From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7

Description of problem:
PostgreSQL's PAM authentication does not work under the SELinux targeted policy. The problem seems to be because postmaster can't run /sbin/unix_chkpwd. I do not believe this was a problem prior to RHEL4U2.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.17.30-2.110.noarch, postgresql-7.4.8-1.RHEL4.1.i386

How reproducible:
Always

Steps to Reproduce:
1. Enable the targeted SELinux policy, and configure it to protect the postgresql service.
2. Configure Postgres for PAM authentication.
3. Try to connect to Postgres.

Actual Results: "Access denied."

Expected Results: Successful login.

Additional info:
Full audit logs:

Oct 25 11:07:40 dbserver kernel: audit(1130252860.602:91): avc: denied { create } for pid=27053 comm="postmaster" scontext=root:system_r:postgresql_t tcontext=root:system_r:postgresql_t tclass=netlink_route_socket
Oct 25 11:07:40 dbserver kernel: audit(1130252860.606:92): avc: denied { read } for pid=27053 comm="postmaster" name="cert.pem" dev=dm-0 ino=3424499 scontext=root:system_r:postgresql_t tcontext=system_u:object_r:usr_t tclass=lnk_file
Oct 25 11:07:40 dbserver kernel: audit(1130252860.647:93): avc: denied { execute } for pid=27054 comm="postmaster" name="unix_chkpwd" dev=dm-0 ino=704658 scontext=root:system_r:postgresql_t tcontext=system_u:object_r:sbin_t tclass=file
Oct 25 11:07:40 dbserver postgresql(pam_unix)[27053]: authentication failure; logname= uid=26 euid=26 tty= ruser= rhost= user=josh
Oct 25 11:07:40 dbserver kernel: audit(1130252860.648:94): avc: denied { create } for pid=27053 comm="postmaster" scontext=root:system_r:postgresql_t tcontext=root:system_r:postgresql_t tclass=netlink_route_socket
Oct 25 11:07:40 dbserver kernel: audit(1130252860.650:95): avc: denied { read } for pid=27053 comm="postmaster" name="cert.pem" dev=dm-0 ino=3424499 scontext=root:system_r:postgresql_t tcontext=system_u:object_r:usr_t tclass=lnk_file
Oct 25 11:07:40 dbserver kernel: audit(1130252860.686:96): avc: denied { create } for pid=27053 comm="postmaster" scontext=root:system_r:postgresql_t tcontext=root:system_r:postgresql_t tclass=netlink_audit_socket
Oct 25 11:07:40 dbserver josh testdb dbclient.jbc.edu authentication[27053]: PAM audit_open() failed: Permission denied
Oct 25 11:07:40 dbserver kernel: audit(1130252860.772:97): avc: denied { create } for pid=27055 comm="postmaster" scontext=root:system_r:postgresql_t tcontext=root:system_r:postgresql_t tclass=netlink_route_socket
Oct 25 11:07:40 dbserver kernel: audit(1130252860.776:98): avc: denied { read } for pid=27055 comm="postmaster" name="cert.pem" dev=dm-0 ino=3424499 scontext=root:system_r:postgresql_t tcontext=system_u:object_r:usr_t tclass=lnk_file
Oct 25 11:07:40 dbserver kernel: audit(1130252860.839:99): avc: denied { execute } for pid=27056 comm="postmaster" name="unix_chkpwd" dev=dm-0 ino=704658 scontext=root:system_r:postgresql_t tcontext=system_u:object_r:sbin_t tclass=file
Oct 25 11:07:40 dbserver postgresql(pam_unix)[27055]: authentication failure; logname= uid=26 euid=26 tty= ruser= rhost= user=josh
Oct 25 11:07:40 dbserver kernel: audit(1130252860.840:100): avc: denied { create } for pid=27055 comm="postmaster" scontext=root:system_r:postgresql_t tcontext=root:system_r:postgresql_t tclass=netlink_route_socket
Oct 25 11:07:40 dbserver kernel: audit(1130252860.842:101): avc: denied { read } for pid=27055 comm="postmaster" name="cert.pem" dev=dm-0 ino=3424499 scontext=root:system_r:postgresql_t tcontext=system_u:object_r:usr_t tclass=lnk_file
Oct 25 11:07:40 dbserver kernel: audit(1130252860.878:102): avc: denied { create } for pid=27055 comm="postmaster" scontext=root:system_r:postgresql_t tcontext=root:system_r:postgresql_t tclass=netlink_audit_socket
Oct 25 11:07:40 dbserver josh testdb dbclient.jbc.edu authentication[27055]: PAM audit_open() failed: Permission denied
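To triage a burst of AVC denials like the one in the report, it helps to collapse the raw kernel lines into unique (source type, target type, object class) tuples with the union of denied permissions, which is essentially what audit2allow does before emitting candidate rules. The following is an added example written for this page, not code from the bug report or from Red Hat; the function names (parse_avc, summarize, suggest_rules) are my own, and the sample log is a copy of the audit lines quoted above, embedded inline so the script runs offline. It makes the denial that actually breaks PAM (execute on unix_chkpwd, labelled sbin_t) stand out from the netlink and cert.pem noise, and prints allow rules only as review candidates, since a real policy would normally give unix_chkpwd its own domain rather than let postgresql_t execute it directly.

```python
import re

# Constructed sample input: the kernel AVC and PAM lines quoted in the bug report above.
SAMPLE_LOG = """\
Oct 25 11:07:40 dbserver kernel: audit(1130252860.602:91): avc: denied { create } for pid=27053 comm="postmaster" scontext=root:system_r:postgresql_t tcontext=root:system_r:postgresql_t tclass=netlink_route_socket
Oct 25 11:07:40 dbserver kernel: audit(1130252860.606:92): avc: denied { read } for pid=27053 comm="postmaster" name="cert.pem" dev=dm-0 ino=3424499 scontext=root:system_r:postgresql_t tcontext=system_u:object_r:usr_t tclass=lnk_file
Oct 25 11:07:40 dbserver kernel: audit(1130252860.647:93): avc: denied { execute } for pid=27054 comm="postmaster" name="unix_chkpwd" dev=dm-0 ino=704658 scontext=root:system_r:postgresql_t tcontext=system_u:object_r:sbin_t tclass=file
Oct 25 11:07:40 dbserver postgresql(pam_unix)[27053]: authentication failure; logname= uid=26 euid=26 tty= ruser= rhost= user=josh
Oct 25 11:07:40 dbserver kernel: audit(1130252860.648:94): avc: denied { create } for pid=27053 comm="postmaster" scontext=root:system_r:postgresql_t tcontext=root:system_r:postgresql_t tclass=netlink_route_socket
Oct 25 11:07:40 dbserver kernel: audit(1130252860.650:95): avc: denied { read } for pid=27053 comm="postmaster" name="cert.pem" dev=dm-0 ino=3424499 scontext=root:system_r:postgresql_t tcontext=system_u:object_r:usr_t tclass=lnk_file
Oct 25 11:07:40 dbserver kernel: audit(1130252860.686:96): avc: denied { create } for pid=27053 comm="postmaster" scontext=root:system_r:postgresql_t tcontext=root:system_r:postgresql_t tclass=netlink_audit_socket
Oct 25 11:07:40 dbserver josh testdb dbclient.jbc.edu authentication[27053]: PAM audit_open() failed: Permission denied
Oct 25 11:07:40 dbserver kernel: audit(1130252860.772:97): avc: denied { create } for pid=27055 comm="postmaster" scontext=root:system_r:postgresql_t tcontext=root:system_r:postgresql_t tclass=netlink_route_socket
Oct 25 11:07:40 dbserver kernel: audit(1130252860.776:98): avc: denied { read } for pid=27055 comm="postmaster" name="cert.pem" dev=dm-0 ino=3424499 scontext=root:system_r:postgresql_t tcontext=system_u:object_r:usr_t tclass=lnk_file
Oct 25 11:07:40 dbserver kernel: audit(1130252860.839:99): avc: denied { execute } for pid=27056 comm="postmaster" name="unix_chkpwd" dev=dm-0 ino=704658 scontext=root:system_r:postgresql_t tcontext=system_u:object_r:sbin_t tclass=file
Oct 25 11:07:40 dbserver postgresql(pam_unix)[27055]: authentication failure; logname= uid=26 euid=26 tty= ruser= rhost= user=josh
Oct 25 11:07:40 dbserver kernel: audit(1130252860.840:100): avc: denied { create } for pid=27055 comm="postmaster" scontext=root:system_r:postgresql_t tcontext=root:system_r:postgresql_t tclass=netlink_route_socket
Oct 25 11:07:40 dbserver kernel: audit(1130252860.842:101): avc: denied { read } for pid=27055 comm="postmaster" name="cert.pem" dev=dm-0 ino=3424499 scontext=root:system_r:postgresql_t tcontext=system_u:object_r:usr_t tclass=lnk_file
Oct 25 11:07:40 dbserver kernel: audit(1130252860.878:102): avc: denied { create } for pid=27055 comm="postmaster" scontext=root:system_r:postgresql_t tcontext=root:system_r:postgresql_t tclass=netlink_audit_socket
Oct 25 11:07:40 dbserver josh testdb dbclient.jbc.edu authentication[27055]: PAM audit_open() failed: Permission denied
"""

# "avc: denied { perm perm } for key=value key="quoted value" ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial line, or None for any other log line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    # A context is user:role:type[:level]; the type (index 2) is what policy rules are written against.
    return {
        'perms': m.group('perms').split(),
        'pid': fields.get('pid'),
        'comm': fields.get('comm'),
        'name': fields.get('name'),          # object name, absent for socket classes
        'stype': fields['scontext'].split(':')[2],
        'ttype': fields['tcontext'].split(':')[2],
        'tclass': fields['tclass'],
    }


def summarize(log_text):
    """Aggregate denials by (source type, target type, class): union of perms, hit count, names, pids."""
    agg = {}
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d is None:
            continue
        entry = agg.setdefault((d['stype'], d['ttype'], d['tclass']),
                               {'perms': set(), 'count': 0, 'names': set(), 'pids': set()})
        entry['perms'].update(d['perms'])
        entry['count'] += 1
        entry['pids'].add(d['pid'])
        if d['name']:
            entry['names'].add(d['name'])
    return agg


def suggest_rules(summary):
    """Render candidate allow rules in policy syntax (audit2allow style); review before using."""
    rules = []
    for (stype, ttype, tclass), entry in sorted(summary.items()):
        target = 'self' if stype == ttype else ttype
        perms = sorted(entry['perms'])
        perm_text = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
        rules.append(f'allow {stype} {target}:{tclass} {perm_text};')
    return rules


if __name__ == '__main__':
    summary = summarize(SAMPLE_LOG)
    for key, entry in sorted(summary.items()):
        names = ','.join(sorted(entry['names'])) or '-'
        print(f"{entry['count']:>3}x {key[0]} -> {key[1]}:{key[2]} {sorted(entry['perms'])} names={names}")
    print('candidate rules (review, do not install blindly):')
    for rule in suggest_rules(summary):
        print('  ' + rule)
```

Run on the report's log, the summary shows four distinct denial kinds; the two execute denials on unix_chkpwd from the per-connection child pids (27054, 27056) are the ones tied to the "authentication failure" lines, while the netlink_route_socket, netlink_audit_socket and cert.pem symlink denials come from the parent process and explain the "PAM audit_open() failed" message rather than the login failure itself.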
I think the best option here is to disable trans for postgresql. I was not even aware that postgres could do this. I can set this up in Rawhide and RHEL5 to allow a boolean, but in RHEL4 this would be very difficult.

setsebool -P postgresql_disable_trans=1

Dan
Okay, I'll stick with that fix for now. Thanks.