Bug 1396886 - [rhsc] Nagios + IDA integration fails with avc denied for ldap_port_t
Summary: [rhsc] Nagios + IDA integration fails with avc denied for ldap_port_t
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.3
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: rc
: ---
Assignee: Lukas Vrabec
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks: 1396889
TreeView+ depends on / blocked
 
Reported: 2016-11-21 05:31 UTC by Sweta Anandpara
Modified: 2016-11-22 11:13 UTC (History)
8 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1396889 (view as bug list)
Environment:
Last Closed: 2016-11-22 11:13:33 UTC
Target Upstream Version:

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Sweta Anandpara 2016-11-21 05:31:17 UTC 
Description of problem:
======================
Was following the steps mentioned in the admin guide to integrate nagios and ldap: https://access.redhat.com/documentation/en-US/Red_Hat_Storage/3.1/html-single/Administration_Guide/index.html#Integrating_LDAP_Authentication_with_Nagios

Tried logging in to Nagios web UI using the login credentials of AD users, but that failed with 500: Internal Server Error. Set the selinx policy to permissive and login to nagios web UI was successful. 

Seeing the below error in audit logs:
type=AVC msg=audit(1479359600.477:65770): avc:  denied  { name_connect } f      or  pid=3714 comm="httpd" dest=389 scontext=system_u:system_r:httpd_t:s0 t      context=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket



Version-Release number of selected component (if applicable):
==============================================================
RHGS 3.2 interim build (3.8.4-5)
selinux-policy-targeted-3.13.1-102.el7_3.4.noarch
selinux-policy-3.13.1-102.el7_3.4.noarch



How reproducible:
=================
2:2


Additional info:
================
[root@dhcp46-239 ~]# rpm -qa | grep gluster
nfs-ganesha-gluster-2.3.1-8.el7rhgs.x86_64
glusterfs-api-3.8.4-5.el7rhgs.x86_64
python-gluster-3.8.4-5.el7rhgs.noarch
glusterfs-client-xlators-3.8.4-5.el7rhgs.x86_64
glusterfs-server-3.8.4-5.el7rhgs.x86_64
glusterfs-ganesha-3.8.4-5.el7rhgs.x86_64
gluster-nagios-common-0.2.4-1.el7rhgs.noarch
glusterfs-devel-3.8.4-5.el7rhgs.x86_64
gluster-nagios-addons-0.2.8-1.el7rhgs.x86_64
glusterfs-libs-3.8.4-5.el7rhgs.x86_64
glusterfs-fuse-3.8.4-5.el7rhgs.x86_64
glusterfs-api-devel-3.8.4-5.el7rhgs.x86_64
glusterfs-rdma-3.8.4-5.el7rhgs.x86_64
glusterfs-3.8.4-5.el7rhgs.x86_64
glusterfs-cli-3.8.4-5.el7rhgs.x86_64
glusterfs-geo-replication-3.8.4-5.el7rhgs.x86_64
glusterfs-debuginfo-3.8.4-4.el7rhgs.x86_64
glusterfs-events-3.8.4-5.el7rhgs.x86_64
[root@dhcp46-239 ~]# 
[root@dhcp46-239 ~]# 
[root@dhcp46-239 ~]# gluster peer status
Number of Peers: 3

Hostname: 10.70.46.240
Uuid: 72c4f894-61f7-433e-a546-4ad2d7f0a176
State: Peer in Cluster (Connected)

Hostname: 10.70.46.242
Uuid: 1e8967ae-51b2-4c27-907e-a22a83107fd0
State: Peer in Cluster (Connected)

Hostname: 10.70.46.218
Uuid: 0dea52e0-8c32-4616-8ef8-16db16120eaa
State: Peer in Cluster (Connected)
[root@dhcp46-239 ~]# 
[root@dhcp46-239 ~]# 
[root@dhcp46-239 ~]#
Comment 1 Milos Malik 2016-11-21 10:42:12 UTC 
Does your scenario work after enabling the httpd_can_connect_ldap boolean?
Comment 3 Sweta Anandpara 2016-11-21 12:37:53 UTC 
Yes, after enabling httpd_can_connect_ldap, login to webUI does work using the creds of AD users.
Comment 4 Lukas Vrabec 2016-11-22 11:13:33 UTC 
Thank you for info. 

Closing this issue as NOTABUG, due to fix using boolean.
Note You need to log in before you can comment on or make changes to this bug.