Bug 248467 - radiusd not working with selinux
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.0
Hardware: All, OS: Linux
Priority: low, Severity: low
Target Milestone: rc
Assigned To: Daniel Walsh

Reported: 2007-07-16 17:18 EDT by John Schubert
Modified: 2008-05-21 12:05 EDT (History)
Fixed In Version: RHBA-2008-0465
Doc Type: Bug Fix
Last Closed: 2008-05-21 12:05:18 EDT

Attachments:
audit log (151.23 KB, application/octet-stream)
2007-07-16 17:18 EDT, John Schubert

Description John Schubert 2007-07-16 17:18:38 EDT
Description of problem:
radiusd under selinux with mysql extension refuses to authenticate properly. It
generates lots of errors in /var/log/audit/audit.log file. Works fine if I run
radiusd -x from console. I am using an external mysql server and pam auth.

Version-Release number of selected component (if applicable):
free radius version: 1.1.3-1.2.el5 the rest of the system is current as of 7/16/07 


How reproducible:
Not tried.

Steps to Reproduce:
1. clean install of base RHEL 5 i386 with selinux enabled.
2. install latest rpms of freeradius and freeradius-mysql
3. Configure to use mysql tables.
  
Actual results:
Mon Jul 16 16:48:30 2007 : Info: Using deprecated naslist file.  Support for
this will go away soon.
Mon Jul 16 16:48:30 2007 : Info: rlm_exec: Wait=yes but no output defined. Did
you mean output=none?
Mon Jul 16 16:48:30 2007 : Info: rlm_sql (sql): Driver rlm_sql_mysql (module
rlm_sql_mysql) loaded and linked
Mon Jul 16 16:48:30 2007 : Info: rlm_sql (sql): Attempting to connect to
radiusd@sparrow.moc.psu.edu:/radius
Mon Jul 16 16:48:30 2007 : Info: rlm_sql_mysql: Starting connect to MySQL server
for #0
Mon Jul 16 16:48:30 2007 : Error: rlm_sql_mysql: Couldn't connect socket to
MySQL server radiusd@sparrow.moc.psu.edu:radius
Mon Jul 16 16:48:30 2007 : Error: rlm_sql_mysql: Mysql error 'Can't connect to
MySQL server on 'sparrow.moc.psu.edu' (13)'
Mon Jul 16 16:48:30 2007 : Error: rlm_sql (sql): Failed to connect DB handle #0
Mon Jul 16 16:48:30 2007 : Info: Ready to process requests.


Expected results:
Mon Jul 16 16:57:03 2007 : Info: Using deprecated naslist file.  Support for
this will go away soon.
Mon Jul 16 16:57:03 2007 : Info: rlm_exec: Wait=yes but no output defined. Did
you mean output=none?
Mon Jul 16 16:57:03 2007 : Info: rlm_sql (sql): Driver rlm_sql_mysql (module
rlm_sql_mysql) loaded and linked
Mon Jul 16 16:57:03 2007 : Info: rlm_sql (sql): Attempting to connect to
radiusd@sparrow.moc.psu.edu:/radius
Mon Jul 16 16:57:03 2007 : Info: rlm_sql_mysql: Starting connect to MySQL server
for #0
Mon Jul 16 16:57:03 2007 : Info: rlm_sql_mysql: Starting connect to MySQL server
for #1
Mon Jul 16 16:57:03 2007 : Info: rlm_sql_mysql: Starting connect to MySQL server
for #2
Mon Jul 16 16:57:03 2007 : Info: rlm_sql_mysql: Starting connect to MySQL server
for #3
Mon Jul 16 16:57:03 2007 : Info: rlm_sql_mysql: Starting connect to MySQL server
for #4
Mon Jul 16 16:57:03 2007 : Info: Ready to process requests.



Additional info:

I am attaching the audit.log that I used to generate a module to load that
*seems* to work. Have not done a lot of testing yet.
Comment 1 John Schubert 2007-07-16 17:18:38 EDT
Created attachment 159376 [details]
audit log
Comment 2 Red Hat Bugzilla 2007-09-17 01:20:19 EDT
transferred from Thomas Woerner to John Dennis, requested by Steve Grubb.
Comment 3 Daniel Walsh 2008-04-21 15:08:47 EDT
Added allow rules for all access except execing netstat.  This is a bug in the
nss libraries

Fixed in selinux-policy-2.4.6-135.el5
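
The `(13)` in the MySQL error in the description is errno 13 (EACCES), which is how a `connect()` blocked by SELinux appears to the daemon. As an added example (not from the bug report, its attachment, or the policy package), the script below groups AVC denials for one domain into candidate allow rules so that each can be reviewed before loading, as with the netstat exec left out in comment 3; the log lines are constructed and the types `radiusd_t`, `mysqld_port_t` and `bin_t` are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample records, not taken from the bug's attachment.
# The types radiusd_t, mysqld_port_t and bin_t are assumptions.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1184618910.123:101): avc:  denied  { name_connect } for  pid=2301 comm="radiusd" dest=3306 scontext=system_u:system_r:radiusd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1184618910.123:101): arch=40000003 syscall=102 success=no exit=-13 comm="radiusd" exe="/usr/sbin/radiusd"
type=AVC msg=audit(1184618911.456:102): avc:  denied  { name_connect } for  pid=2301 comm="radiusd" dest=3306 scontext=system_u:system_r:radiusd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1184618912.789:103): avc:  denied  { getattr } for  pid=2301 comm="radiusd" name="netstat" scontext=system_u:system_r:radiusd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1184618912.790:104): avc:  denied  { execute } for  pid=2301 comm="radiusd" name="netstat" scontext=system_u:system_r:radiusd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1184618913.001:105): avc:  denied  { getattr } for  pid=1999 comm="httpd" name="x" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    return context.split(":")[2]

def summarize_denials(log_text, source_type="radiusd_t"):
    """Map (target type, object class) -> set of denied permissions."""
    denied = defaultdict(set)
    for line in log_text.splitlines():
        if not line.startswith("type=AVC"):
            continue  # SYSCALL and other record types carry no permission set
        m = AVC_RE.search(line)
        if not m or selinux_type(m.group("scon")) != source_type:
            continue  # unparsable record or a denial for another domain
        key = (selinux_type(m.group("tcon")), m.group("tclass"))
        denied[key].update(m.group("perms").split())
    return dict(denied)

def candidate_rules(denied, source_type="radiusd_t"):
    """Render one allow rule per target for review; nothing is loaded."""
    rules = []
    for (ttype, tclass), perms in sorted(denied.items()):
        text = " ".join(sorted(perms))
        if len(perms) > 1:
            text = "{ " + text + " }"
        rules.append(f"allow {source_type} {ttype}:{tclass} {text};")
    return rules

if __name__ == "__main__":
    print("\n".join(candidate_rules(summarize_denials(SAMPLE_AUDIT_LOG))))
```

Repeated denials collapse into one rule per target, which makes it easy to accept the database connection while declining the rule for executing a binary.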
Comment 4 RHEL Product and Program Management 2008-04-21 15:19:17 EDT
This request was evaluated by Red Hat Product Management for
inclusion, but this component is not scheduled to be updated in
the current Red Hat Enterprise Linux release. If you would like
this request to be reviewed for the next minor release, ask your
support representative to set the next rhel-x.y flag to "?".
Comment 9 Daniel Walsh 2008-04-28 14:03:08 EDT
Fixed in selinux-policy-2.4.6-136.el5
Comment 12 Eduard Benes 2008-04-29 09:57:38 EDT
This bug should be fixed in U2 preview policy that is available here:
  
  http://people.redhat.com/dwalsh/SELinux/RHEL5/noarch/
Comment 14 errata-xmlrpc 2008-05-21 12:05:18 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2008-0465.html
