Bug ID 1315149: Users authenticated via TACACS+ cannot log in via serial console

Last Modified: May 29, 2024

Affected Product(s):
F5OS (all modules)

Fixed In:
F5OS-C 1.6.0, F5OS-A 1.7.0, F5OS-A 1.5.2

Opened: Jun 29, 2023

Severity: 3-Major

Symptoms

If remote authentication is configured to use TACACS+, users authenticated via TACACS+ cannot log in via the system serial console. SELinux denials similar to the following are recorded in /var/log/audit/audit.log:

type=AVC msg=audit(1691528610.427:121): avc: denied { name_connect } for pid=13249 comm="login" dest=49 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket permissive=0

The denial shows the serial-console login process (domain local_login_t) being refused a TCP connection to destination port 49, the TACACS+ port, so the authentication request never reaches the TACACS+ server and the login fails.

Impact

Only locally-defined users can log in to the system via serial console.

Conditions

-- TACACS+ remote authentication is configured.
-- A user authenticated via TACACS+ attempts to log in to the system via serial console.

Workaround

Configure the SELinux policy to allow this traffic. On a VELOS chassis, these instructions must be run on each system controller separately.

1. Connect to the F5OS system via SSH as root.

2. Collect the SELinux audit denials and confirm that all of them are associated with traffic that should be allowed. For this bug that is the "login" process connecting to the TACACS+ server on TCP port 49 (dest=49, tclass=tcp_socket in the denial):

grep 'denied.*name_connect.*comm="login"' /var/log/audit/audit.log > /root/login-audit-denials.log
cat /root/login-audit-denials.log

Remove entries from the file /root/login-audit-denials.log that you do not want to allow. Every denial left in the file becomes an allow rule in the next step, so do not leave unrelated denials in it.

3. After confirming the contents of the file /root/login-audit-denials.log, run the following commands to create and install an SELinux policy module that allows that traffic:

audit2allow -M login.allowtacacs < /root/login-audit-denials.log
semodule -i login.allowtacacs.pp

The module installed by semodule -i persists across reboots. Once the system is running a version that contains the fix, the module is no longer needed and can be removed with semodule -r login.allowtacacs.
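The following script is an added example for the review in step 2; it is not F5 tooling and the function names are my own. It keeps only the denials that carry this bug's signature, taken from the audit line in the Symptoms section (the console "login" process, a name_connect denial on a tcp_socket, destination port 49), reports everything else on stderr, and leaves the audit2allow/semodule commands from step 3 in a separate function so that nothing is installed until the reviewed file has been inspected. The sample log it runs on stand-alone is constructed: the first line is the denial quoted in the Symptoms section, the other three are made up.

```shell
#!/bin/sh
# Added example, not F5OS tooling. Reviews collected AVC denials before they
# are fed to audit2allow, so the resulting module only whitelists the login
# process connecting to the TACACS+ port. Function names are hypothetical.

AUDIT_LOG="${AUDIT_LOG:-/var/log/audit/audit.log}"
REVIEWED="${REVIEWED:-/root/login-audit-denials.log}"
TACACS_PORT=49

# Step 2 with the review automated: print denials that match the bug's
# signature (comm="login", dest=49, tcp_socket); report anything else on
# stderr as SKIPPED so it never reaches audit2allow.
filter_login_denials() {
    grep 'denied.*name_connect.*comm="login"' "$1" | while IFS= read -r line; do
        case "$line" in
            *"comm=\"login\" dest=$TACACS_PORT "*"tclass=tcp_socket"*)
                printf '%s\n' "$line" ;;
            *)
                printf 'SKIPPED (not login -> TCP/%s): %s\n' "$TACACS_PORT" "$line" >&2 ;;
        esac
    done
}

# Number of denials that survive the filter. Zero means there is nothing to
# allow, so no module should be built.
count_kept() {
    filter_login_denials "$1" 2>/dev/null | wc -l | tr -d ' '
}

# Live run of step 2: write the filtered denials to the file the workaround
# names, for a final manual look before install_policy is called.
review_live() {
    filter_login_denials "$AUDIT_LOG" > "$REVIEWED"
    echo "kept $(count_kept "$AUDIT_LOG") denial(s) in $REVIEWED; inspect it, then run install_policy"
}

# Step 3 of the workaround, unchanged: build and load the module from the
# reviewed file. Run only on the F5OS system itself (each VELOS system
# controller separately). Remove later with: semodule -r login.allowtacacs
install_policy() {
    [ -s "$REVIEWED" ] || { echo "nothing to allow in $REVIEWED" >&2; return 1; }
    audit2allow -M login.allowtacacs < "$REVIEWED" &&
        semodule -i login.allowtacacs.pp
}

# Constructed sample log. Line 1 is the denial quoted in the bug's Symptoms;
# lines 2-4 are made up: a login denial to port 514, an sshd denial to port
# 49, and a non-AVC record. Only line 1 should survive the filter.
write_sample_log() {
    cat > "$1" <<'EOF'
type=AVC msg=audit(1691528610.427:121): avc: denied { name_connect } for pid=13249 comm="login" dest=49 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1691528700.001:130): avc: denied { name_connect } for pid=13301 comm="login" dest=514 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:syslogd_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1691528750.512:135): avc: denied { name_connect } for pid=13420 comm="sshd" dest=49 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket permissive=0
type=USER_LOGIN msg=audit(1691528800.000:140): pid=13249 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="alice" exe="/usr/bin/login" hostname=? addr=? terminal=ttyS0 res=failed'
EOF
}

# Stand-alone demo on the constructed sample. On a real system, set AUDIT_LOG
# if needed and call review_live, then install_policy after inspection.
DEMO_LOG=$(mktemp)
write_sample_log "$DEMO_LOG"
echo "denials kept for audit2allow:"
filter_login_denials "$DEMO_LOG"
echo "kept $(count_kept "$DEMO_LOG") of $(grep -c 'avc: denied' "$DEMO_LOG") AVC denials"
rm -f "$DEMO_LOG"
```

The filter is deliberately narrow: audit2allow writes an allow rule for every denial it is given, so a stray denial left in the file (the constructed port 514 line, for instance) would be whitelisted permanently alongside the TACACS+ one.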

Fix Information

A missing SELinux exception has been added. Users authenticated via TACACS+ are now able to log in via serial console without having to add the exception manually or turn off SELinux.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips