Bug 627718 - Selinux AVC problem with using ntlm_auth
Summary: Selinux AVC problem with using ntlm_auth
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 13
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2010-08-26 18:27 UTC by Michal Bruncko
Modified: 2010-09-11 09:07 UTC (History)
3 users

Fixed In Version: selinux-policy-3.7.19-54.fc13
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-09-11 09:07:55 UTC
Type: ---
Embargoed:



Description Michal Bruncko 2010-08-26 18:27:42 UTC
Description of problem:
I cannot use freeradius with the default SELinux targeted policies with ntlm_auth authentication for EAP-TTLS, which needs mschapv2 authentication.
From /var/log/audit/audit.log:
type=AVC msg=audit(1282729991.563:368): avc:  denied  { execute } for  pid=12743 comm="radiusd" name="ntlm_auth" dev=dm-6 ino=29739 scontext=unconfined_u:system_r:radiusd_t:s0 tcontext=system_u:object_r:winbind_helper_exec_t:s0 tclass=file

Version-Release number of selected component (if applicable):
freeradius-2.1.9-1.fc13.x86_64
selinux-policy-targeted-3.7.19-49.fc13.noarch

How reproducible:
always

Steps to Reproduce:
1. in file /etc/raddb/modules/mschap enable ntlm_auth, i.e. ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
2. use EAP-TTLS auth or any other that uses mschap authentication
3. run radiusd with default privileges (effective user is radiusd)
  
Actual results:
authentication not working

Expected results:
working authentication without AVC

Additional info:
Using my local SELinux policy solved my problem, but in the case of using ntlm_auth, an SELinux boolean should be created for enabling execution of ntlm_auth by the radiusd process.

Comment 1 John Dennis 2010-08-26 18:56:32 UTC
Dan: It is permissible for radiusd to exec /usr/bin/ntlm_auth, it should be allowed.

Comment 2 Daniel Walsh 2010-08-26 19:15:32 UTC
Miroslav add

	samba_domtrans_winbind_helper(radiusd_t)

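Added example, not part of the bug report or of the selinux-policy project: a small POSIX shell script that parses the AVC line quoted in the description into its source type, target type, object class and permissions, then prints the two kinds of local module an administrator could build from it. The first is the raw allow rule that `audit2allow -M` would generate; the second uses the `samba_domtrans_winbind_helper()` interface named in comment 2, which is what the accepted fix does. The sample audit line is the one from this bug (embedded here as constructed input); the module names `local_radiusd` and `radiusd_ntlm` are placeholders.

```shell
#!/bin/sh
# Sample input: the AVC denial quoted in the bug description (constructed copy).
AVC_LINE='type=AVC msg=audit(1282729991.563:368): avc:  denied  { execute } for  pid=12743 comm="radiusd" name="ntlm_auth" dev=dm-6 ino=29739 scontext=unconfined_u:system_r:radiusd_t:s0 tcontext=system_u:object_r:winbind_helper_exec_t:s0 tclass=file'

# avc_fields LINE -> prints "SOURCE_TYPE TARGET_TYPE CLASS PERMS"; returns 1 for
# anything that is not an AVC denial (e.g. a SYSCALL record on the same event).
avc_fields() {
    line=$1
    case $line in
        *avc:*denied*) ;;
        *) return 1 ;;
    esac
    perms=$(printf '%s\n' "$line"  | sed -n 's/.*{ \([^}]*\) }.*/\1/p')
    scon=$(printf '%s\n' "$line"   | sed -n 's/.*scontext=\([^ ]*\).*/\1/p')
    tcon=$(printf '%s\n' "$line"   | sed -n 's/.*tcontext=\([^ ]*\).*/\1/p')
    tclass=$(printf '%s\n' "$line" | sed -n 's/.*tclass=\([^ ]*\).*/\1/p')
    # A context is user:role:type:level; the type is the third field.
    stype=$(printf '%s\n' "$scon" | cut -d: -f3)
    ttype=$(printf '%s\n' "$tcon" | cut -d: -f3)
    [ -n "$stype" ] && [ -n "$ttype" ] && [ -n "$tclass" ] && [ -n "$perms" ] || return 1
    printf '%s %s %s %s\n' "$stype" "$ttype" "$tclass" "$perms"
}

# avc_to_te MODULE LINE -> minimal type-enforcement module, the shape
# `audit2allow -M MODULE` produces. The helper keeps running in the *source*
# domain, so radiusd_t would execute ntlm_auth without a domain transition.
avc_to_te() {
    mod=$1
    fields=$(avc_fields "$2") || return 1
    set -- $fields
    src=$1; tgt=$2; cls=$3; shift 3; perms=$*
    cat <<EOF
module $mod 1.0;

require {
	type $src;
	type $tgt;
	class $cls { $perms };
}

# Raw allow rule: the target is executed inside the $src domain.
allow $src $tgt:$cls { $perms };
EOF
}

# domtrans_module MODULE SOURCE_TYPE -> refpolicy-style module using the
# interface from comment 2. Built with the policy devel Makefile
# (make -f /usr/share/selinux/devel/Makefile MODULE.pp; semodule -i MODULE.pp).
# The interface grants execute on winbind_helper_exec_t *and* transitions the
# child into winbind_helper_t, so ntlm_auth is confined by its own domain.
domtrans_module() {
    cat <<EOF
policy_module($1, 1.0)

gen_require(\`
	type $2;
')

# Domain transition: $2 may run winbind helpers, which then run as winbind_helper_t.
samba_domtrans_winbind_helper($2)
EOF
}

# Stand-alone demonstration on the sample line.
avc_fields "$AVC_LINE"
avc_to_te local_radiusd "$AVC_LINE"
domtrans_module radiusd_ntlm radiusd_t
```

The parsed fields make the difference between the two modules concrete: the raw rule only adds `allow radiusd_t winbind_helper_exec_t:file { execute }`, whereas the interface-based module is the least-privilege shape, because the helper leaves the radiusd_t domain instead of widening it.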
Comment 3 Miroslav Grepl 2010-08-30 17:31:39 UTC
Fixed in selinux-policy-3.7.19-52.fc13

Comment 4 Fedora Update System 2010-09-02 14:56:56 UTC
selinux-policy-3.7.19-54.fc13 has been submitted as an update for Fedora 13.
https://admin.fedoraproject.org/updates/selinux-policy-3.7.19-54.fc13

Comment 5 Fedora Update System 2010-09-02 20:36:33 UTC
selinux-policy-3.7.19-54.fc13 has been pushed to the Fedora 13 testing repository.  If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: https://admin.fedoraproject.org/updates/selinux-policy-3.7.19-54.fc13

Comment 6 Fedora Update System 2010-09-11 09:07:19 UTC
selinux-policy-3.7.19-54.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.