Bug 833843 – freeadius2 cannot connect to postgresql due to AVC denial

Bug 833843 - freeadius2 cannot connect to postgresql due to AVC denial

Summary:	freeadius2 cannot connect to postgresql due to AVC denial

Status:	CLOSED ERRATA

Aliases:	None

Product:	Red Hat Enterprise Linux 5
Classification:	Red Hat
Component:	selinux-policy (Show other bugs)
Sub Component:
Version:	5.8
Hardware:	All Linux

Priority	medium Severity medium
Target Milestone:	rc
Target Release:	---
Assigned To:	Miroslav Grepl
QA Contact:	Milos Malik
Docs Contact:

URL:
Whiteboard:
Keywords:

Depends On:
Blocks:
	Show dependency tree / graph

Reported:	2012-06-20 09:07 EDT by Patrik Kis
Modified:	2013-01-07 22:32 EST (History)
CC List:	3 users (show)

See Also:
Fixed In Version:	selinux-policy-2.4.6-328.el5
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2013-01-07 22:32:07 EST
Type:	Bug
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Patrik Kis 2012-06-20 09:07:18 EDT

Description of problem:
ANC denial prevents freeradius2 communicate with postgresql on RHEL5, while on RHEL6 it is working out of the box.

Version-Release number of selected component (if applicable):
# rpm -q freeradius2 postgresql selinux-policy
freeradius2-2.1.12-3.el5
postgresql-8.1.23-1.el5_7.3
selinux-policy-2.4.6-327.el5

How reproducible:
always

Steps to Reproduce:
1. run test /CoreOS/freeradius/Sanity/postgresql-auth-test
2. When radiusd start the following AVC appears and the test fails:
type=AVC msg=audit(1340196443.406:1177): avc:  denied  { name_connect } for  pid=22893 comm="radiusd" dest=5432 scontext=root:system_r:radiusd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
  
Actual results:
AVC denial

Expected results:
no AVC denial

Additional info:
It seems there are missing policies on RHEL5.
This test was newer launched on RHEL5; it was only now made ready for RHEL5 that's the reason why this error was hidden so far.

[root@rhel58 ~]# sesearch -A -C -s radiusd_t -t ldap_port_t -c tcp_socket
Found 1 av rules:
   allow radiusd_t ldap_port_t : tcp_socket { recv_msg send_msg name_connect }; 


[root@rhel63 ~]# sesearch -A -C -s radiusd_t -t ldap_port_t -c tcp_socket
Found 5 semantic av rules:
   allow radiusd_t ldap_port_t : tcp_socket { recv_msg send_msg name_connect } ; 
   allow radiusd_t port_type : tcp_socket { recv_msg send_msg } ; 
DT allow radiusd_t reserved_port_type : tcp_socket name_connect ; [ allow_ypbind ]
DT allow radiusd_t rpc_port_type : tcp_socket name_bind ; [ allow_ypbind ]
DT allow radiusd_t port_type : tcp_socket { recv_msg send_msg } ; [ allow_ypbind ]

Comment 1 RHEL Product and Program Management 2012-06-20 09:10:08 EDT

This request was evaluated by Red Hat Product Management for inclusion
in a Red Hat Enterprise Linux release.  Product Management has
requested further review of this request by Red Hat Engineering, for
potential inclusion in a Red Hat Enterprise Linux release for currently
deployed products.  This request is not yet committed for inclusion in
a release.

Comment 2 Miroslav Grepl 2012-06-28 08:12:52 EDT

It needs to be backported from RHEL6.

Comment 6 errata-xmlrpc 2013-01-07 22:32:07 EST

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0060.html

Note You need to log in before you can comment on or make changes to this bug.