useradd failure under ldap with tls
Chaos Golubitsky
chaos-selinux at glassonion.org
Mon Jun 18 18:30:48 UTC 2007
When I manage user data via LDAP (using pam_ldap), useradd/usermod/etc.
fail when run from scripts. In particular, e.g.
# yum install httpd
fails because the "useradd apache" command hangs.
Audit2allow suggests:
allow useradd_t urandom_device_t:chr_file { getattr read };
If I modify my LDAP configuration so that connections are not encrypted
using TLS, the useradd succeeds.
I think that, when LDAP is in use, anyone who needs to query the passwd
or group map [1] should be able to read /dev/urandom so they can initiate
TLS LDAP connections. But I don't know enough about the layout of the
SELinux policy to speculate on whether the problem is that:
(a) The PAM/LDAP client policy is ignorant of TLS
(b) The useradd/etc policy is ignorant of LDAP
(c) Something else
Any suggestions would be appreciated. I have "solved" this for my own
purposes the hackish way (i.e. by doing what audit2allow recommends, as
a standalone module), but I'd like to be able to recommend a real patch.
Thanks.
Chaos
[1] The useradd/usermod/etc commands need to query passwd maps in order
to fail with an error if a central user conflicts with the user being
created.
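The "standalone module" workaround mentioned in the post, written out as an added example (editor's code, not the poster's or the Fedora policy's). It generates a local policy module carrying exactly the allow rule audit2allow suggested, and builds and installs it with checkmodule/semodule_package/semodule only when invoked with "install" on a host that has those tools; the module name and file paths are assumptions. In a reference-policy patch the same grant would be expressed through the devices interface dev_read_urand(useradd_t) in the useradd module rather than as a raw allow rule.

```shell
#!/bin/sh
# Added example: local SELinux policy module letting useradd_t read
# /dev/urandom so that pam_ldap/nss_ldap can start a TLS connection when
# useradd/usermod query the passwd and group maps over LDAP.
# Module name and paths below are assumptions, not from the original post.

MODNAME="local_useradd_urandom"   # assumed module name
WORKDIR="${WORKDIR:-/tmp/$MODNAME}"

# Emit the .te source. The allow rule is the one audit2allow proposed;
# in reference policy the equivalent would be: dev_read_urand(useradd_t)
gen_te() {
    cat <<EOF
module $MODNAME 1.0;

require {
    type useradd_t;
    type urandom_device_t;
    class chr_file { getattr read };
}

# useradd/usermod need /dev/urandom to seed TLS for their LDAP lookups.
allow useradd_t urandom_device_t:chr_file { getattr read };
EOF
}

# Count how many allow rules the generated source grants (sanity check
# that the module does nothing beyond the single urandom read).
count_allow_rules() {
    gen_te | grep -c '^allow '
}

# Show the AVC denials the post describes, if any have been logged.
show_denials() {
    command -v ausearch >/dev/null 2>&1 || { echo "ausearch not available"; return 1; }
    ausearch -m avc -c useradd 2>/dev/null | grep urandom_device_t
}

# Compile and install the module (requires checkmodule, semodule_package,
# semodule and root; all three are standard policycoreutils/checkpolicy tools).
build_and_install() {
    for tool in checkmodule semodule_package semodule; do
        command -v "$tool" >/dev/null 2>&1 || { echo "missing $tool"; return 1; }
    done
    mkdir -p "$WORKDIR"
    gen_te > "$WORKDIR/$MODNAME.te"
    checkmodule -M -m -o "$WORKDIR/$MODNAME.mod" "$WORKDIR/$MODNAME.te" || return 1
    semodule_package -o "$WORKDIR/$MODNAME.pp" -m "$WORKDIR/$MODNAME.mod" || return 1
    semodule -i "$WORKDIR/$MODNAME.pp"
}

# Usage: sh local_useradd_urandom.sh show | denials | install
case "${1:-show}" in
    show)     gen_te ;;
    denials)  show_denials ;;
    install)  build_and_install ;;
    *)        echo "usage: $0 show|denials|install" >&2; exit 2 ;;
esac
```

After installing, rerun the failing command (e.g. yum install httpd) and confirm with ausearch -m avc -c useradd that no further urandom_device_t denials appear; if the unencrypted-LDAP test in the post still works and the TLS case now succeeds, the single read grant was the only missing permission.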
More information about the fedora-selinux-list mailing list