Bug 508348 - selinux policy blocks postgresql dblink_connect
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.3
Hardware/OS: All / Linux
Priority: low
Severity: medium
Target Milestone: rc
Assigned To: Daniel Walsh
QA Contact: BaseOS QE
Blocks: 5.4/TechnicalNotes
Reported: 2009-06-26 13:04 EDT by Jeff Bastian
Modified: 2012-10-15 10:13 EDT (History)

Doc Type: Bug Fix
Doc Text:
Previously, SELinux was blocking the connection created by the dblink_connect functionality of PostgreSQL. With this update, selinux-policy has been updated to allow this connection.
Last Closed: 2009-09-02 04:00:54 EDT
Description Jeff Bastian 2009-06-26 13:04:27 EDT
Description of problem:
When trying to use the dblink_connect functionality of PostgreSQL, SELinux blocks the connection.

PostgreSQL gives this error when SELinux is set to enforcing:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
testdb=> SELECT dblink_connect('hostaddr=127.0.0.1 dbname=testdb user=test password=test');
ERROR:  could not establish connection
DETAIL:  could not connect to server: Permission denied
        Is the server running on host "127.0.0.1" and accepting
        TCP/IP connections on port 5432?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

When SELinux is set to permissive, PostgreSQL does:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
testdb=> SELECT dblink_connect('hostaddr=127.0.0.1 dbname=testdb user=test password=test');
 dblink_connect
----------------
 OK
(1 row)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The /var/log/audit/audit.log contains this AVC error:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
type=AVC msg=audit(1246035068.454:44): avc:  denied  { name_connect } for  pid=2028 comm="postmaster" dest=5432 scontext=root:system_r:postgresql_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


It looks like this was fixed in Fedora Core 5 with bug 189764, but the problem has resurfaced in RHEL 5.


Version-Release number of selected component (if applicable):
postgresql-8.1.11-1.el5_1.1
selinux-policy-2.4.6-203.el5

How reproducible:
every time

Steps to Reproduce:
0. Install RHEL 5.3 with PostgreSQL packages

1. Enable PostgreSQL
     chkconfig postgresql on
     service postgresql start

2. Become the postgres user
     su - postgres

3. Create a PostgreSQL user 'test' and a database 'testdb'
     createuser -S -D -R test
     createdb testdb
     psql
       ALTER USER test WITH PASSWORD 'test';
       ALTER DATABASE testdb OWNER TO test;
       \q

4. Enable password authentication with PostgreSQL
     vi /var/lib/pgsql/data/pg_hba.conf
       # Insert these lines near the top of pg_hba.conf
       local   testdb      test                              md5
       host    testdb      test        127.0.0.1/32          md5
       host    testdb      test        ::1/128               md5
     pg_ctl reload

5. Create a table in the 'testdb' database
     psql -W -U test testdb
       CREATE TABLE test ( foo int, bar real, baz varchar(80) );
       \q

6. Enable dblink_connect functionality
     psql testdb < /usr/share/pgsql/contrib/dblink.sql

7. Try to use dblink_connect
     psql -W -U test testdb
     SELECT dblink_connect('hostaddr=127.0.0.1 dbname=testdb 
                            user=test password=test');


Actual results:
dblink_connect fails with:
ERROR:  could not establish connection
DETAIL:  could not connect to server: Permission denied
        Is the server running on host "127.0.0.1" and accepting
        TCP/IP connections on port 5432?


Expected results:
dblink_connect succeeds with:
 dblink_connect
----------------
 OK
(1 row)


Additional info:
Run 'setenforce 0' to switch SELinux to permissive mode and do step 7 again and it will succeed.
Comment 1 Jeff Bastian 2009-06-26 13:11:02 EDT
Output of 'audit2allow -R' on the AVC errors:


require {
        type postgresql_t;
}

#============= postgresql_t ==============
corenet_tcp_connect_postgresql_port(postgresql_t)
Comment 2 Jeff Bastian 2009-06-26 13:26:04 EDT
And indeed, compiling the rules in comment 1 into a module fixes the problem.

# cat dblink.te
policy_module(dblink,0.2)

require {
        type postgresql_t;
}

#============= postgresql_t ==============
corenet_tcp_connect_postgresql_port(postgresql_t)

# make
Compiling targeted dblink module
/usr/bin/checkmodule:  loading policy configuration from tmp/dblink.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 6) to tmp/dblink.mod
Creating targeted dblink.pp policy package
rm tmp/dblink.mod tmp/dblink.mod.fc

# semodule -i dblink.pp

...

testdb=> SELECT dblink_connect('hostaddr=127.0.0.1 dbname=testdb user=test password=test');
 dblink_connect
----------------
 OK
(1 row)
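A small parser for AVC records like the one quoted in the description, together with the raw allow rule that audit2allow would derive from it (the `corenet_tcp_connect_postgresql_port()` interface in comments 1 and 2 wraps that same rule). This is an added example, not part of the bug report; the sample record is the one from the report's audit.log, embedded inline.

```python
import re

# AVC record copied from the bug report's /var/log/audit/audit.log, used as sample input.
SAMPLE_AVC = ('type=AVC msg=audit(1246035068.454:44): avc:  denied  { name_connect } '
              'for  pid=2028 comm="postmaster" dest=5432 '
              'scontext=root:system_r:postgresql_t:s0 '
              'tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket')

AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)')


def parse_avc(line):
    """Return the fields of one AVC record as a dict, or None if the line is not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['perms'] = rec['perms'].split()
    # A security context is user:role:type[:level]; the type is the third component.
    rec['stype'] = rec['scontext'].split(':')[2]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    for key in ('pid', 'comm', 'dest'):
        f = re.search(r'\b%s=("?)([^"\s]+)\1' % key, line)
        rec[key] = f.group(2) if f else None
    return rec


def allow_rule(rec):
    """Raw allow rule for this denial, as audit2allow prints it without -R interface lookup."""
    return 'allow %s %s:%s { %s };' % (rec['stype'], rec['ttype'],
                                       rec['tclass'], ' '.join(rec['perms']))


def postgresql_dblink_denials(lines):
    """Pick out denials with the dblink symptom: postgresql_t name_connect to postgresql_port_t."""
    hits = []
    for line in lines:
        rec = parse_avc(line)
        if (rec and rec['result'] == 'denied' and rec['stype'] == 'postgresql_t'
                and rec['ttype'] == 'postgresql_port_t' and rec['tclass'] == 'tcp_socket'
                and 'name_connect' in rec['perms']):
            hits.append(rec)
    return hits
```

After installing the policy module from comment 2, the same scan over fresh audit.log lines should return no hits for this pattern.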
Comment 3 Daniel Walsh 2009-06-26 14:38:07 EDT
Fixed in selinux-policy-2.4.6-249.el5
Comment 12 Ryan Lerch 2009-08-11 00:09:09 EDT
Release note added. If any revisions are required, please set the 
"requires_release_notes" flag to "?" and edit the "Release Notes" field accordingly.
All revisions will be proofread by the Engineering Content Services team.

New Contents:
Previously, SELinux was blocking the connection created by the dblink_connect functionality of PostgreSQL. With this update, selinux-policy has been updated to allow this connection.
Comment 14 errata-xmlrpc 2009-09-02 04:00:54 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2009-1242.html
