Bug 1113138
| Summary: | Not all of radiusd ports are in selinux policy | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | David Spurek <dspurek> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 7.0 | CC: | ebenes, mgrepl, mmalik, nikolai.kondrashov, oss |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | selinux-policy-3.13.1-21.el7 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2015-03-05 10:40:10 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
David Spurek
2014-06-25 13:40:16 UTC
radiusd -X shows its usage for these ports:
Listening on auth address * port 1812 as server default
Listening on acct address * port 1813 as server default
Listening on auth address 127.0.0.1 port 18120 as server inner-tunnel
Opening new proxy address * port 1814
Listening on proxy address * port 1814
I see that port 18121 is used for status-server (described in the /etc/raddb/sites-available/status file). Only Status-Server packets are processed on that port. selinux-policy should allow binding radiusd to tcp ports 1812 and 1813.
cat /etc/services | grep radius
...
radius 1812/tcp # Radius
radius 1812/udp # Radius
radius-acct 1813/tcp radacct # Radius Accounting
radius-acct 1813/udp radacct # Radius Accounting
I can add 'proto = tcp' to the listen section in /etc/raddb/sites-enabled/default.
The radiusd service then fails to start because selinux doesn't allow name_bind to the tcp port.
type=SYSCALL msg=audit(1404138922.748:304): arch=c000003e syscall=49 success=no exit=-13 a0=4 a1=7fffebd03520 a2=10 a3=7f2c0a0052e0 items=0 ppid=5964 pid=5967 auid=4294967295 uid=0 gid=95 euid=0 suid=0 fsuid=0 egid=95 sgid=95 fsgid=95 tty=(none) ses=4294967295 comm="radiusd" exe="/usr/sbin/radiusd" subj=system_u:system_r:radiusd_t:s0 key=(null)
type=AVC msg=audit(1404138922.748:304): avc: denied { name_bind } for pid=5967 comm="radiusd" src=1812 scontext=system_u:system_r:radiusd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
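As an added example (not part of this bug report), a small triage script that parses the name_bind AVC records quoted in the report and derives the local `semanage port` labelling that can carry a host until the fixed selinux-policy package is installed. The port-to-type mapping is an assumption: radsec_port_t for 2083 appears in the seinfo output later in the report, while radius_port_t for the auth/acct/inner-tunnel/status ports is assumed, and whether radiusd_t may bind the new type still has to be confirmed with sesearch as the report itself does.

```python
"""Triage radiusd name_bind AVC denials and derive the local port-label workaround.
Added example, not from the bug report. Input is the two AVC records quoted in the
report; the port -> type map is an assumption (radsec_port_t for 2083 is shown by
seinfo in the report, radius_port_t for the RADIUS auth/acct/inner ports is assumed)."""
import re

# The two AVC records from the report: raw audit.log form, then ausearch -i
# interpreted form (human-readable timestamp, unquoted comm=).
SAMPLE_AVCS = [
    'type=AVC msg=audit(1404138922.748:304): avc: denied { name_bind } for pid=5967 '
    'comm="radiusd" src=1812 scontext=system_u:system_r:radiusd_t:s0 '
    'tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket',
    'type=AVC msg=audit(12/12/2014 09:38:40.941:6592) : avc: denied { name_bind } '
    'for pid=35091 comm=radiusd src=18120 scontext=system_u:system_r:radiusd_t:s0 '
    'tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket',
]

PORT_TYPES = {1812: "radius_port_t", 1813: "radius_port_t", 18120: "radius_port_t",
              18121: "radius_port_t", 2083: "radsec_port_t"}  # assumed, see docstring

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perm>\w+)\s*\}.*?comm="?(?P<comm>[^"\s]+)"?'
    r'.*?src=(?P<port>\d+).*?scontext=\S*?:(?P<sdom>\w+):s\d+'
    r'.*?tcontext=\S*?:(?P<ttype>\w+):s\d+\s+tclass=(?P<proto>tcp|udp)_socket')

def parse_avc(line):
    """Return the fields of a name_bind denial, or None for any other record."""
    m = AVC_RE.search(line)
    if not m or m.group("perm") != "name_bind":
        return None
    d = m.groupdict()
    d["port"] = int(d["port"])
    return d

def workaround(denial):
    """semanage command that labels the port locally until the fixed policy ships.
    None when the port already has a specific label (relabelling a port another
    service owns is a policy decision, not a one-liner) or when no mapping is known.
    Whether the domain may bind the new type must still be checked with sesearch."""
    if denial["ttype"] != "unreserved_port_t":
        return None
    ptype = PORT_TYPES.get(denial["port"])
    if ptype is None:
        return None
    return "semanage port -a -t %s -p %s %d" % (ptype, denial["proto"], denial["port"])

def triage(lines):
    """(domain, port, proto, workaround-or-None) for each name_bind denial in lines."""
    parsed = (parse_avc(line) for line in lines)
    return [(d["sdom"], d["port"], d["proto"], workaround(d)) for d in parsed if d]
```

Feed it the output of `ausearch -m AVC -c radiusd` on the affected host; the local labels it suggests are removable with `semanage port -d` once the errata package is in place.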
You should also include port 2083 on TCP. TLS support in FreeRADIUS (used with RADSEC) uses TCP:2083. :-)
commit 2ce1bd7a87b91c53e47098f426a8d7ff04ff975a
Author: Miroslav Grepl <mgrepl>
Date: Thu Sep 18 17:08:29 2014 +0200
Add support also for tcp radius ports.
So we need to add types also for tcp/2083 and tcp/18120, right?
tcp/2083 yes, tcp/18120 no (you don't have a udp/18120 in this policy, do you?)
AFAIK, port 18120 is open on UDP to localhost only.
I see
type=AVC msg=audit(12/12/2014 09:38:40.941:6592) : avc: denied { name_bind } for pid=35091 comm=radiusd src=18120 scontext=system_u:system_r:radiusd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
Ahh, in that case... yes.
commit 40eef7dcea8bbbfde3d1334348d2852dcb7cad1b
Author: Miroslav Grepl <mgrepl>
Date: Fri Jan 9 12:41:20 2015 +0100
Update radius port definition to have also tcp/18121.
commit bab3360972b40d2e4053856dffdba3e59ed73e07
Author: Miroslav Grepl <mgrepl>
Date: Fri Jan 9 12:32:29 2015 +0100
Add 18120/tcp as radius port.
# seinfo --portcon=2083
portcon tcp 2083 system_u:object_r:radsec_port_t:s0
portcon tcp 1024-32767 system_u:object_r:unreserved_port_t:s0
portcon udp 1024-32767 system_u:object_r:unreserved_port_t:s0
# sesearch -s radiusd_t -t radsec_port_t -A -C
Found 4 semantic av rules:
allow radiusd_t port_type : tcp_socket { recv_msg send_msg } ;
allow radiusd_t port_type : udp_socket { recv_msg send_msg } ;
ET allow nsswitch_domain port_type : tcp_socket { recv_msg send_msg } ; [ nis_enabled ]
ET allow nsswitch_domain port_type : udp_socket { recv_msg send_msg } ; [ nis_enabled ]
#
The policy defines radsec_port_t, but does not allow name_bind or name_connect to it. That's interesting.
commit f98413d1a54c821d97b319a69378a2df37bab510
Author: Miroslav Grepl <mgrepl>
Date: Tue Jan 20 19:49:44 2015 +0100
Allow radius to bind radsec ports.
commit 4bda4dd357a4eaa2770fd09edad69fc5f872eb11
Author: Miroslav Grepl <mgrepl>
Date: Wed Jan 28 08:21:31 2015 +0100
Allow radiusd to connect to radsec ports.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2015-0458.html