Description of problem:

My Fedora 10-based PostgreSQL database server has joined an Active Directory (Windows Server 2003) domain, using pam_winbind/nss_winbind and configured through Fedora's authconfig wizard. I want to configure PostgreSQL to authenticate a particular database role using the corresponding AD domain user account, via PAM.

After creating the role and its database (see below for step-by-step instructions), I could not log into the database with this account. PostgreSQL did not log any authentication error messages, but by chance I noticed the following entry in the audit log:

    type=AVC msg=audit(1251253382.223:5326): avc: denied { create } for pid=17786 comm=postmaster scontext=unconfined_u:system_r:postgresql_t:s0 tcontext=unconfined_u:system_r:postgresql_t:s0 tclass=netlink_audit_socket

I used "audit2allow" (per http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) to generate a local policy module that overrode this denial. Testing still resulted in authentication failures, but I saw a different audit log entry:

    type=AVC msg=audit(1251306056.861:5486): avc: denied { write } for pid=17308 comm=postmaster scontext=unconfined_u:system_r:postgresql_t:s0 tcontext=unconfined_u:system_r:postgresql_t:s0 tclass=netlink_audit_socket

Again, I re-ran audit2allow (now with the above two audit log entries), PAM authentication to the database still failed to work, and I saw a different audit log entry:

    type=AVC msg=audit(1251306404.31:5504): avc: denied { nlmsg_relay } for pid=17713 comm=postmaster scontext=unconfined_u:system_r:postgresql_t:s0 tcontext=unconfined_u:system_r:postgresql_t:s0 tclass=netlink_audit_socket

And again:

    type=AVC msg=audit(1251306861.650:5516): avc: denied { read } for pid=18152 comm=postmaster scontext=unconfined_u:system_r:postgresql_t:s0 tcontext=unconfined_u:system_r:postgresql_t:s0 tclass=netlink_audit_socket

Finally, with the following local policy module, I can use PAM/winbind to authenticate to a PostgreSQL role:

    module localpostgresql 1.0;

    require {
            type postgresql_t;
            class netlink_audit_socket { write nlmsg_relay create read };
    }

    #============= postgresql_t ==============
    allow postgresql_t self:netlink_audit_socket { write nlmsg_relay create read };

Version-Release number of selected component (if applicable):

    selinux-policy-3.5.13-65.fc10.noarch
    selinux-policy-targeted-3.5.13-65.fc10.noarch
    postgresql-server-8.3.7-1.fc10.i386

How reproducible:

I'm not sure how many people authenticate PostgreSQL database roles against a Windows domain via PAM and Winbind, but I encounter the above AVC denials every time I try this particular combination. I happen to be using SSL encryption on my database connections, but I don't think that has any bearing on this issue. I mention it here only to describe my configuration completely.

Steps to Reproduce:

0. Assume a default install of Fedora 10 that has been joined to an Active Directory domain, but where "/etc/samba/smb.conf" has been edited such that "winbind use default domain" has been changed from "false" (Fedora's default) to "true" (so that domain user names are not prefixed with the NetBIOS domain name).

1. Add the PostgreSQL database server role to a computer running Fedora 10.

    yum -y groupinstall "PostgreSQL Database"

2. Install additional PostgreSQL support packages and documentation.

    yum -y install postgresql-contrib postgresql-docs

3. Initialize the database.

    service postgresql initdb

4. Create a self-signed X.509 RSA key pair for use with SSL encryption of database connections using commands similar to the following. Change the X.509 subject "/DC=com/DC=example/DC=int/CN=loc-ex-sql-01.int.example.com" and database server hostname "loc-ex-sql-01.int.example.com" to reflect the database server's actual hostname and parent Active Directory LDAP name.

    openssl req -new -nodes -subj "/DC=com/DC=example/DC=int/CN=loc-ex-sql-01.int.example.com" \
        -out /var/lib/pgsql/data/server.req -keyout /var/lib/pgsql/data/server.key
    openssl req -x509 -in /var/lib/pgsql/data/server.req -text -key /var/lib/pgsql/data/server.key \
        -out /var/lib/pgsql/data/server.crt
    chown postgres:postgres /var/lib/pgsql/data/server.*
    chmod 0600 /var/lib/pgsql/data/server.*

5. Enable SSL encryption of database connections.

    sed -i'' -e 's/#ssl = off/ssl = on/' /var/lib/pgsql/data/postgresql.conf

6. Reconfigure PostgreSQL to listen on all interfaces (allows connections from other computers, as the database and application servers are separate in my environment).

    sed -i'' -e "s/#listen_addresses = 'localhost'/listen_addresses = '*' /" \
        /var/lib/pgsql/data/postgresql.conf

7. Enable PostgreSQL and start the database manager.

    chkconfig postgresql on
    service postgresql start

8. Note the audit log entry "setroubleshoot: SELinux is preventing postmaster (postgresql_t) "append" to /var/lib/pgsql/pgstartup.log (var_lib_t)" and restore the original SELinux label on the above log file (not sure, but could be an error on my part).

    restorecon '/var/lib/pgsql/pgstartup.log'

9. Configure PostgreSQL to allow the "domainuser" service account to access the "test" database from one of the application servers by editing the file /var/lib/pgsql/data/pg_hba.conf. 192.0.2.100 would be the IPv4 address of the application server. "domainuser" is an Active Directory user account.

    ed /var/lib/pgsql/data/pg_hba.conf
    a
    hostssl test domainuser 192.0.2.100/32 pam postgresql
    .
    w
    q

10. Add the "domainuser" PostgreSQL database role (which corresponds to the "domainuser" user account).

    sudo -u postgres createuser -S -D -R -l -i domainuser

11. Create the "test" PostgreSQL database and give the "domainuser" role ownership of it.

    sudo -u postgres createdb --owner=domainuser test

12. Restart the database server to make certain that these configuration changes take effect.

    service postgresql restart

13. From the application server, attempt to connect to the "test" database using the "domainuser" account (requires that the "postgresql" package be installed, which contains the "psql" command). 192.0.2.101 would be the IPv4 address of the database server. Enter the account's password when prompted.

    psql -h 192.0.2.101 -U domainuser -d test

Actual results:

    psql: FATAL: PAM authentication failed for user "domainuser"

Expected results:

    Welcome to psql 8.3.7, the PostgreSQL interactive terminal.

    Type:  \copyright for distribution terms
           \h for help with SQL commands
           \? for help with psql commands
           \g or terminate with semicolon to execute query
           \q to quit

    SSL connection (cipher: DHE-RSA-AES256-SHA, bits: 256)

    test=>

Additional info:

I can provide a more detailed server build log if necessary. In my case, I was specifically configuring PostgreSQL as a database back-end for Sqlgrey.
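The reporter needed four audit2allow rounds because each run only sees the permissions the kernel has denied so far: the first denied operation on the netlink_audit_socket aborts the PAM call, so the next permission is only exercised once the previous one is allowed. The following script is an added example (not part of the bug report or of Fedora's tooling) that shows the aggregation step audit2allow performs: it parses the "avc: denied" records quoted above, merges every permission seen for the same source type, target and object class, and renders the equivalent Type Enforcement source. The AVC records are copied from the report and a non-AVC USER_AUTH line is constructed to show that unrelated records are skipped; the module name "localpostgresql" matches the reporter's module, and the resulting allow rule is the raw form of what the maintainer's logging_send_audit_msgs(postgresql_t) interface grants in the fixed policy.

```python
import re
from collections import OrderedDict

# Constructed sample input: the four AVC records quoted in the report above,
# in the order the reporter hit them, plus one unrelated audit record.
AVC_LINES = [
    "type=AVC msg=audit(1251253382.223:5326): avc: denied { create } for "
    "pid=17786 comm=postmaster scontext=unconfined_u:system_r:postgresql_t:s0 "
    "tcontext=unconfined_u:system_r:postgresql_t:s0 tclass=netlink_audit_socket",
    "type=AVC msg=audit(1251306056.861:5486): avc: denied { write } for "
    "pid=17308 comm=postmaster scontext=unconfined_u:system_r:postgresql_t:s0 "
    "tcontext=unconfined_u:system_r:postgresql_t:s0 tclass=netlink_audit_socket",
    "type=AVC msg=audit(1251306404.31:5504): avc: denied { nlmsg_relay } for "
    "pid=17713 comm=postmaster scontext=unconfined_u:system_r:postgresql_t:s0 "
    "tcontext=unconfined_u:system_r:postgresql_t:s0 tclass=netlink_audit_socket",
    "type=AVC msg=audit(1251306861.650:5516): avc: denied { read } for "
    "pid=18152 comm=postmaster scontext=unconfined_u:system_r:postgresql_t:s0 "
    "tcontext=unconfined_u:system_r:postgresql_t:s0 tclass=netlink_audit_socket",
    # Constructed non-AVC record (values are made up) to show it is ignored.
    "type=USER_AUTH msg=audit(1251306861.700:5517): user pid=18152 uid=26 "
    "auid=4294967295 msg='PAM: authentication acct=\"domainuser\"'",
]

# Matches the permission set in braces and everything after "for".
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")


def parse_avc(line):
    """Return a dict for one 'avc: denied' record, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {}
    for token in m.group("rest").split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value.strip('"')
    return {
        "perms": m.group("perms").split(),
        "scontext": fields.get("scontext", ""),
        "tcontext": fields.get("tcontext", ""),
        "tclass": fields.get("tclass", ""),
    }


def type_of(context):
    """Extract the type field from a user:role:type[:range] security context."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else context


def aggregate(lines):
    """Merge denials into {(source_type, target, tclass): [perms in first-seen order]}.

    When source and target types are equal the target is written as 'self',
    which is exactly the shape of the reporter's rule.
    """
    rules = OrderedDict()
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        stype = type_of(rec["scontext"])
        ttype = type_of(rec["tcontext"])
        target = "self" if ttype == stype else ttype
        perms = rules.setdefault((stype, target, rec["tclass"]), [])
        for perm in rec["perms"]:
            if perm not in perms:
                perms.append(perm)
    return rules


def render_module(name, version, rules):
    """Render Type Enforcement (.te) source in the layout audit2allow emits."""
    types, classes = set(), OrderedDict()
    for (stype, target, tclass), perms in rules.items():
        types.add(stype)
        if target != "self":
            types.add(target)
        merged = classes.setdefault(tclass, [])
        merged.extend(p for p in perms if p not in merged)
    out = ["module %s %s;" % (name, version), "", "require {"]
    out += ["\ttype %s;" % t for t in sorted(types)]
    out += ["\tclass %s { %s };" % (c, " ".join(p)) for c, p in classes.items()]
    out += ["}", ""]
    last_source = None
    for (stype, target, tclass), perms in rules.items():
        if stype != last_source:
            out.append("#============= %s ==============" % stype)
            last_source = stype
        out.append("allow %s %s:%s { %s };" % (stype, target, tclass, " ".join(perms)))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(render_module("localpostgresql", "1.0", aggregate(AVC_LINES)))
```

Running it prints a module equivalent to the reporter's, with all four permissions collected in one pass instead of four. The practical lesson is to gather the complete set of denials for a domain before building a local module, and, as the maintainer did here, to prefer the policy's own interface for the capability (sending audit messages) over a hand-written allow rule, so the grant stays in step with future policy changes.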
Miroslav, could you add logging_send_audit_msgs(postgresql_t) to F10 and F11?
Fixed in selinux-policy-3.5.13-71.fc10
This message is a reminder that Fedora 10 is nearing its end of life. Approximately 30 (thirty) days from now Fedora will stop maintaining and issuing updates for Fedora 10. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '10'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 10's end of life. Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 10 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora please change the 'version' of this bug to the applicable version. If you are unable to change the version, please add a comment here and someone will do it for you. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Closing as closed in the current release.