Bug 508348
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | selinux policy blocks postgresql dblink_connect | | |
| Product: | Red Hat Enterprise Linux 5 | Reporter: | Jeff Bastian <jbastian> |
| Component: | selinux-policy | Assignee: | Daniel Walsh <dwalsh> |
| Status: | CLOSED ERRATA | QA Contact: | BaseOS QE <qe-baseos-auto> |
| Severity: | medium | Docs Contact: | |
| Priority: | low | | |
| Version: | 5.3 | CC: | cward, mmalik, ohudlick, rlerch, syeghiay, tao |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | Previously, SELinux was blocking the connection created by the dblink_connect functionality of PostgreSQL. With this update, selinux-policy has been updated to allow this connection. | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2009-09-02 08:00:54 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 513501 | | |
Output of 'audit2allow -R' on the AVC errors:

~~~
require {
	type postgresql_t;
}

#============= postgresql_t ==============
corenet_tcp_connect_postgresql_port(postgresql_t)
~~~

And indeed, compiling the rules in comment 1 into a module fixes the problem.

~~~
# cat dblink.te
policy_module(dblink,0.2)

require {
	type postgresql_t;
}

#============= postgresql_t ==============
corenet_tcp_connect_postgresql_port(postgresql_t)

# make
Compiling targeted dblink module
/usr/bin/checkmodule:  loading policy configuration from tmp/dblink.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 6) to tmp/dblink.mod
Creating targeted dblink.pp policy package
rm tmp/dblink.mod tmp/dblink.mod.fc

# semodule -i dblink.pp

...

testdb=> SELECT dblink_connect('hostaddr=127.0.0.1 dbname=testdb user=test password=test');
 dblink_connect
----------------
 OK
(1 row)
~~~

Fixed in selinux-policy-2.4.6-249.el5

Release note added. If any revisions are required, please set the "requires_release_notes" flag to "?" and edit the "Release Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
Previously, SELinux was blocking the connection created by the dblink_connect functionality of PostgreSQL. With this update, selinux-policy has been updated to allow this connection.

An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2009-1242.html
Description of problem:
When trying to use the dblink_connect functionality of PostgreSQL, SELinux blocks the connection. PostgreSQL gives this error when SELinux is set to enforcing:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
testdb=> SELECT dblink_connect('hostaddr=127.0.0.1 dbname=testdb user=test password=test');
ERROR:  could not establish connection
DETAIL:  could not connect to server: Permission denied
	Is the server running on host "127.0.0.1" and accepting
	TCP/IP connections on port 5432?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

When SELinux is set to permissive, PostgreSQL does:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
testdb=> SELECT dblink_connect('hostaddr=127.0.0.1 dbname=testdb user=test password=test');
 dblink_connect
----------------
 OK
(1 row)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The /var/log/audit/audit.log contains this AVC error:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
type=AVC msg=audit(1246035068.454:44): avc:  denied  { name_connect } for  pid=2028 comm="postmaster" dest=5432 scontext=root:system_r:postgresql_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

It looks like this was fixed in Fedora Core 5 with bug 189764, but the problem has resurfaced in RHEL 5.

Version-Release number of selected component (if applicable):
postgresql-8.1.11-1.el5_1.1
selinux-policy-2.4.6-203.el5

How reproducible:
every time

Steps to Reproduce:
0. Install RHEL 5.3 with PostgreSQL packages
1. Enable PostgreSQL
   chkconfig postgresql on
   service postgresql start
2. Become the postgres user
   su - postgres
3. Create a PostgreSQL user 'test' and a database 'testdb'
   createuser -S -D -R test
   createdb testdb
   psql
   ALTER USER test WITH PASSWORD 'test';
   ALTER DATABASE testdb OWNER TO test;
   \q
4. Enable password authentication with PostgreSQL
   vi /var/lib/pgsql/data/pg_hba.conf
   # Insert these lines near the top of pg_hba.conf
   local   testdb   test                  md5
   host    testdb   test   127.0.0.1/32   md5
   host    testdb   test   ::1/128        md5
   pg_ctl reload
5. Create a table in the 'testdb' database
   psql -W -U test testdb
   CREATE TABLE test ( foo int, bar real, baz varchar(80) );
   \q
6. Enable dblink_connect functionality
   psql testdb < /usr/share/pgsql/contrib/dblink.sql
7. Try to use dblink_connect
   psql -W -U test testdb
   SELECT dblink_connect('hostaddr=127.0.0.1 dbname=testdb user=test password=test');

Actual results:
dblink_connect fails with:
ERROR:  could not establish connection
DETAIL:  could not connect to server: Permission denied
	Is the server running on host "127.0.0.1" and accepting
	TCP/IP connections on port 5432?

Expected results:
dblink_connect succeeds with:
 dblink_connect
----------------
 OK
(1 row)

Additional info:
Run 'setenforce 0' to switch SELinux to permissive mode and do step 7 again and it will succeed.
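The AVC line in the description and the `audit2allow -R` output in comment 1 are two views of the same fact: the source type `postgresql_t` was denied `name_connect` on a `tcp_socket` labelled `postgresql_port_t`. The following Python is an added example, not code from the bug report or from the selinux-policy project; it parses an AVC record into its parts, derives the raw `allow` rule that `audit2allow` would print, and renders a `.te` module in the shape of the `dblink.te` shown in comment 2. The interface lookup table `INTERFACES` is a hand-written one-entry stand-in for the refpolicy interface database that the real `audit2allow -R` consults; its single entry is taken from the page's own output. The sample log line is constructed to mirror the denial in the description.

```python
"""Parse SELinux AVC denials and derive the policy statement each one implies."""
import re
from dataclasses import dataclass

# Constructed sample line, mirroring the denial quoted in this bug's description.
SAMPLE_AVC = (
    'type=AVC msg=audit(1246035068.454:44): avc:  denied  { name_connect } for  '
    'pid=2028 comm="postmaster" dest=5432 '
    'scontext=root:system_r:postgresql_t:s0 '
    'tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket'
)

# "avc:  denied  { perm perm ... } for  key=value key="quoted value" ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Hypothetical, hand-maintained subset of the refpolicy interface database
# (target type, object class, permission) -> interface name.  The only entry is
# the mapping audit2allow -R produced for this bug.
INTERFACES = {
    ('postgresql_port_t', 'tcp_socket', 'name_connect'): 'corenet_tcp_connect_postgresql_port',
}


@dataclass(frozen=True)
class AvcDenial:
    perms: tuple      # permissions inside the braces, e.g. ('name_connect',)
    fields: dict      # every key=value after "for", quotes stripped
    stype: str        # type component of scontext
    ttype: str        # type component of tcontext
    tclass: str       # object class


def parse_avc(line):
    """Return an AvcDenial for an AVC denial record, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    perms = tuple(m.group('perms').split())
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    # A security context is user:role:type[:range]; the type is the third field.
    stype = fields['scontext'].split(':')[2]
    ttype = fields['tcontext'].split(':')[2]
    return AvcDenial(perms, fields, stype, ttype, fields['tclass'])


def denials_from_log(text):
    """Extract all AVC denials from a chunk of audit.log text."""
    return [d for d in (parse_avc(line) for line in text.splitlines()) if d]


def allow_rule(d):
    """The raw rule audit2allow (without -R) would emit for this denial."""
    perms = d.perms[0] if len(d.perms) == 1 else '{ ' + ' '.join(d.perms) + ' }'
    return f'allow {d.stype} {d.ttype}:{d.tclass} {perms};'


def interface_call(d):
    """The interface-style call (audit2allow -R form) if our table knows one, else None."""
    for perm in d.perms:
        name = INTERFACES.get((d.ttype, d.tclass, perm))
        if name:
            return f'{name}({d.stype})'
    return None


def policy_module(name, version, denials):
    """Render a .te module: interface calls where known, raw allow rules otherwise.

    Raw rules need both types declared in the require block; an interface call
    only needs the source type, which is why dblink.te in this bug requires
    postgresql_t alone.
    """
    calls, raw, needed = [], [], set()
    for d in denials:
        needed.add(d.stype)
        call = interface_call(d)
        if call:
            calls.append(call)
        else:
            needed.add(d.ttype)
            raw.append(allow_rule(d))
    lines = [f'policy_module({name},{version})', '', 'require {']
    lines += [f'\ttype {t};' for t in sorted(needed)]
    lines += ['}', '']
    lines += calls + raw
    return '\n'.join(lines) + '\n'


if __name__ == '__main__':
    denials = denials_from_log(SAMPLE_AVC)
    for d in denials:
        print(allow_rule(d), '->', interface_call(d))
    print(policy_module('dblink', '0.2', denials))
```

Running the module prints the raw rule `allow postgresql_t postgresql_port_t:tcp_socket name_connect;` beside its interface form and then a `.te` file equivalent to the one in comment 2. Before compiling any generated module on a real system, read the raw rule first: here the source and target both belong to PostgreSQL, so the rule widens the domain only enough for the server to reach its own port, which is what makes the fix acceptable as a policy change rather than a reason to investigate the process.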