833843 – freeadius2 cannot connect to postgresql due to AVC denial

Bug 833843 - freeadius2 cannot connect to postgresql due to AVC denial

Summary: freeadius2 cannot connect to postgresql due to AVC denial

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 5
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	5.8
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Miroslav Grepl
QA Contact:	Milos Malik
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2012-06-20 13:07 UTC by Patrik Kis
Modified:	2013-01-08 03:32 UTC (History)
CC List:	3 users (show)
Fixed In Version:	selinux-policy-2.4.6-328.el5
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2013-01-08 03:32:07 UTC
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2013:0060	0	normal	SHIPPED_LIVE	selinux-policy bug fix and enhancement update	2013-01-08 08:27:19 UTC

Description Patrik Kis 2012-06-20 13:07:18 UTC

Description of problem:
ANC denial prevents freeradius2 communicate with postgresql on RHEL5, while on RHEL6 it is working out of the box.

Version-Release number of selected component (if applicable):
# rpm -q freeradius2 postgresql selinux-policy
freeradius2-2.1.12-3.el5
postgresql-8.1.23-1.el5_7.3
selinux-policy-2.4.6-327.el5

How reproducible:
always

Steps to Reproduce:
1. run test /CoreOS/freeradius/Sanity/postgresql-auth-test
2. When radiusd start the following AVC appears and the test fails:
type=AVC msg=audit(1340196443.406:1177): avc:  denied  { name_connect } for  pid=22893 comm="radiusd" dest=5432 scontext=root:system_r:radiusd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
  
Actual results:
AVC denial

Expected results:
no AVC denial

Additional info:
It seems there are missing policies on RHEL5.
This test was newer launched on RHEL5; it was only now made ready for RHEL5 that's the reason why this error was hidden so far.

[root@rhel58 ~]# sesearch -A -C -s radiusd_t -t ldap_port_t -c tcp_socket
Found 1 av rules:
   allow radiusd_t ldap_port_t : tcp_socket { recv_msg send_msg name_connect }; 


[root@rhel63 ~]# sesearch -A -C -s radiusd_t -t ldap_port_t -c tcp_socket
Found 5 semantic av rules:
   allow radiusd_t ldap_port_t : tcp_socket { recv_msg send_msg name_connect } ; 
   allow radiusd_t port_type : tcp_socket { recv_msg send_msg } ; 
DT allow radiusd_t reserved_port_type : tcp_socket name_connect ; [ allow_ypbind ]
DT allow radiusd_t rpc_port_type : tcp_socket name_bind ; [ allow_ypbind ]
DT allow radiusd_t port_type : tcp_socket { recv_msg send_msg } ; [ allow_ypbind ]

Comment 1 RHEL Program Management 2012-06-20 13:10:08 UTC

This request was evaluated by Red Hat Product Management for inclusion
in a Red Hat Enterprise Linux release.  Product Management has
requested further review of this request by Red Hat Engineering, for
potential inclusion in a Red Hat Enterprise Linux release for currently
deployed products.  This request is not yet committed for inclusion in
a release.

Comment 2 Miroslav Grepl 2012-06-28 12:12:52 UTC

It needs to be backported from RHEL6.

Comment 6 errata-xmlrpc 2013-01-08 03:32:07 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0060.html

Note You need to log in before you can comment on or make changes to this bug.