Details
- Type: Bug
- Status: Closed
- Priority: Major
- Resolution: Fixed
- Affects Version/s: 5.5.42, 10.0
- Fix Version/s: N/A
- Component/s: Documentation, Plugin - pam
- Environment: Centos 6.6 x86_64
Description
rpms involved:
pam_ldap-185-11.el6.x86_64
pam_mysql-0.7-0.12.rc1.el6.x86_64
pam-1.1.1-20.el6.x86_64
MariaDB:
MariaDB-compat-5.5.42-1.el6.x86_64
MariaDB-client-5.5.42-1.el6.x86_64
MariaDB-common-5.5.42-1.el6.x86_64
MariaDB-shared-5.5.42-1.el6.x86_64
MariaDB-server-5.5.42-1.el6.x86_64
I've created the user in MariaDB and loaded the auth module with
INSTALL SONAME 'auth_pam';
create user <myldapusername>@localhost IDENTIFIED VIA pam USING 'mariadb';
cat /etc/pam.d/mariadb
#%PAM-1.0
auth    sufficient pam_ldap.so debug
account sufficient pam_ldap.so debug
account sufficient pam_localuser.so
And a valid /etc/pam_ldap.conf
If I use setenforce Permissive all is well, I can log in as the user authenticated via the ldap AD.
If I use setenforce Enforcing I see
> mysqld: PAM audit_open() failed: Permission denied
I've verified that the selinux permissions on /etc/pam.d/mariadb appear to be valid.
Cheers
Jan.
I can reproduce it.
At first I was getting these two SELinux errors:
type=AVC msg=audit(1425150589.083:31): avc: denied { create } for pid=2580 comm="mysqld" scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=netlink_audit_socket
type=AVC msg=audit(1425152410.256:22): avc: denied { nlmsg_relay } for pid=2512 comm="mysqld" scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=netlink_audit_socket
Then I added policies to allow this. It helped to get rid of the error messages, but now the connection just fails with Enforcing without any trace in the audit logs at all, and works with Permissive. I installed the latest system upgrades, but it didn't help.
I also tried CentOS 7 to see if it works there, but couldn't get this far – it seems there was a bug related to PAM/LDAP, not to SELinux, and the fix hasn't been released yet. So, I didn't dig deep enough there, but at the first glance, if it weren't for that other bug, there would be the same problem with Enforcing/Permissive.
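An added example, not part of this bug report or of MariaDB: it parses the two AVC records quoted in the comment above (re-typed here as constructed sample input) and groups them into the single TE allow rule they imply, the same mapping audit2allow performs. Field names and the `self` shorthand are standard SELinux policy syntax; the regex is an assumption about the record layout shown on this page.

```python
import re
from collections import defaultdict

# Constructed sample: the two denials quoted in the comment, re-typed verbatim.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1425150589.083:31): avc: denied { create } for pid=2580 comm="mysqld" scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=netlink_audit_socket
type=AVC msg=audit(1425152410.256:22): avc: denied { nlmsg_relay } for pid=2512 comm="mysqld" scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=netlink_audit_socket
"""

# Matches the AVC record layout shown above: permissions in braces, then the
# source/target security contexts and the object class.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def selinux_type(context):
    """user:role:type:level -> type, the component TE rules are written against."""
    return context.split(":")[2]

def parse_avc_denials(log_text):
    """Return {(source_type, target_type, tclass): set(permissions)} for every AVC line."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial record, skip it
        key = (selinux_type(m["scontext"]), selinux_type(m["tcontext"]), m["tclass"])
        denials[key].update(m["perms"].split())
    return denials

def to_allow_rules(denials):
    """Render grouped denials as TE allow rules; same-type source/target becomes 'self'."""
    rules = []
    for (src, tgt, tclass), perms in sorted(denials.items()):
        target = "self" if src == tgt else tgt
        rules.append(f"allow {src} {target}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return rules

if __name__ == "__main__":
    for rule in to_allow_rules(parse_avc_denials(SAMPLE_AUDIT_LOG)):
        print(rule)
```

When a failure under Enforcing leaves no AVC record at all, as in the second stage described above, the denial may be covered by a dontaudit rule; `semodule -DB` rebuilds the policy with dontaudit rules disabled so the denial is logged, and `semodule -B` restores them.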
Sergei Golubchik,
I've stored an image where I set it up, so if you want me to try something else, I can do it easily enough. I'm just stuck not knowing what to look at next.