Bug 848158 - PostgreSQL SELinux policy lacks tunables akin to httpd_can_network_connect
PostgreSQL SELinux policy lacks tunables akin to httpd_can_network_connect
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy (Show other bugs)
6.3
All Linux
unspecified Severity medium
: rc
: ---
Assigned To: Miroslav Grepl
BaseOS QE Security Team
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2012-08-14 15:05 EDT by Dmitry S. Makovey
Modified: 2012-08-20 05:31 EDT (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-08-20 05:31:24 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Dmitry S. Makovey 2012-08-14 15:05:20 EDT
Description of problem:

Current postgreSQL startup scripts are flexible enough to be able to spin several instances of PostgreSQL DB on the same box. While no extra coding required for that to happen:

 $ cd /etc/init.d/; ln -s postgresql mypg
 $ su postgres -c 'mkdir /var/lib/pgsql/data.mypg'
 $ echo "PGPORT=9876;PGDATA=/var/lib/pgsql/data.mypg" > /etc/sysconfig/pgsql/mypg
 $ service mypg start

with SELinux on, one has to craft special module. For certain setups I would be beneficial to have tunable "postgres_alternative_ports" or something that would allow either range of the ports to be used by newly spawned postgreSQL instances or any port. 

Admitably this will only work for some cases where PostgreSQL is in "trusted" environment, in other cases custom policy would be a better route. 

Version-Release number of selected component (if applicable):

postgresql-8.4.12-1.el6_2.x86_64

How reproducible:

often

Steps to Reproduce:

1. $ cd /etc/init.d/; ln -s postgresql mypg
2. $ su postgres -c 'mkdir /var/lib/pgsql/data.mypg'
3. $ echo "PGPORT=9876;PGDATA=/var/lib/pgsql/data.mypg" > /etc/sysconfig/pgsql/mypg
4. $ service mypg start
  
Actual results:

SELinux denial of access. Requirement to build a policy module.

Expected results:

tweak of a tunable should allow successfull startup for the situations where security can be less strict

Additional info:

I have posted a bit more information in other bug ( if that is of any interest ) : bug #847357
Comment 2 Daniel Walsh 2012-08-15 06:29:12 EDT
Why wouldn't 

semanage port -a -t  postgresql_port_t -p tcp PORTNUM

Work for you?
Comment 3 Dmitry S. Makovey 2012-08-15 12:58:52 EDT
Thanks Dan,

that indeed is as concise as setting up a tunable, and worth documenting someplace (I mean for postgresql users - "actions to perform to spin up another instance"). I appologize for not noticing "semanage port" to begin with. 

Just for completeness sake - as Tom Lane made me realize /var/lib/pgsql/dataXX would need to be relabeled too... or easier alternative would be to set up /var/lib/pgsql/data/A1 /var/lib/pgsql/data/A2 for A1 and A2 instances of postgres - this way SELinux labeling is preserved. 

From my end it seems to be resolved, but maybe it's worth reassigning to documentation team to get all of the above reflected in current documentation?
Comment 4 Dmitry S. Makovey 2012-08-15 13:19:12 EDT
Just a note: audit2{allow,why} for situation in comment #1 where slightly misleading:

# echo "PGPORT=15432" > /etc/sysconfig/pgsql/postgresql 

# service postgresql start
Starting postgresql service:                               [FAILED]

# audit2allow < /var/log/audit/audit.log


#============= postgresql_t ==============
#!!!! This avc can be allowed using the boolean 'allow_ypbind'

allow postgresql_t port_t:tcp_socket name_bind;

# audit2why < /var/log/audit/audit.log
type=AVC msg=audit(1345051006.095:314): avc:  denied  { name_bind } for  pid=6053 comm="postmaster" src=15432 scontext=unconfined_u:system_r:postgresql_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket

        Was caused by:
        The boolean allow_ypbind was set incorrectly. 
        Description:
        Allow system to run with NIS

        Allow access by executing:
        # setsebool -P allow_ypbind 1
type=AVC msg=audit(1345051006.132:315): avc:  denied  { name_bind } for  pid=6053 comm="postmaster" src=15432 scontext=unconfined_u:system_r:postgresql_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket

        Was caused by:
        The boolean allow_ypbind was set incorrectly. 
        Description:
        Allow system to run with NIS

        Allow access by executing:
        # setsebool -P allow_ypbind 1
Comment 5 Daniel Walsh 2012-08-15 14:21:15 EDT
Yes we have more information in setroublshoot.

sealert -a /tmp/t
100% done'tuple' object has no attribute 'split'
100% donefound 1 alerts in /tmp/t
--------------------------------------------------------------------------------

SELinux is preventing postmaster from name_bind access on the tcp_socket .

