Description of problem:
When trying to use the dblink_connect functionality of PostgreSQL, SELinux blocks the connection. PostgreSQL gives this error when SELinux is set to enforcing:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
testdb=> SELECT dblink_connect('hostaddr=127.0.0.1 dbname=testdb user=test password=test');
ERROR:  could not establish connection
DETAIL:  could not connect to server: Permission denied
        Is the server running on host "127.0.0.1" and accepting
        TCP/IP connections on port 5432?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

When SELinux is set to permissive, PostgreSQL does:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
testdb=> SELECT dblink_connect('hostaddr=127.0.0.1 dbname=testdb user=test password=test');
 dblink_connect
----------------
 OK
(1 row)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The /var/log/audit/audit.log contains this AVC error:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
type=AVC msg=audit(1246035068.454:44): avc: denied { name_connect } for pid=2028 comm="postmaster" dest=5432 scontext=root:system_r:postgresql_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

It looks like this was fixed in Fedora Core 5 with bug 189764, but the problem has resurfaced in RHEL 5.

Version-Release number of selected component (if applicable):
postgresql-8.1.11-1.el5_1.1
selinux-policy-2.4.6-203.el5

How reproducible:
every time

Steps to Reproduce:
0. Install RHEL 5.3 with PostgreSQL packages
1. Enable PostgreSQL
   chkconfig postgresql on
   service postgresql start
2. Become the postgres user
   su - postgres
3. Create a PostgreSQL user 'test' and a database 'testdb'
   createuser -S -D -R test
   createdb testdb
   psql
   ALTER USER test WITH PASSWORD 'test';
   ALTER DATABASE testdb OWNER TO test;
   \q
4. Enable password authentication with PostgreSQL
   vi /var/lib/pgsql/data/pg_hba.conf
   # Insert these lines near the top of pg_hba.conf
   local   testdb   test                  md5
   host    testdb   test   127.0.0.1/32   md5
   host    testdb   test   ::1/128        md5
   pg_ctl reload
5. Create a table in the 'testdb' database
   psql -W -U test testdb
   CREATE TABLE test (
       foo int,
       bar real,
       baz varchar(80)
   );
   \q
6. Enable dblink_connect functionality
   psql testdb < /usr/share/pgsql/contrib/dblink.sql
7. Try to use dblink_connect
   psql -W -U test testdb
   SELECT dblink_connect('hostaddr=127.0.0.1 dbname=testdb user=test password=test');

Actual results:
dblink_connect fails with:

ERROR:  could not establish connection
DETAIL:  could not connect to server: Permission denied
        Is the server running on host "127.0.0.1" and accepting
        TCP/IP connections on port 5432?

Expected results:
dblink_connect succeeds with:

 dblink_connect
----------------
 OK
(1 row)

Additional info:
Run 'setenforce 0' to switch SELinux to permissive mode and do step 7 again and it will succeed.
Output of 'audit2allow -R' on the AVC errors:

require {
	type postgresql_t;
}

#============= postgresql_t ==============
corenet_tcp_connect_postgresql_port(postgresql_t)
And indeed, compiling the rules in comment 1 into a module fixes the problem.

# cat dblink.te
policy_module(dblink,0.2)

require {
	type postgresql_t;
}

#============= postgresql_t ==============
corenet_tcp_connect_postgresql_port(postgresql_t)

# make
Compiling targeted dblink module
/usr/bin/checkmodule:  loading policy configuration from tmp/dblink.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 6) to tmp/dblink.mod
Creating targeted dblink.pp policy package
rm tmp/dblink.mod tmp/dblink.mod.fc
# semodule -i dblink.pp
...
testdb=> SELECT dblink_connect('hostaddr=127.0.0.1 dbname=testdb user=test password=test');
 dblink_connect
----------------
 OK
(1 row)
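As an added illustration, not part of this bug report and not the implementation of audit2allow itself, the following Python reads AVC records like the one quoted in the description and renders the module from the comment above in raw allow-rule form (a plain `allow` rule plus its `require` block, instead of the corenet_tcp_connect_postgresql_port() interface that `audit2allow -R` emits). The audit.log excerpt is constructed from the denial in the report, with a SYSCALL record and a later "granted" record added so the parser has something to skip; the rendered module covers only the source type, target type, class and permissions that were actually denied.

```python
import re

# Constructed audit.log excerpt: the denial quoted in the bug report, its companion
# SYSCALL record, and a later "granted" AVC record that must not produce a rule.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1246035068.454:44): avc: denied { name_connect } for pid=2028 comm="postmaster" dest=5432 scontext=root:system_r:postgresql_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1246035068.454:44): arch=c000003e syscall=42 success=no exit=-13 comm="postmaster"
type=AVC msg=audit(1246035100.001:45): avc: granted { name_connect } for pid=2028 comm="postmaster" dest=5432 scontext=root:system_r:postgresql_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
"""

# Fields of an AVC record that determine a type-enforcement rule.
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def parse_avc(line):
    """Rule-relevant fields of one AVC record, or None for any other record type."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    # A security context is user:role:type[:range]; only the type matters for TE rules.
    return {"result": m.group("result"), "perms": m.group("perms").split(),
            "stype": m.group("scontext").split(":")[2],
            "ttype": m.group("tcontext").split(":")[2], "tclass": m.group("tclass")}


def denied_accesses(log_text):
    """Distinct (source type, target type, class, permissions) tuples that were denied."""
    seen = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        key = (rec["stype"], rec["ttype"], rec["tclass"], tuple(sorted(rec["perms"])))
        if key not in seen:
            seen.append(key)
    return seen


def render_te_module(name, version, log_text):
    """Policy module source (.te) covering exactly the denials found in log_text."""
    accesses = denied_accesses(log_text)
    types = sorted({t for a in accesses for t in a[:2]})
    classes = sorted({(a[2], a[3]) for a in accesses})
    out = ["policy_module(%s, %s)" % (name, version), "", "require {"]
    out += ["\ttype %s;" % t for t in types]
    out += ["\tclass %s { %s };" % (c, " ".join(p)) for c, p in classes]
    out += ["}", ""]
    out += ["allow %s %s:%s { %s };" % (s, t, c, " ".join(p)) for s, t, c, p in accesses]
    return "\n".join(out) + "\n"
```

Calling render_te_module("dblink", "0.2", SAMPLE_AUDIT_LOG) yields a dblink.te that can be built and loaded with the same make / semodule -i steps shown in the comment above.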
Fixed in selinux-policy-2.4.6-249.el5
Release note added. If any revisions are required, please set the "requires_release_notes" flag to "?" and edit the "Release Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
Previously, SELinux was blocking the connection created by the dblink_connect functionality of PostgreSQL. With this update, selinux-policy has been updated to allow this connection.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2009-1242.html