[MDEV-7637] MariaDB 5.5 + pam + ldap + selinux Created: 2015-02-26  Updated: 2015-04-28  Resolved: 2015-04-27

Status: Closed
Project: MariaDB Server
Component/s: Documentation, Plugin - pam
Affects Version/s: 5.5.42, 10.0
Fix Version/s: N/A

Type: Bug Priority: Major
Reporter: Jan Eringa Assignee: Sergei Golubchik
Resolution: Fixed Votes: 0
Labels: ldap, pam, selinux, verified
Environment:

Centos 6.6 x86_64

Description

rpms involved

pam_ldap-185-11.el6.x86_64
pam_mysql-0.7-0.12.rc1.el6.x86_64
pam-1.1.1-20.el6.x86_64

MariaDB

MariaDB-compat-5.5.42-1.el6.x86_64
MariaDB-client-5.5.42-1.el6.x86_64
MariaDB-common-5.5.42-1.el6.x86_64
MariaDB-shared-5.5.42-1.el6.x86_64
MariaDB-server-5.5.42-1.el6.x86_64

I've created the user in MariaDB and loaded the auth module with

INSTALL SONAME 'auth_pam';
create user <myldapusername>@localhost IDENTIFIED VIA pam USING 'mariadb';

cat /etc/pam.d/mariadb
#%PAM-1.0
auth          sufficient    pam_ldap.so debug
account     sufficient    pam_ldap.so debug
account     sufficient    pam_localuser.so

And a valid /etc/pam_ldap.conf

If I use setenforce Permissive all is well, I can log in as the user authenticated via the ldap AD.
If I use setenforce Enforcing I see
> mysqld: PAM audit_open() failed: Permission denied

I've verified that the selinux permissions on the /etc/pam.d/mariadb appear to be valid

Cheers

Jan.

Comments
Comment by Elena Stepanova [ 2015-03-01 ]

I can reproduce it.
At first I was getting these two SELinux errors:

type=AVC msg=audit(1425150589.083:31): avc:  denied  { create } for  pid=2580 comm="mysqld" scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=netlink_audit_socket
type=AVC msg=audit(1425152410.256:22): avc:  denied  { nlmsg_relay } for  pid=2512 comm="mysqld" scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=netlink_audit_socket

Then I added policies to allow this. It helped to get rid of the error messages, but now the connection just fails with Enforcing without any trace in the audit logs at all, and works with Permissive. I installed the latest system upgrades, but it didn't help.

I also tried CentOS 7 to see if it works there, but couldn't get this far – it seems there was a bug related to PAM/LDAP, not to SELinux, and the fix hasn't been released yet. So, I didn't dig deep enough there, but at first glance, if it weren't for that other bug, there would be the same problem with Enforcing/Permissive.

serg,
I've stored an image where I set it up, so if you want me to try something else, I can do it easily enough. I'm just stuck not knowing what to look at next.

Comment by Jan Eringa [ 2015-03-12 ]

Guys ... any news / updates on this ?

Cheers

Jan.

Comment by Sergei Golubchik [ 2015-03-12 ]

Not yet. Please wait till the next 5.5 release

Comment by Sergei Golubchik [ 2015-04-27 ]

elenst, where is that image? Is it your local one or somewhere where I can boot it?

Comment by Elena Stepanova [ 2015-04-27 ]

It was a local one, under VM Virtual Box.

Comment by Sergei Golubchik [ 2015-04-27 ]

In your setup mysqld needs to access "netlink_audit_socket" and your default policy doesn't allow it. You need to enable that in your policy. The most helpful instruction that I've found was this one: CentOS * SELinux, PAM and MySQL. In short:

  • Remove dontaudits from policy: semodule -DB
  • Switch to permissive mode: setenforce Permissive
  • login into MariaDB as this user
  • create a policy: grep mysqld /var/log/audit/audit.log | audit2allow -M mariadb_pam; semodule -i mariadb_pam.pp
  • restore: semodule -B; setenforce Enforcing

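The procedure above feeds every "mysqld" line of the audit log into audit2allow, which also grants whatever else happened to be denied at that moment. The script below is an added example (not from the ticket or the MariaDB project) that derives the allow rule from the two specific AVC records Elena posted, so the resulting module can be reviewed before it is loaded; the function names are this example's own, the sample AVC lines are constructed from the ones quoted in the thread, and the awk is a simplified stand-in for what audit2allow does.

```shell
#!/bin/sh
# Added example (not from the ticket): build a minimal SELinux module for
# the netlink_audit_socket denials mysqld hits when PAM opens the audit
# socket. Deriving the rule from the specific AVC records keeps the module
# to exactly the access that was observed.

# Constructed input: the two AVC lines posted in the ticket.
SAMPLE_AVC='type=AVC msg=audit(1425150589.083:31): avc:  denied  { create } for  pid=2580 comm="mysqld" scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=netlink_audit_socket
type=AVC msg=audit(1425152410.256:22): avc:  denied  { nlmsg_relay } for  pid=2512 comm="mysqld" scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=netlink_audit_socket'

# avc_allow_rules: read AVC denials on stdin, keep those for the given
# process name, and emit one "allow" rule per (source, target, class) with
# the permissions merged. A target equal to the source is written as "self".
avc_allow_rules() {
    awk -v want="$1" '
    /^type=AVC/ && /denied/ {
        perms = ""; src = ""; tgt = ""; cls = ""; c = ""
        if (match($0, /[{][^}]*[}]/)) {        # permissions sit between { }
            perms = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perms)
        }
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "comm")     { c = kv[2]; gsub(/"/, "", c) }
            if (kv[1] == "scontext") { split(kv[2], f, ":"); src = f[3] }
            if (kv[1] == "tcontext") { split(kv[2], f, ":"); tgt = f[3] }
            if (kv[1] == "tclass")   cls = kv[2]
        }
        if (c != want || perms == "" || cls == "") next
        key = src SUBSEP (src == tgt ? "self" : tgt) SUBSEP cls
        n = split(perms, p, / +/)
        for (j = 1; j <= n; j++)
            if (index(" " seen[key] " ", " " p[j] " ") == 0)
                seen[key] = (seen[key] == "" ? p[j] : seen[key] " " p[j])
    }
    END {
        for (key in seen) {
            split(key, k, SUBSEP)
            printf "allow %s %s:%s { %s };\n", k[1], k[2], k[3], seen[key]
        }
    }'
}

# write_te_module: wrap the allow rules in a complete .te module with the
# require block that checkmodule needs (types and classes referenced).
write_te_module() {
    name="$1"; comm="$2"
    rules=$(avc_allow_rules "$comm") || return 1
    [ -n "$rules" ] || { echo "no AVC denials found for comm=$comm" >&2; return 1; }
    printf 'module %s 1.0;\n\nrequire {\n' "$name"
    printf '%s\n' "$rules" | awk '
    {
        split($3, t, ":")                      # t[1]=target type, t[2]=class
        types[$2] = 1
        if (t[1] != "self") types[t[1]] = 1
        p = $0; sub(/^[^{]*[{] */, "", p); sub(/ *[}].*$/, "", p)
        n = split(p, q, / +/)
        for (j = 1; j <= n; j++)
            if (index(" " cls[t[2]] " ", " " q[j] " ") == 0)
                cls[t[2]] = (cls[t[2]] == "" ? q[j] : cls[t[2]] " " q[j])
    }
    END {
        for (x in types) printf "    type %s;\n", x
        for (c in cls)   printf "    class %s { %s };\n", c, cls[c]
    }'
    printf '}\n\n%s\n' "$rules"
}

# build_and_load: compile and install <name>.te. Only meaningful on a host
# with the SELinux toolchain; returns 2 when the tools are missing.
build_and_load() {
    name="$1"
    command -v checkmodule >/dev/null 2>&1 && command -v semodule_package >/dev/null 2>&1 || {
        echo "SELinux toolchain not installed; $name.te written but not loaded" >&2
        return 2
    }
    checkmodule -M -m -o "$name.mod" "$name.te" &&
    semodule_package -o "$name.pp" -m "$name.mod" &&
    semodule -i "$name.pp"
}

# demo: the host-side run. On a real system replace SAMPLE_AVC with
#   grep 'comm="mysqld"' /var/log/audit/audit.log
# taken after "semodule -DB" and one PAM login in permissive mode, and read
# the generated .te before loading it.
demo() {
    printf '%s\n' "$SAMPLE_AVC" | write_te_module mariadb_pam mysqld > mariadb_pam.te
    cat mariadb_pam.te
    build_and_load mariadb_pam || true
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run with `sh build_mariadb_pam_policy.sh --demo` (any file name will do); with the constructed input the module contains a single rule, `allow mysqld_t self:netlink_audit_socket { create nlmsg_relay };`, which is the whole of what the ticket's denials require. Re-running the login under Enforcing after `semodule -i` and checking that no new AVC records appear is the confirmation step; the `semodule -B` rebuild afterwards restores the dontaudit rules.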
Comment by Sergei Golubchik [ 2015-04-27 ]

Documented in KB.

Comment by Daniel Black [ 2015-04-28 ]

Looks like RHEL might be coming out with a selinux update to fix this sometime: https://bugzilla.redhat.com/show_bug.cgi?id=1201413

Comment by Sergei Golubchik [ 2015-04-28 ]

Thanks! I've subscribed to it to know when it's fixed.

Generated at Thu Feb 08 07:21:07 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.