*****  Plugin bind_ports (99.5 confidence) suggests  *************************

If you want to allow postmaster to bind to network port 15432
Then you need to modify the port type.
Do
# semanage port -a -t PORT_TYPE -p tcp 15432
    where PORT_TYPE is one of the following: postgresql_port_t.

*****  Plugin catchall (1.49 confidence) suggests  ***************************

If you believe that postmaster should be allowed name_bind access on the  tcp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep postmaster /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                unconfined_u:system_r:postgresql_t:s0
Target Context                system_u:object_r:port_t:s0
Target Objects                 [ tcp_socket ]
Source                        postmaster
Source Path                   postmaster
Port                          15432
Host                          <Unknown>
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.11.1-7.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     celtics
Platform                      Linux celtics 3.6.0-0.rc1.git4.1.fc18.x86_64 #1
                              SMP Sun Aug 12 21:19:31 UTC 2012 x86_64 x86_64
Alert Count                   1
First Seen                    2012-08-15 13:16:46 EDT
Last Seen                     2012-08-15 13:16:46 EDT
Local ID                      9d7d6e66-4eec-44fd-827b-39c0a8b44be7

Raw Audit Messages
type=AVC msg=audit(1345051006.95:314): avc:  denied  { name_bind } for  pid=6053 comm="postmaster" src=15432 scontext=unconfined_u:system_r:postgresql_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket


Hash: postmaster,postgresql_t,port_t,tcp_socket,name_bind

audit2allow

#============= postgresql_t ==============
#!!!! This avc can be allowed using the boolean 'nis_enabled'

allow postgresql_t port_t:tcp_socket name_bind;

audit2allow -R

#============= postgresql_t ==============
#!!!! This avc can be allowed using the boolean 'nis_enabled'

allow postgresql_t port_t:tcp_socket name_bind;
Comment 6 Dmitry S. Makovey 2012-08-15 14:44:55 EDT
Thanks Dan, that is useful to know. Does that mean that one should depend more on sealert rather than audit2* tools alone? I do realize that there's inaccuracy involved and it can't be 100% accurate, but I am looking for the best path of troubleshooting it in the future.
Comment 7 Daniel Walsh 2012-08-15 15:17:52 EDT
setroubleshoot/sealert is smarter the audit2allow. (It actually uses audit2allow, but has a richer database.)

Slowly but surely we will be moving some of sealert smarts into audit2allow.
Comment 8 Tom Lane 2012-08-15 15:42:05 EDT
(In reply to comment #3)
> From my end it seems to be resolved, but maybe it's worth reassigning to
> documentation team to get all of the above reflected in current
> documentation?

I'll see about capturing some of this knowledge in the postgresql RPM's README, at least.  I'm not sure if there is anyplace where more formal documentation should go.

In the meantime, this seems like NOTABUG for the selinux-policy crew.
Comment 9 Dmitry S. Makovey 2012-08-15 16:54:19 EDT
works for me. Thanks.
Comment 10 Tom Lane 2012-08-17 12:38:48 EDT
I've added the following text to the README.rpm-dist doc file for postgresql:

If you are running SELinux in enforcing mode (which is highly recommended,
particularly for network-exposed services like PostgreSQL) you will need to
adjust SELinux policy to allow the postmaster to use non-default PGPORT or
PGDATA settings.  To allow use of a non-default port, say 5433, do this
as root:
	semanage port -a -t postgresql_port_t -p tcp 5433
To allow use of a non-default data directory, say /special/pgdata, do:
	semanage fcontext -a -t postgresql_db_t "/special/pgdata(/.*)?"
If you already created the directory, follow that with:
	restorecon -R /special/pgdata
These settings are persistent across reboots.  For more information
see "man semanage".

Note You need to log in before you can comment on or make changes to this bug.