Bug 1344056

Summary: SELinux prevents collectd from connecting to PostgreSQL UNIX socket
Product: Red Hat Enterprise Linux 7
Component: selinux-policy
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: 7.2
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Reporter: Dustin C. Hatch <dustin>
Assignee: Lukas Vrabec <lvrabec>
QA Contact: Milos Malik <mmalik>
Docs Contact:
CC: lvrabec, mgrepl, mmalik, plautrba, pvrabec, ssekidde
Whiteboard:
Fixed In Version: selinux-policy-3.13.1-80.el7
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-11-04 02:31:33 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Dustin C. Hatch 2016-06-08 15:43:06 UTC
Description of problem:
The collectd-postgresql plugin cannot connect to a locally-running PostgreSQL instance via UNIX socket because of this AVC denial:

type=AVC msg=audit(1465396307.731:4222): avc:  denied  { write } for  pid=20104 comm="collectd" name=".s.PGSQL.5432" dev="tmpfs" ino=36537 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:postgresql_var_run_t:s0 tclass=sock_file

Version-Release number of selected component (if applicable):
collectd-5.5.1-3.el7.x86_64
collectd-postgresql-5.5.1-3.el7.x86_64
selinux-policy-3.13.1-60.el7_2.3.noarch
selinux-policy-targeted-3.13.1-60.el7_2.3.noarch

How reproducible:
Always

Steps to Reproduce:
1. Install collectd and collectd-postgresql (from EPEL)
2. Add <Plugin postgresql> and <Database {name}> entries to collectd.conf, using a filesystem directory for Host, e.g.

LoadPlugin postgresql
<Plugin postgresql>
    <Database postgres>
        Host "/run/postgresql"
        User postgres
    </Database>
</Plugin>
3. Start collectd and observe an error like this in syslog

Jun  8 14:31:47 fmosng-56d3ff collectd[20094]: Failed to connect to database postgres (postgres): could not connect to server: Permission denied#012#011Is the server running locally and accepting#012#011connections on Unix domain socket "/run/postgresql/.s.PGSQL.5432"?


Actual results:
collectd is unable to connect to the database instance

Expected results:
collectd should be able to connect to the database instance


Additional info:
The following policy modification resolves the issue:

# Local policy module; loaded alongside the distribution policy (e.g. via semodule).
policy_module(collectdlocal, 1.0.0)

# Declare the existing domain this module extends.
gen_require(`
	type collectd_t;
')

# Let collectd_t connect to PostgreSQL's UNIX stream socket; only applied
# when the postgresql policy module is present.
optional_policy(`
	postgresql_stream_connect(collectd_t)
')
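
The denial above can be triaged mechanically. Added example, not code from the report or from the selinux-policy project: a small Python parser that pulls the source/target types, object class and permissions out of an AVC record, counts recurring denials, and builds the raw allow rule that the postgresql_stream_connect() interface covers; the AVC line is a constructed copy of the one quoted in the description.

```python
import re

# Constructed copy of the AVC record quoted in this report (same fields and values).
AVC_LINE = ('type=AVC msg=audit(1465396307.731:4222): avc:  denied  { write } for  pid=20104 '
            'comm="collectd" name=".s.PGSQL.5432" dev="tmpfs" ino=36537 '
            'scontext=system_u:system_r:collectd_t:s0 '
            'tcontext=system_u:object_r:postgresql_var_run_t:s0 tclass=sock_file')

_AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return result, permissions and key=value fields of an AVC record, or None for other audit lines."""
    m = _AVC_RE.search(line)
    if not m:
        return None
    rec = {'result': m.group('result'), 'perms': sorted(m.group('perms').split())}
    for key, val in _KV_RE.findall(m.group('rest')):
        rec[key] = val.strip('"')
    # A context is user:role:type:level; policy rules are written in terms of the type.
    for ctx in ('scontext', 'tcontext'):
        if ctx in rec:
            rec[ctx + '_type'] = rec[ctx].split(':')[2]
    return rec


def summarize(lines):
    """Count denials per (source type, target type, class) to spot a recurring policy gap."""
    counts = {}
    for rec in map(parse_avc, lines):
        if rec and rec['result'] == 'denied':
            key = (rec['scontext_type'], rec['tcontext_type'], rec['tclass'])
            counts[key] = counts.get(key, 0) + 1
    return counts


def allow_rule(rec):
    """Raw allow rule equivalent to this single denial (what audit2allow would emit).

    An interface such as postgresql_stream_connect() bundles the related permissions
    (searching the run directory, connecting to the server's stream socket), so one
    AVC rarely shows the whole requirement; prefer the interface over the raw rule.
    """
    return 'allow {} {}:{} {{ {} }};'.format(
        rec['scontext_type'], rec['tcontext_type'], rec['tclass'], ' '.join(rec['perms']))


if __name__ == '__main__':
    print(allow_rule(parse_avc(AVC_LINE)))
```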

Comment 5 errata-xmlrpc 2016-11-04 02:31:33 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2283.html