Bug 833843 - freeadius2 cannot connect to postgresql due to AVC denial
Summary: freeadius2 cannot connect to postgresql due to AVC denial
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.8
Hardware: All
OS: Linux
medium
medium
Target Milestone: rc
: ---
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2012-06-20 13:07 UTC by Patrik Kis
Modified: 2013-01-08 03:32 UTC (History)
3 users (show)

Fixed In Version: selinux-policy-2.4.6-328.el5
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-01-08 03:32:07 UTC
Target Upstream Version:

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2013:0060 normal SHIPPED_LIVE selinux-policy bug fix and enhancement update 2013-01-08 08:27:19 UTC

Description Patrik Kis 2012-06-20 13:07:18 UTC 
Description of problem:
ANC denial prevents freeradius2 communicate with postgresql on RHEL5, while on RHEL6 it is working out of the box.

Version-Release number of selected component (if applicable):
# rpm -q freeradius2 postgresql selinux-policy
freeradius2-2.1.12-3.el5
postgresql-8.1.23-1.el5_7.3
selinux-policy-2.4.6-327.el5

How reproducible:
always

Steps to Reproduce:
1. run test /CoreOS/freeradius/Sanity/postgresql-auth-test
2. When radiusd start the following AVC appears and the test fails:
type=AVC msg=audit(1340196443.406:1177): avc:  denied  { name_connect } for  pid=22893 comm="radiusd" dest=5432 scontext=root:system_r:radiusd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
  
Actual results:
AVC denial

Expected results:
no AVC denial

Additional info:
It seems there are missing policies on RHEL5.
This test was newer launched on RHEL5; it was only now made ready for RHEL5 that's the reason why this error was hidden so far.

[root@rhel58 ~]# sesearch -A -C -s radiusd_t -t ldap_port_t -c tcp_socket
Found 1 av rules:
   allow radiusd_t ldap_port_t : tcp_socket { recv_msg send_msg name_connect }; 


[root@rhel63 ~]# sesearch -A -C -s radiusd_t -t ldap_port_t -c tcp_socket
Found 5 semantic av rules:
   allow radiusd_t ldap_port_t : tcp_socket { recv_msg send_msg name_connect } ; 
   allow radiusd_t port_type : tcp_socket { recv_msg send_msg } ; 
DT allow radiusd_t reserved_port_type : tcp_socket name_connect ; [ allow_ypbind ]
DT allow radiusd_t rpc_port_type : tcp_socket name_bind ; [ allow_ypbind ]
DT allow radiusd_t port_type : tcp_socket { recv_msg send_msg } ; [ allow_ypbind ]
Comment 1 RHEL Program Management 2012-06-20 13:10:08 UTC 
This request was evaluated by Red Hat Product Management for inclusion
in a Red Hat Enterprise Linux release.  Product Management has
requested further review of this request by Red Hat Engineering, for
potential inclusion in a Red Hat Enterprise Linux release for currently
deployed products.  This request is not yet committed for inclusion in
a release.
Comment 2 Miroslav Grepl 2012-06-28 12:12:52 UTC 
It needs to be backported from RHEL6.
Comment 6 errata-xmlrpc 2013-01-08 03:32:07 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0060.html
Note You need to log in before you can comment on or make changes to this bug.