Bug 519475 - SELinux prevents PostgreSQL from using PAM and Winbind
Summary: SELinux prevents PostgreSQL from using PAM and Winbind
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 10
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Ben Levenson
Depends On:
Reported: 2009-08-26 18:30 UTC by Matthew X. Economou
Modified: 2009-11-18 13:04 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2009-11-18 13:04:52 UTC


Description Matthew X. Economou 2009-08-26 18:30:46 UTC
Description of problem:

My Fedora 10-based PostgreSQL database server has joined an Active Directory (Windows Server 2003) domain, using pam_winbind/nss_winbind and configured through Fedora's authconfig wizard.  I want to configure PostgreSQL to authenticate a particular database role using the corresponding AD domain user account, via PAM.  After creating the role and its database (see below for step-by-step instructions), I could not log into the database with this account.  PostgreSQL did not log any authentication error messages, but by chance I noticed the following entry in the audit log:

type=AVC msg=audit(1251253382.223:5326): avc:  denied  { create } for  pid=17786 comm=postmaster scontext=unconfined_u:system_r:postgresql_t:s0 tcontext=unconfined_u:system_r:postgresql_t:s0 tclass=netlink_audit_socket

I used "audit2allow" (per http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) to generate a local policy module that overrode this denial.  Testing still resulted in authentication failures, but I saw a different audit log entry:

type=AVC msg=audit(1251306056.861:5486): avc:  denied  { write } for  pid=17308 comm=postmaster scontext=unconfined_u:system_r:postgresql_t:s0 tcontext=unconfined_u:system_r:postgresql_t:s0 tclass=netlink_audit_socket

Again, I re-ran audit2allow (now with the above two audit log entries), PAM authentication to the database still failed to work, and I saw a different audit log entry:

type=AVC msg=audit(1251306404.31:5504): avc:  denied  { nlmsg_relay } for  pid=17713 comm=postmaster scontext=unconfined_u:system_r:postgresql_t:s0 tcontext=unconfined_u:system_r:postgresql_t:s0 tclass=netlink_audit_socket

And again:

type=AVC msg=audit(1251306861.650:5516): avc:  denied  { read } for  pid=18152 comm=postmaster scontext=unconfined_u:system_r:postgresql_t:s0 tcontext=unconfined_u:system_r:postgresql_t:s0 tclass=netlink_audit_socket

Finally, with the following local policy module, I can use PAM/winbind to authenticate to a PostgreSQL role:

    module localpostgresql 1.0;

    require {
            type postgresql_t;
            class netlink_audit_socket { write nlmsg_relay create read };
    }

    #============= postgresql_t ==============
    allow postgresql_t self:netlink_audit_socket { write nlmsg_relay create read };

Version-Release number of selected component (if applicable):


How reproducible:

I'm not sure how many people authenticate PostgreSQL database roles against a Windows domain via PAM and Winbind, but I encounter the above AVC denials every time I try this particular combination.

I happen to be using SSL encryption on my database connections, but I don't think that has any bearing on this issue.  I mention it here only to describe my configuration completely.

Steps to Reproduce:
0. Assume a default install of Fedora 10 that has been joined to an Active Directory domain, but where "/etc/samba/smb.conf" has been edited such that "winbind use default domain" has been changed from "false" (Fedora's default) to "true" (so that domain user names are not prefixed with the NetBIOS domain name).
1. Add the PostgreSQL database server role to a computer running Fedora 10.
	yum -y groupinstall "PostgreSQL Database"
2. Install additional PostgreSQL support packages and documentation.
	yum -y install postgresql-contrib postgresql-docs
3. Initialize the database.
	service postgresql initdb
4. Create a self-signed X.509 RSA key pair for use with SSL encryption of database connections using commands similar to the following.  Change the X.509 subject "/DC=com/DC=example/DC=int/CN=loc-ex-sql-01.int.example.com" and database server hostname "loc-ex-sql-01.int.example.com" to reflect the database server's actual hostname and parent Active Directory LDAP name.
	openssl req -new -nodes -subj "/DC=com/DC=example/DC=int/CN=loc-ex-sql-01.int.example.com" \
	  -out /var/lib/pgsql/data/server.req -keyout /var/lib/pgsql/data/server.key
	openssl req -x509 -in /var/lib/pgsql/data/server.req -text -key /var/lib/pgsql/data/server.key \
	  -out /var/lib/pgsql/data/server.crt
	chown postgres:postgres /var/lib/pgsql/data/server.*
	chmod 0600 /var/lib/pgsql/data/server.*
5. Enable SSL encryption of database connections.
	sed -i'' -e 's/#ssl = off/ssl = on/' /var/lib/pgsql/data/postgresql.conf
6. Reconfigure PostgreSQL to listen on all interfaces (allows connections from other computers, as the database and application servers are separate in my environment).
	sed -i'' -e "s/#listen_addresses = 'localhost'/listen_addresses = '*'  /" \
7. Enable PostgreSQL and start the database manager.
	chkconfig postgresql on
	service postgresql start
8. Note the audit log entry "setroubleshoot: SELinux is preventing postmaster (postgresql_t) "append" to /var/lib/pgsql/pgstartup.log (var_lib_t)" and restore the original SELinux label on the above log file (not sure but could be an error on my part).
	restorecon '/var/lib/pgsql/pgstartup.log'
9. Configure PostgreSQL to allow the "domainuser" service account to access the "test" database from one of the application servers by editing the file /var/lib/pgsql/data/pg_hba.conf. would be the IPv4 address of the application server.  "domainuser" is an Active Directory user account.
	ed /var/lib/pgsql/data/pg_hba.conf
	hostssl test domainuser pam postgresql
10. Add the "domainuser" PostgreSQL database role (which corresponds to the "domainuser" user account).
	sudo -u postgres createuser -S -D -R -l -i domainuser
11. Create the "test" PostgreSQL database and give the "domainuser" role ownership of it.
	sudo -u postgres createdb --owner=domainuser test
12. Restart the database server to make certain that these configuration changes take effect.
	service postgresql restart
13. From the application server, attempt to connect to the "test" database using the "domainuser" account (requires the "postgresql" package be installed, which contains the "psql" command). would be the IPv4 address of the database server.  Enter the account's password when prompted.
	psql -h -U domainuser -d test
Actual results:

psql: FATAL:  PAM authentication failed for user "domainuser"

Expected results:

Welcome to psql 8.3.7, the PostgreSQL interactive terminal.

Type:  \copyright for distribution terms
       \h for help with SQL commands
       \? for help with psql commands
       \g or terminate with semicolon to execute query
       \q to quit

SSL connection (cipher: DHE-RSA-AES256-SHA, bits: 256)


Additional info:

I can provide a more detailed server build log if necessary.  In my case, I was specifically configuring PostgreSQL as a database back-end for Sqlgrey.
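The report shows why the reporter had to re-run audit2allow four times: each run grants one permission, the next test trips the next check, and a new AVC appears. The script below is an added example (not part of the bug report or of the Fedora policy tooling) that parses the four AVC lines quoted above, aggregates every denied permission per (source type, target type, class) in one pass, and renders a module source with a properly closed require block. The log text is constructed from the report's own entries; function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample: the four AVC denials quoted in the report, one per test run.
AVC_LOG = """\
type=AVC msg=audit(1251253382.223:5326): avc:  denied  { create } for  pid=17786 comm=postmaster scontext=unconfined_u:system_r:postgresql_t:s0 tcontext=unconfined_u:system_r:postgresql_t:s0 tclass=netlink_audit_socket
type=AVC msg=audit(1251306056.861:5486): avc:  denied  { write } for  pid=17308 comm=postmaster scontext=unconfined_u:system_r:postgresql_t:s0 tcontext=unconfined_u:system_r:postgresql_t:s0 tclass=netlink_audit_socket
type=AVC msg=audit(1251306404.31:5504): avc:  denied  { nlmsg_relay } for  pid=17713 comm=postmaster scontext=unconfined_u:system_r:postgresql_t:s0 tcontext=unconfined_u:system_r:postgresql_t:s0 tclass=netlink_audit_socket
type=AVC msg=audit(1251306861.650:5516): avc:  denied  { read } for  pid=18152 comm=postmaster scontext=unconfined_u:system_r:postgresql_t:s0 tcontext=unconfined_u:system_r:postgresql_t:s0 tclass=netlink_audit_socket
"""

# The type is the third field of a context (user:role:type[:level]).
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]*)\} .*?scontext=[^:]+:[^:]+:(?P<stype>[^:\s]+)"
    r".*?tcontext=[^:]+:[^:]+:(?P<ttype>[^:\s]+).*?tclass=(?P<tclass>\w+)"
)

def parse_avc(text):
    """Return (source type, target type, class, {perms}) for each AVC denial line."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            denials.append((m["stype"], m["ttype"], m["tclass"], set(m["perms"].split())))
    return denials

def aggregate(denials):
    """Merge all denied permissions per (source, target, class) so one module covers them all."""
    rules = defaultdict(set)
    for stype, ttype, tclass, perms in denials:
        rules[(stype, ttype, tclass)] |= perms
    return dict(rules)

def render_module(name, rules, version="1.0"):
    """Emit .te source; the require block declares every type and class the allow rules use."""
    types = sorted({t for key in rules for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass] |= perms
    out = [f"module {name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        target = "self" if stype == ttype else ttype  # same domain on both sides -> self
        out.append(f"allow {stype} {target}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(render_module("localpostgresql", aggregate(parse_avc(AVC_LOG))))
```

Aggregating after the failing test has been exercised end to end (or, better, in permissive mode for the domain) avoids the one-permission-per-run loop; the resulting rule is what the policy interface named in the fix below bundles for postgresql_t.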

Comment 1 Daniel Walsh 2009-08-26 18:58:34 UTC
Miroslav could you add

logging_send_audit_msgs(postgresql_t) to F10 and F11

Comment 2 Miroslav Grepl 2009-09-03 15:24:23 UTC
Fixed in selinux-policy-3.5.13-71.fc10

Comment 3 Bug Zapper 2009-11-18 12:13:09 UTC
This message is a reminder that Fedora 10 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 10.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '10'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 10's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 10 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 

Comment 4 Daniel Walsh 2009-11-18 13:04:52 UTC
Closing as closed in the current release.
