Bug 965041 - freeradius cannot connect to postgresql
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.0
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Miroslav Grepl
Milos Malik
Reported: 2013-05-20 06:53 EDT by Patrik Kis
Modified: 2014-06-17 22:21 EDT
Doc Type: Bug Fix
Last Closed: 2014-06-13 05:48:32 EDT
Type: Bug
Description Patrik Kis 2013-05-20 06:53:30 EDT
Description of problem:
The radiusd server cannot connect to the postgresql socket on RHEL-7, but on RHEL-6 it is possible.

type=SYSCALL msg=audit(1368651809.211:10479): arch=c000003e syscall=42 success=no exit=-13 a0=4 a1=7f8d8fd4d600 a2=10 a3=7fff8adf2fe8 items=0 ppid=1 pid=26593 auid=4294967295 uid=0 gid=95 euid=95 suid=0 fsuid=95 egid=95 sgid=95 fsgid=95 ses=4294967295 tty=(none) comm="radiusd" exe="/usr/sbin/radiusd" subj=system_u:system_r:radiusd_t:s0 key=(null)
type=AVC msg=audit(1368651809.211:10479): avc:  denied  { name_connect } for  pid=26593 comm="radiusd" dest=5432 scontext=system_u:system_r:radiusd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket

Version-Release number of selected component (if applicable):
selinux-policy-3.12.1-38.el7

How reproducible:
always

Steps to Reproduce:
1. Integrate freeradius with postgresql
2. Start radiusd
3. The following AVC denial is raised
type=SYSCALL msg=audit(1368651809.211:10479): arch=c000003e syscall=42 success=no exit=-13 a0=4 a1=7f8d8fd4d600 a2=10 a3=7fff8adf2fe8 items=0 ppid=1 pid=26593 auid=4294967295 uid=0 gid=95 euid=95 suid=0 fsuid=95 egid=95 sgid=95 fsgid=95 ses=4294967295 tty=(none) comm="radiusd" exe="/usr/sbin/radiusd" subj=system_u:system_r:radiusd_t:s0 key=(null)
type=AVC msg=audit(1368651809.211:10479): avc:  denied  { name_connect } for  pid=26593 comm="radiusd" dest=5432 scontext=system_u:system_r:radiusd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket

Actual results:

RHEL-7:

0 [root@rhel7 ~ ]# rpm -q selinux-policy
selinux-policy-3.12.1-38.el7.noarch
0 [root@rhel7 ~ ]# sesearch -A -C -s radiusd_t -t postgresql_port_t -c tcp_socket
Found 2 semantic av rules:
   allow radiusd_t port_type : tcp_socket { recv_msg send_msg } ; 
DT allow nsswitch_domain port_type : tcp_socket { recv_msg send_msg } ; [ nis_enabled ]

Expected results:

RHEL-6:

[root@rhel6 ~]# rpm -q selinux-policy
selinux-policy-3.7.19-195.el6.noarch
[root@rhel6 ~]# sesearch -A -C -s radiusd_t -t postgresql_port_t -c tcp_socket
Found 3 semantic av rules:
   allow radiusd_t postgresql_port_t : tcp_socket name_connect ; 
   allow radiusd_t port_type : tcp_socket { recv_msg send_msg } ; 
DT allow radiusd_t port_type : tcp_socket { recv_msg send_msg } ; [ allow_ypbind ]
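
The comparison made by hand in the description, as an added example that is not part of the original bug report or of selinux-policy: it parses the AVC denial, checks it against the pasted sesearch rules for each release, and renders the missing access as an allow rule. The attribute table `ATTRS` and all function names are assumptions made for this example.

```python
import re
# AVC record and sesearch output copied from the bug description above.
AVC = ('type=AVC msg=audit(1368651809.211:10479): avc:  denied  { name_connect } for  '
       'pid=26593 comm="radiusd" dest=5432 scontext=system_u:system_r:radiusd_t:s0 '
       'tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket')
RHEL7 = """\
   allow radiusd_t port_type : tcp_socket { recv_msg send_msg } ;
DT allow nsswitch_domain port_type : tcp_socket { recv_msg send_msg } ; [ nis_enabled ]"""
RHEL6 = """\
   allow radiusd_t postgresql_port_t : tcp_socket name_connect ;
   allow radiusd_t port_type : tcp_socket { recv_msg send_msg } ;
DT allow radiusd_t port_type : tcp_socket { recv_msg send_msg } ; [ allow_ypbind ]"""
# Attribute membership, typed in by hand as an assumption (implied by the sesearch matches).
ATTRS = {"radiusd_t": {"nsswitch_domain"}, "postgresql_port_t": {"port_type"}}

RULE = re.compile(r'(?:[DE][TF]\s+)?allow\s+(\S+)\s+(\S+)\s*:\s*(\S+)\s+'
                  r'(?:\{([^}]*)\}|(\S+))\s*;\s*(?:\[\s*(\S+)\s*\])?')

def parse_avc(line):
    """Return (source type, target type, class, denied permissions)."""
    m = re.search(r'avc:\s+denied\s+\{([^}]*)\}.*?scontext=(\S+)\s+'
                  r'tcontext=(\S+)\s+tclass=(\S+)', line)
    if not m:
        raise ValueError("not an AVC denial record")
    perms, scon, tcon, tclass = m.groups()
    # A context is user:role:type:level, so the type is the third field.
    return scon.split(":")[2], tcon.split(":")[2], tclass, set(perms.split())

def parse_rules(text):
    """Parse sesearch allow lines into (src, tgt, class, perms, boolean)."""
    rules = []
    for m in filter(None, (RULE.match(l.strip()) for l in text.splitlines())):
        src, tgt, cls, many, one, cond = m.groups()
        rules.append((src, tgt, cls, set((many or one).split()), cond))
    return rules

def missing_perms(avc, rules, attrs=ATTRS):
    """Denied permissions that no unconditional rule grants."""
    src, tgt, cls, denied = avc
    srcs, tgts = {src} | attrs.get(src, set()), {tgt} | attrs.get(tgt, set())
    granted = set()
    for r_src, r_tgt, r_cls, perms, cond in rules:
        # Rules guarded by a boolean are skipped: their effect depends on its state.
        if cond is None and r_cls == cls and r_src in srcs and r_tgt in tgts:
            granted |= perms
    return denied - granted

def suggested_rule(avc, missing):
    return "allow %s %s:%s { %s };" % (*avc[:3], " ".join(sorted(missing)))
```
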
Comment 2 Miroslav Grepl 2013-05-22 03:12:37 EDT
Fixed in selinux-policy-3.12.1-46.el7
Comment 4 Ludek Smid 2014-06-13 05:48:32 EDT
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.
