Bug ID 1315149: Users authenticated via TACACS+ cannot log in via serial console

Last Modified: Aug 01, 2024

Affected Product(s):
F5OS F5OS(all modules)

Fixed In:
F5OS-C 1.6.0, F5OS-A 1.7.0, F5OS-A 1.5.2

Opened: Jun 29, 2023

Severity: 3-Major

Symptoms

If remote authentication is configured to use TACACS+, users authenticated via TACACS+ cannot log in via the system serial console. SELinux errors in /var/log/audit/audit.log similar to the following: type=AVC msg=audit(1691528610.427:121): avc: denied { name_connect } for pid=13249 comm="login" dest=49 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket permissive=0

Impact

Only locally-defined users can log in to the system via serial console.

Conditions

-- TACACS+ remote authentication. -- Attempting to log in to system via serial console.

Workaround

Configure the SELinux policy to allow this traffic. On a VELOS chassis, these instructions must be run on each system controller separately. 1. Connect to the F5OS system via SSH as root. 2. Examine the SELinux audit denials and confirm all of them are associated with traffic that should be allowed: grep 'denied.*name_connect.*comm="login"' /var/log/audit/audit.log > /root/login-audit-denials.log cat /root/login-audit-denials.log Remove entries from the file /root/login-audit-denials.log that you do not want to allow. 3. After confirming the contents of the file /root/login-audit-denials.log, run the following commands to create and install an SELinux policy to allow that traffic: audit2allow -M login.allowtacacs < /root/login-audit-denials.log semodule -i login.allowtacacs.pp

Fix Information

A missing SELinux exception has been added. Users authenticated via TACACS+ are now able to log in via serial console without having to manually add the exception or turning off SELinux.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips