Description of problem: The default SELinux policy is preventing FreeRADIUS to connect to a PostgreSQL server. Also, it's not possible to create manually a policy module to allow the access. Versions: freeradius-2.1.10-1.fc14.x86_64 selinux-policy-3.9.7-18.fc14.noarch selinux-policy-targeted-3.9.7-18.fc14.noarch How reproducible: Configure a FreeRADIUS server to use a PostgreSQL database. Connections always blocked. Expected results: Connection allowed or a selinux boolean to allow the connection. Additional info: -> Sealert output ***** Plugin catchall (100. confidence) suggests *************************** If you believe that radiusd should be allowed name_connect access on the port 5432 tcp_socket by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep /usr/sbin/radiusd /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp -> audit.log type=SYSCALL msg=audit(1293217305.037:365): arch=c000003e syscall=42 success=no exit=-13 a0=4 a1=d9f6e0 a2=10 a3=7fff79aecbe0 items=0 ppid=4654 pid=4655 auid=0 uid=0 gid=95 euid=95 suid=0 fsuid=95 egid=95 sgid=95 fsgid=95 tty=(none) ses=51 comm="radiusd" exe="/usr/sbin/radiusd" subj=unconfined_u:system_r:radiusd_t:s0 key=(null)
ausearch -m avc | grep radiusd
type=SYSCALL msg=audit(1293385921.676:42597): arch=c000003e syscall=42 success=no exit=-115 a0=4 a1=2107c40 a2=10 a3=7fff46843950 items=0 ppid=12006 pid=12007 auid=0 uid=0 gid=95 euid=95 suid=0 fsuid=95 egid=95 sgid=95 fsgid=95 tty=pts2 ses=589 comm="radiusd" exe="/usr/sbin/radiusd" subj=unconfined_u:system_r:radiusd_t:s0 key=(null) type=AVC msg=audit(1293385921.676:42597): avc: denied { name_connect } for pid=12007 comm="radiusd" dest=5432 scontext=unconfined_u:system_r:radiusd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket type=SYSCALL msg=audit(1293386309.939:42621): arch=c000003e syscall=42 success=no exit=-115 a0=4 a1=2997db0 a2=10 a3=7fff1ac39c70 items=0 ppid=12126 pid=12127 auid=0 uid=0 gid=95 euid=95 suid=0 fsuid=95 egid=95 sgid=95 fsgid=95 tty=pts0 ses=585 comm="radiusd" exe="/usr/sbin/radiusd" subj=unconfined_u:system_r:radiusd_t:s0 key=(null) type=AVC msg=audit(1293386309.939:42621): avc: denied { name_connect } for pid=12127 comm="radiusd" dest=5432 scontext=unconfined_u:system_r:radiusd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
Miroslav add corenet_tcp_connect_postgresql_port(radiusd_t)
Fixed in selinux-policy-3.9.7-20.fc14
selinux-policy-3.9.7-20.fc14 has been submitted as an update for Fedora 14. https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-20.fc14
selinux-policy-3.9.7-20.fc14 has been pushed to the Fedora 14 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-20.fc14
selinux-policy-3.9.7-20.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report.