postgres issues
Craig White
craigwhite at azapple.com
Fri Nov 10 15:03:49 UTC 2006
I should point out that I am still getting these errors
in /var/log/audit/audit.log after making the changes below to local.te
type=AVC msg=audit(1163170839.586:153524): avc: denied { write } for
pid=29409 comm="postmaster" scontext=root:system_r:postgresql_t
tcontext=root:system_r:postgresql_t tclass=netlink_audit_socket
type=SYSCALL msg=audit(1163170839.586:153524): arch=40000003 syscall=102
success=no exit=-13 a0=b a1=bfec3f80 a2=a0eff4 a3=88 items=0 pid=29409
auid=0 uid=26 gid=26 euid=26 suid=26 fsuid=26 egid=26 sgid=26 fsgid=26
comm="postmaster" exe="/usr/bin/postgres"
type=SOCKADDR msg=audit(1163170839.586:153524):
saddr=100000000000000000000000
type=SOCKETCALL msg=audit(1163170839.586:153524): nargs=6 a0=3
a1=bfec8220 a2=88 a3=0 a4=bfec8210 a5=c
the additions that I made to local.te were:
allow postgresql_t self:netlink_audit_socket create;
allow postgresql_t self:netlink_route_socket create;
Craig
On Thu, 2006-11-09 at 14:54 -0700, Craig White wrote:
> on CentOS 4.4 - trying to have postgres authenticate a user via pam via
> LDAP
>
> ;-)
>
> I do see in /var/log/audit/audit.log
>
> type=AVC msg=audit(1163102102.393:151988): avc: denied { read } for
> pid=9424 comm="postmaster" name="ldaprc" dev=dm-0 ino=2864066
> scontext=root:system_r:postgresql_t tcontext=root:object_r:var_lib_t tclass=file
> type=SYSCALL msg=audit(1163102102.393:151988): arch=40000003 syscall=5
> success=no exit=-13 a0=8381848 a1=0 a2=1b6 a3=0 items=1 pid=9424 auid=0
> uid=26 gid=26 euid=26 suid=26 fsuid=26 egid=26 sgid=26 fsgid=26 comm="postmaster"
> exe="/usr/bin/postgres"
> type=CWD msg=audit(1163102102.393:151988): cwd="/var/lib/pgsql"
> type=PATH msg=audit(1163102102.393:151988): name="/var/lib/pgsql/ldaprc"
> flags=101 inode=2864066 dev=fd:00 mode=0100644 ouid=26 ogid=26
> rdev=00:00
> type=AVC msg=audit(1163102102.395:151989): avc: denied { create } for
> pid=9424 comm="postmaster" scontext=root:system_r:postgresql_t
> tcontext=root:system_r:postgresql_t tclass=netlink_route_socket
> type=SYSCALL msg=audit(1163102102.395:151989): arch=40000003 syscall=102
> success=no exit=-13 a0=1 a1=bfecd3cc a2=892ff4 a3=bfece464 items=0
> pid=9424 auid=0
> uid=26 gid=26 euid=26 suid=26 fsuid=26 egid=26 sgid=26 fsgid=26
> comm="postmaster" exe="/usr/bin/postgres"
> type=SOCKETCALL msg=audit(1163102102.395:151989): nargs=3 a0=10 a1=3
> a2=0
> type=AVC msg=audit(1163102102.449:151990): avc: denied { create } for
> pid=9424 comm="postmaster" scontext=root:system_r:postgresql_t
> tcontext=root:system_r:postgresql_t tclass=netlink_audit_socket
> type=SYSCALL msg=audit(1163102102.449:151990): arch=40000003 syscall=102
> success=no exit=-13 a0=1 a1=bfecc380 a2=a0eff4 a3=0 items=0 pid=9424
> auid=0 uid=26
> gid=26 euid=26 suid=26 fsuid=26 egid=26 sgid=26 fsgid=26
> comm="postmaster" exe="/usr/bin/postgres"
>
> SO this is what I did...
>
> # audit2allow -i /var/log/audit/audit.log
> allow postgresql_t self:netlink_audit_socket create;
> allow postgresql_t self:netlink_route_socket create;
> allow postgresql_t var_lib_t:file read;
>
> # audit2allow -i /var/log/audit/audit.log \
> >> /etc/selinux/targeted/src/policy/domains/local.te
>
> # cd /etc/selinux/targeted/src/policy/
> # make reload
>
> but I am still being refused access per strace of process (forked from
> postmaster / postgres)
>
> [pid 11494] connect(3, {sa_family=AF_INET, sin_port=htons(0),
> sin_addr=inet_addr("192.168.2.0")}, 16) = -1 EACCES (Permission denied)
>
> [pid 11494] connect(3, {sa_family=AF_INET, sin_port=htons(0),
> sin_addr=inet_addr("255.255.255.255")}, 16) = -1 EACCES (Permission
> denied)
>
> [pid 11494] connect(3, {sa_family=AF_INET, sin_port=htons(0),
> sin_addr=inet_addr("192.168.2.0")}, 16) = -1 EACCES (Permission denied)
>
> What am I missing?
>
> Thanks
>
> Craig
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
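The thread above shows why audit2allow output is worth checking against what is already in local.te rather than re-appending it: the rules added in the follow-up grant `create` on the netlink sockets, while the newest AVC record is a `write` denial on `netlink_audit_socket`, which those rules do not cover. The script below is an added example, not part of the thread or of the audit2allow tool itself; it re-joins the AVC records quoted in the thread into a constructed sample log, groups the denials into candidate allow rules the way audit2allow presents them, and then reports which denied permissions the two lines Craig added to local.te still leave ungranted. The sample log and the assumed local.te contents are constructed from the messages above.

```python
"""Group SELinux AVC denials into candidate allow rules and diff them
against rules already written, so a reviewer sees what is still missing.
Added example: not part of the mailing-list thread or of audit2allow."""
import re
from collections import defaultdict

# Constructed sample: the AVC (and one SYSCALL) records quoted in the
# thread, re-joined onto single lines as they appear in audit.log.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1163170839.586:153524): avc: denied { write } for pid=29409 comm="postmaster" scontext=root:system_r:postgresql_t tcontext=root:system_r:postgresql_t tclass=netlink_audit_socket
type=SYSCALL msg=audit(1163170839.586:153524): arch=40000003 syscall=102 success=no exit=-13 a0=b a1=bfec3f80 a2=a0eff4 a3=88 items=0 pid=29409 auid=0 uid=26 gid=26 euid=26 suid=26 fsuid=26 egid=26 sgid=26 fsgid=26 comm="postmaster" exe="/usr/bin/postgres"
type=AVC msg=audit(1163102102.393:151988): avc: denied { read } for pid=9424 comm="postmaster" name="ldaprc" dev=dm-0 ino=2864066 scontext=root:system_r:postgresql_t tcontext=root:object_r:var_lib_t tclass=file
type=AVC msg=audit(1163102102.395:151989): avc: denied { create } for pid=9424 comm="postmaster" scontext=root:system_r:postgresql_t tcontext=root:system_r:postgresql_t tclass=netlink_route_socket
type=AVC msg=audit(1163102102.449:151990): avc: denied { create } for pid=9424 comm="postmaster" scontext=root:system_r:postgresql_t tcontext=root:system_r:postgresql_t tclass=netlink_audit_socket
"""

# Assumed local.te additions: the two lines listed in the follow-up mail.
LOCAL_TE_ADDITIONS = """\
allow postgresql_t self:netlink_audit_socket create;
allow postgresql_t self:netlink_route_socket create;
"""

AVC_RE = re.compile(
    r'type=AVC\b.*?\bavc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
RULE_RE = re.compile(r'^\s*allow\s+(\w+)\s+(\w+):(\w+)\s+(\{[^}]*\}|\w+)\s*;')


def parse_avc(line):
    """Return the denial described by one AVC record, or None for other record types."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    # A context is user:role:type[:range]; TE rules are written on the type.
    stype = fields['scontext'].split(':')[2]
    ttype = fields['tcontext'].split(':')[2]
    return {
        'perms': set(m.group('perms').split()),
        'stype': stype,
        'ttype': 'self' if ttype == stype else ttype,   # audit2allow's "self" shorthand
        'tclass': fields['tclass'],
        'comm': fields.get('comm'),
        'name': fields.get('name'),
    }


def collect_denials(log_text):
    """Map (source type, target type, object class) -> set of denied permissions."""
    denied = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            denied[(rec['stype'], rec['ttype'], rec['tclass'])] |= rec['perms']
    return dict(denied)


def format_rule(stype, ttype, tclass, perms):
    """Render one allow rule; several permissions go in braces, one goes bare."""
    perms = sorted(perms)
    body = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return f'allow {stype} {ttype}:{tclass} {body};'


def denials_to_rules(log_text):
    """Candidate allow rules for every denial in the log, one per (src, tgt, class)."""
    return [format_rule(*key, perms)
            for key, perms in sorted(collect_denials(log_text).items())]


def parse_rules(te_text):
    """Read allow rules from a .te fragment into the same keyed form as the denials."""
    allowed = defaultdict(set)
    for line in te_text.splitlines():
        m = RULE_RE.match(line)
        if m:
            allowed[(m.group(1), m.group(2), m.group(3))] |= set(m.group(4).strip('{} ').split())
    return dict(allowed)


def missing_rules(log_text, te_text):
    """Denied permissions that the existing rules do not yet grant."""
    allowed = parse_rules(te_text)
    gaps = {}
    for key, perms in collect_denials(log_text).items():
        still_denied = perms - allowed.get(key, set())
        if still_denied:
            gaps[key] = still_denied
    return gaps


if __name__ == '__main__':
    print('Candidate rules from the log:')
    for rule in denials_to_rules(SAMPLE_AUDIT_LOG):
        print('  ' + rule)
    print('Still not granted by the local.te additions:')
    for (stype, ttype, tclass), perms in sorted(missing_rules(SAMPLE_AUDIT_LOG, LOCAL_TE_ADDITIONS).items()):
        print('  ' + format_rule(stype, ttype, tclass, perms))
```

Run against the constructed sample, the gap report lists `write` on `self:netlink_audit_socket` and `read` on `var_lib_t:file`, which is exactly the difference between the first audit2allow output in the thread and the two lines that ended up in local.te. Keeping such a diff in the review loop is a small guard against the habit of piping audit2allow straight into policy: every rule it emits widens the postgresql_t domain, so each one should be recognised as a permission the service genuinely needs before it is loaded.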