Bug 1097831
| Summary: | selinux policy for postgresql-pgpoolAdmin | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Jozef Mlich <jmlich> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED EOL | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 22 | CC: | dominick.grift, dwalsh, hhorak, lvrabec, mgrepl |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2016-07-19 11:30:53 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Jozef Mlich
2014-05-14 15:51:27 UTC
Why would this tool be writing to a /usr/ directory? /usr should be treated as Read/Only. Thanks Daniel for explanation. I have updated postgresql-pgpoolAdmin package to use /var/run/ as a read/write folder.
I think the selinux policy for this package still needs to be updated.
The pgpoolAdmin is running via httpd and it calling php function exec('pcp_node_count'), etc. . I think it is using network socket 9898 to read data from pgpool. Additionally, it may use also 5432 to read data directly from postgresql.
Here is attached short part of /var/log/audit/audit.log related to the problem.
type=AVC msg=audit(1420634129.475:134): avc: denied { name_connect } for pid=2912 comm="pcp_node_count" dest=9898 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1420634130.434:136): avc: denied { name_connect } for pid=2917 comm="pcp_node_info" dest=9898 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
Actual results:
$ setenforce 1
$ firefox http://localhost/pgpoolAdmin/status.php
Error Code e1002
Error Message pcp_node_count command error occurred.
Expected results:
$ setenforce 1
$ firefox http://localhost/pgpoolAdmin/status.php
node 0 localhost 5432 Up. Connected.
Please let me know if I can provide some additional information. Please tell me also if is the problem somewhere in package and give me a hint how to fix it.
Port 9898 looks like posgresql uses this port for You could turn on the httpd_can_network_connect boolean to allow this. setsebool -P httpd_can_network_connect 1 2ea1c5d40462afa14841640f00b219803d19bc81 defines this port as a postgresql port. You could define this your self # semanage port -a -t posgresql_port_t -p tcp 9898 Then you would turn on the httpd_can_network_connect_db boolean, which would tighten up the security. This bug appears to have been reported against 'rawhide' during the Fedora 22 development cycle. Changing version to '22'. More information and reason for this action is here: https://fedoraproject.org/wiki/Fedora_Program_Management/HouseKeeping/Fedora22 Fedora 22 changed to end-of-life (EOL) status on 2016-07-19. Fedora 22 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed. |