Bug 848158
Summary: | PostgreSQL SELinux policy lacks tunables akin to httpd_can_network_connect | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 6 | Reporter: | Dmitry S. Makovey <dmitry> |
Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
Status: | CLOSED NOTABUG | QA Contact: | BaseOS QE Security Team <qe-baseos-security> |
Severity: | medium | Docs Contact: | |
Priority: | unspecified | ||
Version: | 6.3 | CC: | dwalsh, mmalik, tgl |
Target Milestone: | rc | ||
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2012-08-20 09:31:24 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Dmitry S. Makovey
2012-08-14 19:05:20 UTC
Why wouldn't semanage port -a -t postgresql_port_t -p tcp PORTNUM Work for you? Thanks Dan, that indeed is as concise as setting up a tunable, and worth documenting someplace (I mean for postgresql users - "actions to perform to spin up another instance"). I appologize for not noticing "semanage port" to begin with. Just for completeness sake - as Tom Lane made me realize /var/lib/pgsql/dataXX would need to be relabeled too... or easier alternative would be to set up /var/lib/pgsql/data/A1 /var/lib/pgsql/data/A2 for A1 and A2 instances of postgres - this way SELinux labeling is preserved. From my end it seems to be resolved, but maybe it's worth reassigning to documentation team to get all of the above reflected in current documentation? Just a note: audit2{allow,why} for situation in comment #1 where slightly misleading: # echo "PGPORT=15432" > /etc/sysconfig/pgsql/postgresql # service postgresql start Starting postgresql service: [FAILED] # audit2allow < /var/log/audit/audit.log #============= postgresql_t ============== #!!!! This avc can be allowed using the boolean 'allow_ypbind' allow postgresql_t port_t:tcp_socket name_bind; # audit2why < /var/log/audit/audit.log type=AVC msg=audit(1345051006.095:314): avc: denied { name_bind } for pid=6053 comm="postmaster" src=15432 scontext=unconfined_u:system_r:postgresql_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket Was caused by: The boolean allow_ypbind was set incorrectly. Description: Allow system to run with NIS Allow access by executing: # setsebool -P allow_ypbind 1 type=AVC msg=audit(1345051006.132:315): avc: denied { name_bind } for pid=6053 comm="postmaster" src=15432 scontext=unconfined_u:system_r:postgresql_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket Was caused by: The boolean allow_ypbind was set incorrectly. Description: Allow system to run with NIS Allow access by executing: # setsebool -P allow_ypbind 1 Yes we have more information in setroublshoot. sealert -a /tmp/t 100% done'tuple' object has no attribute 'split' 100% donefound 1 alerts in /tmp/t -------------------------------------------------------------------------------- SELinux is preventing postmaster from name_bind access on the tcp_socket . ***** Plugin bind_ports (99.5 confidence) suggests ************************* If you want to allow postmaster to bind to network port 15432 Then you need to modify the port type. Do # semanage port -a -t PORT_TYPE -p tcp 15432 where PORT_TYPE is one of the following: postgresql_port_t. ***** Plugin catchall (1.49 confidence) suggests *************************** If you believe that postmaster should be allowed name_bind access on the tcp_socket by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep postmaster /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context unconfined_u:system_r:postgresql_t:s0 Target Context system_u:object_r:port_t:s0 Target Objects [ tcp_socket ] Source postmaster Source Path postmaster Port 15432 Host <Unknown> Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.11.1-7.fc18.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name celtics Platform Linux celtics 3.6.0-0.rc1.git4.1.fc18.x86_64 #1 SMP Sun Aug 12 21:19:31 UTC 2012 x86_64 x86_64 Alert Count 1 First Seen 2012-08-15 13:16:46 EDT Last Seen 2012-08-15 13:16:46 EDT Local ID 9d7d6e66-4eec-44fd-827b-39c0a8b44be7 Raw Audit Messages type=AVC msg=audit(1345051006.95:314): avc: denied { name_bind } for pid=6053 comm="postmaster" src=15432 scontext=unconfined_u:system_r:postgresql_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket Hash: postmaster,postgresql_t,port_t,tcp_socket,name_bind audit2allow #============= postgresql_t ============== #!!!! This avc can be allowed using the boolean 'nis_enabled' allow postgresql_t port_t:tcp_socket name_bind; audit2allow -R #============= postgresql_t ============== #!!!! This avc can be allowed using the boolean 'nis_enabled' allow postgresql_t port_t:tcp_socket name_bind; Thanks Dan, that is useful to know. Does that mean that one should depend more on sealert rather than audit2* tools alone? I do realize that there's inaccuracy involved and it can't be 100% accurate, but I am looking for the best path of troubleshooting it in the future. setroubleshoot/sealert is smarter the audit2allow. (It actually uses audit2allow, but has a richer database.) Slowly but surely we will be moving some of sealert smarts into audit2allow. (In reply to comment #3) > From my end it seems to be resolved, but maybe it's worth reassigning to > documentation team to get all of the above reflected in current > documentation? I'll see about capturing some of this knowledge in the postgresql RPM's README, at least. I'm not sure if there is anyplace where more formal documentation should go. In the meantime, this seems like NOTABUG for the selinux-policy crew. works for me. Thanks. I've added the following text to the README.rpm-dist doc file for postgresql: If you are running SELinux in enforcing mode (which is highly recommended, particularly for network-exposed services like PostgreSQL) you will need to adjust SELinux policy to allow the postmaster to use non-default PGPORT or PGDATA settings. To allow use of a non-default port, say 5433, do this as root: semanage port -a -t postgresql_port_t -p tcp 5433 To allow use of a non-default data directory, say /special/pgdata, do: semanage fcontext -a -t postgresql_db_t "/special/pgdata(/.*)?" If you already created the directory, follow that with: restorecon -R /special/pgdata These settings are persistent across reboots. For more information see "man semanage". |