useradd failure under ldap with tls

When I manage user data via LDAP (using pam_ldap), useradd/usermod/etc
fail when run from scripts.  In particular, e.g.

  # yum install httpd

fails because the "useradd apache" command hangs.

Audit2allow suggests:

  allow useradd_t urandom_device_t:chr_file { getattr read };

If I modify my LDAP configuration so that connections are not encrypted
using TLS, the useradd succeeds.


I think that, when LDAP is in use, anyone who needs to query the passwd
or group map [1] should be able to read /dev/urandom so they can initiate
TLS LDAP connections.  But I don't know enough about the layout of the
SELinux policy to speculate on whether the problem is that:
(a) The PAM/LDAP client policy is ignorant of TLS
(b) The useradd/etc policy is ignorant of LDAP
(c) Something else

Any suggestions would be appreciated.  I have "solved" this for my own
purposes the hackish way (i.e. by doing what audit2allow recommends, as
a standalone module), but I'd like to be able to recommend a real patch.

Thanks.

Chaos

[1] The useradd/usermod/etc commands need to query passwd maps in order
to fail with an error if a central user conflicts with the user being
created.

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
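The standalone local policy module the post refers to, as an added example that is not part of the original message: it emits the type-enforcement source carrying the exact rule audit2allow proposed, offers a small helper to check an AVC line against that rule before installing anything, and builds with the stock checkmodule/semodule_package/semodule tools. The module name and the sample AVC line are assumptions constructed for the example.

```shell
#!/bin/sh
# Local SELinux module granting useradd_t read access to /dev/urandom, so that
# useradd can open a TLS LDAP connection when nss/pam_ldap queries the passwd map.
set -eu

MODULE=useradd_ldap_tls   # hypothetical module name, not from the post

# Type-enforcement source. The allow rule is exactly the one audit2allow suggested.
useradd_urandom_te() {
  cat <<EOF
module ${MODULE} 1.0;

require {
    type useradd_t;
    type urandom_device_t;
    class chr_file { getattr read };
}

# useradd_t reads /dev/urandom to seed TLS for LDAP lookups
allow useradd_t urandom_device_t:chr_file { getattr read };
EOF
}

# Constructed sample AVC line in the usual audit.log shape (not a real capture).
SAMPLE_AVC='type=AVC msg=audit(1234567890.123:45): avc:  denied  { read } for  pid=1234 comm="useradd" name="urandom" dev=tmpfs ino=1 scontext=system_u:system_r:useradd_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file'

# Reduce an AVC line to "source_type target_type class" so it can be compared
# with the rule above before a module is installed.
avc_summary() {
  printf '%s\n' "$1" | sed -n \
    's/.*scontext=[^:]*:[^:]*:\([^:]*\):.*tcontext=[^:]*:[^:]*:\([^:]*\):.*tclass=\([a-z_]*\).*/\1 \2 \3/p'
}

# Build and install the module (needs root and the policy tools on the box).
build_and_install() {
  workdir=$(mktemp -d)
  useradd_urandom_te > "${workdir}/${MODULE}.te"
  checkmodule -M -m -o "${workdir}/${MODULE}.mod" "${workdir}/${MODULE}.te"
  semodule_package -o "${workdir}/${MODULE}.pp" -m "${workdir}/${MODULE}.mod"
  semodule -i "${workdir}/${MODULE}.pp"
}
```

Run `avc_summary "$(ausearch -m avc -c useradd | tail -n1)"` on the affected host to confirm the live denial reduces to `useradd_t urandom_device_t chr_file` before calling `build_and_install`.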
