Bug 1096891 - radiusd cannot write to tmp
Summary: radiusd cannot write to tmp
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.11
Hardware: All
OS: Linux
medium
medium
Target Milestone: rc
: ---
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On: 1017107
Blocks:
TreeView+ depends on / blocked
 
Reported: 2014-05-12 15:23 UTC by Patrik Kis
Modified: 2015-11-02 13:33 UTC (History)
4 users (show)

Fixed In Version: selinux-policy-2.4.6-351.el5
Doc Type: Bug Fix
Doc Text:
Due to missing rules in the SELinux policy, the radiusd daemon was unable to write to the /tmp/ directory. Consequently, when radiusd was integrated with the Kerberos network authentication system, an attempt to authenticate a user failed. This update applies a new SELinux policy module so that radiusd works correctly in the described scenario.
Clone Of: 1017107
Environment:
Last Closed: 2014-09-16 00:30:07 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2014:1205 0 normal SHIPPED_LIVE selinux-policy bug fix update 2014-09-16 04:16:46 UTC

Comment 1 RHEL Program Management 2014-05-12 15:49:05 UTC 
This request was evaluated by Red Hat Product Management for inclusion
in a Red Hat Enterprise Linux release.  Product Management has
requested further review of this request by Red Hat Engineering, for
potential inclusion in a Red Hat Enterprise Linux release for currently
deployed products.  This request is not yet committed for inclusion in
a release.
Comment 2 Miroslav Grepl 2014-05-13 07:46:02 UTC 
Could you re-test it with

$ cat mypol.te
policy_module(mypol,1.0)

require{
 type radiusd_t;
}

type radiusd_tmp_t;
files_tmp_file(radiusd_tmp_t)

allow radiusd_t radiusd_tmp_t:dir create_dir_perms;
allow radiusd_t radiusd_tmp_t:file create_file_perms;
files_tmp_filetrans(radiusd_t, radiuesd_tmp_t, { file dir })

optional_policy(`
    kerberos_keytab_template(radiusd, radiusd_t)
    kerberos_manage_host_rcache(radiusd_t)
')


# make -f /usr/share/selinux/devel/Makefile mypol.pp
# semodule -i mypol.pp
Comment 3 Patrik Kis 2014-05-13 09:04:00 UTC 
# cat mypol.te 
policy_module(mypol,1.0)

require{
 type radiusd_t;
}

type radiusd_tmp_t;
files_tmp_file(radiusd_tmp_t)

allow radiusd_t radiusd_tmp_t:dir create_dir_perms;
allow radiusd_t radiusd_tmp_t:file create_file_perms;
files_tmp_filetrans(radiusd_t, radiuesd_tmp_t, { file dir })

optional_policy(`
    kerberos_keytab_template(radiusd, radiusd_t)
    kerberos_manage_host_rcache(radiusd_t)
')
# make -f /usr/share/selinux/devel/Makefile mypol.pp
Compiling targeted mypol module
/usr/bin/checkmodule:  loading policy configuration from tmp/mypol.tmp
mypol.te:12:ERROR 'unknown type radiuesd_tmp_t' at token ';' on line 97976:
#line 12
	type_transition radiusd_t tmp_t:{ file dir } radiuesd_tmp_t;
/usr/bin/checkmodule:  error(s) encountered while parsing configuration
make: *** [tmp/mypol.mod] Error 1
Comment 4 Miroslav Grepl 2014-05-13 09:13:44 UTC 
There is a typo.

-files_tmp_filetrans(radiusd_t, radiuesd_tmp_t, { file dir })
+files_tmp_filetrans(radiusd_t, radiusd_tmp_t, { file dir })
Comment 5 Patrik Kis 2014-05-13 10:01:28 UTC 
The test is working with the custom policy and no new AVC denials appeared.
Comment 10 errata-xmlrpc 2014-09-16 00:30:07 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1205.html
Note You need to log in before you can comment on or make changes to this bug.