Details

      Description

      rpms involved

      pam_ldap-185-11.el6.x86_64
      pam_mysql-0.7-0.12.rc1.el6.x86_64
      pam-1.1.1-20.el6.x86_64
      

      MariaDB

      MariaDB-compat-5.5.42-1.el6.x86_64
      MariaDB-client-5.5.42-1.el6.x86_64
      MariaDB-common-5.5.42-1.el6.x86_64
      MariaDB-shared-5.5.42-1.el6.x86_64
      MariaDB-server-5.5.42-1.el6.x86_64
      

      I've created the user in MariaDB and loaded the auth module with

      INSTALL SONAME 'auth_pam';
      create user <myldapusername>@localhost IDENTIFIED VIA pam USING 'mariadb';
      
      cat /etc/pam.d/mariadb
      #%PAM-1.0
      auth          sufficient    pam_ldap.so debug
      account     sufficient    pam_ldap.so debug
      account     sufficient    pam_localuser.so
      

      And a valid /etc/pam_ldap.conf

      If I use setenforce Permissive, all is well: I can log in as the user authenticated via the LDAP AD.
      If I use setenforce Enforcing I see
      > mysqld: PAM audit_open() failed: Permission denied

      I've verified that the selinux permissions on the /etc/pam.d/mariadb appear to be valid

      Cheers

      Jan.

              Activity

              elenst Elena Stepanova added a comment -

              I can reproduce it.
              At first I was getting these two SELinux errors:

              type=AVC msg=audit(1425150589.083:31): avc:  denied  { create } for  pid=2580 comm="mysqld" scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=netlink_audit_socket
              type=AVC msg=audit(1425152410.256:22): avc:  denied  { nlmsg_relay } for  pid=2512 comm="mysqld" scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=netlink_audit_socket
              

              Then I added policies to allow this. It helped to get rid of the error messages, but now the connection just fails with Enforcing without any trace in the audit logs at all, and works with Permissive. I installed the latest system upgrades, but it didn't help.

              I also tried CentOS 7 to see if it works there, but couldn't get this far – it seems there was a bug related to PAM/LDAP, not to SELinux, and the fix hasn't been released yet. So, I didn't dig deep enough there, but at the first glance, if it weren't for that other bug, there would be the same problem with Enforcing/Permissive.

              Sergei Golubchik,
              I've stored an image where I set it up, so if you want me to try something else, I can do it easily enough. I'm just stuck not knowing what to look at next.

              jeringa Jan Eringa added a comment -

              Guys ... any news / updates on this ?

              Cheers

              Jan.

              serg Sergei Golubchik added a comment - - edited

              Not yet. Please wait till the next 5.5 release

              serg Sergei Golubchik added a comment -

              Elena Stepanova, where is that image? Is it your local one or somewhere where I can boot it?

              elenst Elena Stepanova added a comment -

              It was a local one, under VM Virtual Box.

              serg Sergei Golubchik added a comment - - edited

              In your setup mysqld needs to access "netlink_audit_socket" and your default policy doesn't allow it. You need to enable that in your policy. The most helpful instruction that I've found was this one: CentOS * SELinux, PAM and MySQL. In short:

              • Remove dontaudits from policy: semodule -DB
              • Switch to permissive mode: setenforce Permissive
              • login into MariaDB as this user
              • create a policy: grep mysqld /var/log/audit/audit.log | audit2allow -M mariadb_pam; semodule -i mariadb_pam.pp
              • restore: semodule -B; setenforce Enforcing
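The procedure in the comment above, as an added example (this is not MariaDB project code and not the commenter's script): a shell script that derives the type-enforcement (.te) source from AVC denials the way audit2allow does, but keeps only denials whose source domain is mysqld_t, so unrelated denials that happen to mention "mysqld" in the log are not turned into allow rules. The two denials quoted earlier in this ticket are embedded as constructed sample input; the module name mariadb_pam follows the comment. The build step assumes policycoreutils (checkmodule, semodule_package, semodule) and root, and is only run when the script is invoked with --load.

```shell
#!/bin/bash
# Added example (not MariaDB code): build a minimal SELinux policy module for
# mysqld's PAM authentication from AVC denials, limited to the mysqld_t domain.

# Constructed sample input: the two denials quoted in this ticket.
SAMPLE_AVC='type=AVC msg=audit(1425150589.083:31): avc:  denied  { create } for  pid=2580 comm="mysqld" scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=netlink_audit_socket
type=AVC msg=audit(1425152410.256:22): avc:  denied  { nlmsg_relay } for  pid=2512 comm="mysqld" scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=netlink_audit_socket'

# avc_to_te PROC_TYPE MODULE_NAME
# Reads AVC lines on stdin and prints .te source that allows exactly the denied
# permissions for PROC_TYPE.  A target whose type equals the source type is
# written as "self", as audit2allow does; other target types are listed in the
# require block.  Denials from any other source domain are ignored.
avc_to_te() {
    awk -v proc="${1:-mysqld_t}" -v mod="${2:-mariadb_pam}" '
    BEGIN { nt = 0; nc = 0; nk = 0 }
    /avc: +denied/ {
        if (!match($0, /[{] [^}]* [}]/)) next
        perms = substr($0, RSTART + 2, RLENGTH - 4)   # text between "{ " and " }"
        sctx = ""; tctx = ""; tclass = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)      sctx   = substr($i, 10)
            else if ($i ~ /^tcontext=/) tctx   = substr($i, 10)
            else if ($i ~ /^tclass=/)   tclass = substr($i, 8)
        }
        split(sctx, s, ":"); stype = s[3]   # user:role:type:level -> type
        split(tctx, t, ":"); ttype = t[3]
        if (stype != proc || tclass == "") next
        target = (ttype == stype) ? "self" : ttype
        if (target != "self" && !(target in types)) { types[target] = 1; tlist[++nt] = target }
        if (!(tclass in classes)) { classes[tclass] = 1; clist[++nc] = tclass }
        key = target SUBSEP tclass
        if (!(key in rules)) { rules[key] = 1; klist[++nk] = key; ktarget[key] = target; kclass[key] = tclass }
        n = split(perms, pl, " ")
        for (j = 1; j <= n; j++) {
            if (!((key, pl[j]) in seen)) {            # per-rule permission set
                seen[key, pl[j]] = 1
                rperms[key] = (rperms[key] == "" ? "" : rperms[key] " ") pl[j]
            }
            if (!((tclass, pl[j]) in cseen)) {        # per-class set for require {}
                cseen[tclass, pl[j]] = 1
                cperms[tclass] = (cperms[tclass] == "" ? "" : cperms[tclass] " ") pl[j]
            }
        }
    }
    END {
        print "module " mod " 1.0;"
        print ""
        print "require {"
        print "    type " proc ";"
        for (i = 1; i <= nt; i++) print "    type " tlist[i] ";"
        for (i = 1; i <= nc; i++) print "    class " clist[i] " { " cperms[clist[i]] " };"
        print "}"
        print ""
        for (i = 1; i <= nk; i++) {
            k = klist[i]
            print "allow " proc " " ktarget[k] ":" kclass[k] " { " rperms[k] " };"
        }
    }'
}

# build_policy_module MODULE_NAME TE_FILE
# Compiles the .te into a loadable .pp and installs it.  Assumes
# policycoreutils and root; equivalent to what audit2allow -M does internally.
build_policy_module() {
    checkmodule -M -m -o "$1.mod" "$2"
    semodule_package -o "$1.pp" -m "$1.mod"
    semodule -i "$1.pp"
}

case "${1:-}" in
    --load)
        # Live workflow from the comment: run with dontaudit rules disabled
        # (semodule -DB) and the system in Permissive, attempt the PAM login,
        # then collect only mysqld's denials, review the rules, and load them.
        grep 'comm="mysqld"' /var/log/audit/audit.log | avc_to_te mysqld_t mariadb_pam > mariadb_pam.te
        cat mariadb_pam.te
        build_policy_module mariadb_pam mariadb_pam.te
        ;;
    *)
        # Offline demonstration on the constructed sample.
        printf '%s\n' "$SAMPLE_AVC" | avc_to_te mysqld_t mariadb_pam
        ;;
esac
```

Run without arguments to see the .te that the two quoted denials produce (a single rule, `allow mysqld_t self:netlink_audit_socket { create nlmsg_relay };`). The `semodule -DB` step in the comment matters: the second failure Elena saw left no AVC in the log because dontaudit rules suppress it, and a module built from a log without those entries will still be incomplete. Whatever the log yields, read the generated allow rules before `semodule -i`, since anything else mysqld was denied during the Permissive window ends up in the module too; the point of filtering on the mysqld_t source type is to keep that surface to mysqld's own PAM needs.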
              serg Sergei Golubchik added a comment -

              Documented in KB.

              danblack Daniel Black added a comment -

              looks like RHEL might be coming out with a selinux update to fix this sometime: https://bugzilla.redhat.com/show_bug.cgi?id=1201413

              serg Sergei Golubchik added a comment -

              Thanks! I've subscribed to it to know when it's fixed.


                People

                • Assignee:
                  serg Sergei Golubchik
                  Reporter:
                  jeringa Jan Eringa