UTC
Description
John Ellson
2012-08-06 19:02:45 UTC
#============= sshd_t ==============
#!!!! This avc can be allowed using one of the these booleans:
#     authlogin_nsswitch_use_ldap, allow_ypbind
So you can allow it using
# setsebool -P authlogin_nsswitch_use_ldap 1
You can also read the sshd_man page for more details.

Miroslav, I think you missed the point. I fully understand that you would use some setsebool... to make it work in enforcing mode. The bug is that it doesn't work in *permissive* mode.

Is there any relevant information in the /var/log/secure log? Did you boot straight into permissive mode, or into enforcing and change the mode after you hadn't been able to log in? The AVC you sent is probably not related to the login problem.

I think I had been in permissive mode for some time ... but I get a different result today.

I set selinux back to permissive mode. Rebooted -- waited for relabeling to complete. Restarted the directory server. Opened "tail -f"s on /var/log/messages and on /var/log/secure.

This time the "ssh test@dir-p" login succeeded! I still get the same AVC:

Aug 7 07:12:55 dir-p setroubleshoot: SELinux is preventing /usr/sbin/sshd from name_connect access on the tcp_socket . For complete SELinux messages. run sealert -l 053ccc66-9432-4e19-b156-7a18dee20f16

But this time it was correctly ineffective in permissive mode.

Looking into /var/log/secure for the entries corresponding to the above report:

Aug 6 09:45:46 dir-p sshd[1921]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=lweb1-vhost4.aldc.att.com user=test
Aug 6 09:45:46 dir-p sshd[1921]: pam_ldap: error trying to bind as user "uid=test,ou=People,dc=aldc,dc=att,dc=com" (Invalid credentials)
Aug 6 09:45:48 dir-p sshd[1921]: Failed password for test from 130.8.46.114 port 53290 ssh2

I wonder if I was just entering the wrong passwd? I was tired by that point.

So, no bug, I guess, unless this report can be passed over to 389-ds for them to set up selinux correctly during installation?

My guess would be that you had originally booted in the enforcing mode and something went wrong during initialization of the directory server.

I don't understand - what component is supposed to do setsebool -P authlogin_nsswitch_use_ldap 1? What does this allow? Does it allow nss_ldap to make an ldap connection to an LDAP server? If so, then this is not specific to 389 - what if you use the openldap server or some other ldap server?

This is not directly 389 DS related, and I don't think that 389 DS should be making changes to the authlogin_nsswitch_use_ldap boolean. This boolean is generic with regards to allowing nsswitch to connect to any port labelled as ldap_port_t on the system (be it 389 DS, OpenLDAP, or anything else listening on ports 389 or 636). For 389 DS to run and handle client operations, it does not require any specific setting for authlogin_nsswitch_use_ldap. That setting is used to confine nsswitch, not the ns-slapd process.

I think this can be done in authconfig now that we do the same for nis support.
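The diagnostic question the thread turns on is whether the sshd AVC actually blocked anything, or whether the directory simply rejected the bind. The script below is an added example, not code from the bug report, from authconfig or from 389 DS. It parses a raw audit AVC record (the sample is constructed to correspond to the setroubleshoot summary quoted above; its pid, timestamp and `permissive=1` flag are assumptions) together with the /var/log/secure lines quoted in the report, and returns one of three verdicts: the denial was enforced, the bind was rejected with bad credentials, or the AVC is permissive-mode noise that did not affect the login. The boolean it suggests for the enforced case is the one setroubleshoot named in the report; it knows no other mappings.

```python
"""Triage an sshd login failure against an LDAP-backed nsswitch/PAM setup."""
import re
from typing import Dict, List, Optional

# Constructed sample: a raw audit.log AVC record assumed to correspond to the
# setroubleshoot summary in the bug report (sshd_t -> ldap_port_t,
# name_connect). The pid, timestamp and permissive=1 flag are assumptions.
SAMPLE_AVC = (
    "type=AVC msg=audit(1344330775.412:91): avc:  denied  { name_connect } "
    'for  pid=1921 comm="sshd" dest=389 '
    "scontext=system_u:system_r:sshd_t:s0 "
    "tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket permissive=1"
)

# The /var/log/secure lines quoted in the report, used as sample input.
SAMPLE_SECURE = """\
Aug 6 09:45:46 dir-p sshd[1921]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=lweb1-vhost4.aldc.att.com user=test
Aug 6 09:45:46 dir-p sshd[1921]: pam_ldap: error trying to bind as user "uid=test,ou=People,dc=aldc,dc=att,dc=com" (Invalid credentials)
Aug 6 09:45:48 dir-p sshd[1921]: Failed password for test from 130.8.46.114 port 53290 ssh2
"""

AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
BIND_FAIL_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: pam_ldap: error trying to bind as user "
    r'"(?P<dn>[^"]+)" \(Invalid credentials\)'
)


def _type_of(context: str) -> str:
    """user:role:type:level -> type (the part policy rules are written against)."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else context


def parse_avc(line: str) -> Dict[str, object]:
    """Pull the fields a policy decision needs out of one AVC record."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError("not an AVC record")
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "pid": fields.get("pid"),
        "comm": fields.get("comm"),
        "source_type": _type_of(fields.get("scontext", "")),
        "target_type": _type_of(fields.get("tcontext", "")),
        "tclass": fields.get("tclass"),
        # permissive=1: the kernel logged the denial but let the access through.
        # Kernels that predate the field leave it out; report that as None.
        "permissive": {"1": True, "0": False}.get(fields.get("permissive", "")),
    }


def suggest_boolean(avc: Dict[str, object]) -> Optional[str]:
    """Map the one AVC shape discussed in the report to the boolean
    setroubleshoot named for it. Any other shape is out of scope here."""
    if (avc["source_type"] == "sshd_t" and avc["target_type"] == "ldap_port_t"
            and "name_connect" in avc["perms"]):
        return "authlogin_nsswitch_use_ldap"
    return None


def ldap_bind_failures(secure_log: str) -> List[Dict[str, str]]:
    """Bind failures pam_ldap reported, with the sshd pid that saw each one."""
    return [m.groupdict() for m in BIND_FAIL_RE.finditer(secure_log)]


def triage(avc_line: str, secure_log: str) -> str:
    """Decide what actually failed the login.

    selinux          - the AVC was enforced; fix policy first (see suggest_boolean)
    credentials      - the directory rejected the bind; policy is not the cause
    permissive-noise - AVC logged in permissive mode and no bind failure seen
    """
    avc = parse_avc(avc_line)
    if avc["result"] == "denied" and avc["permissive"] is False:
        return "selinux"
    failures = ldap_bind_failures(secure_log)
    if any(f["pid"] == avc["pid"] for f in failures):
        return "credentials"
    if avc["permissive"] is True:
        return "permissive-noise"
    return "unknown"


if __name__ == "__main__":
    verdict = triage(SAMPLE_AVC, SAMPLE_SECURE)
    print("verdict:", verdict)
    if verdict == "selinux":
        print("try: setsebool -P", suggest_boolean(parse_avc(SAMPLE_AVC)), "1")
```

Run against the sample data the verdict is `credentials`: the AVC carries `permissive=1`, so the kernel never blocked the connect, and the same sshd pid logged an "Invalid credentials" bind failure, which matches the reporter's own conclusion that a wrong password was the cause. Flip the sample to `permissive=0` and the script reports `selinux` and names the boolean, which is the case authconfig was changed to handle.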