postgres issues

Craig White craigwhite at azapple.com
Thu Nov 9 21:54:31 UTC 2006


on CentOS 4.4 - trying to have postgres authenticate a user via pam via
LDAP

;-)

I do see in /var/log/audit/audit.log

type=AVC msg=audit(1163102102.393:151988): avc:  denied  { read } for pid=9424 comm="postmaster" name="ldaprc" dev=dm-0 ino=2864066 scontext=root:system_r:postgresql_t tcontext=root:object_r:var_lib_t tclass=file
type=SYSCALL msg=audit(1163102102.393:151988): arch=40000003 syscall=5 success=no exit=-13 a0=8381848 a1=0 a2=1b6 a3=0 items=1 pid=9424 auid=0 uid=26 gid=26 euid=26 suid=26 fsuid=26 egid=26 sgid=26 fsgid=26 comm="postmaster" exe="/usr/bin/postgres"
type=CWD msg=audit(1163102102.393:151988):  cwd="/var/lib/pgsql"
type=PATH msg=audit(1163102102.393:151988): name="/var/lib/pgsql/ldaprc" flags=101  inode=2864066 dev=fd:00 mode=0100644 ouid=26 ogid=26 rdev=00:00
type=AVC msg=audit(1163102102.395:151989): avc:  denied  { create } for pid=9424 comm="postmaster" scontext=root:system_r:postgresql_t tcontext=root:system_r:postgresql_t tclass=netlink_route_socket
type=SYSCALL msg=audit(1163102102.395:151989): arch=40000003 syscall=102 success=no exit=-13 a0=1 a1=bfecd3cc a2=892ff4 a3=bfece464 items=0 pid=9424 auid=0 uid=26 gid=26 euid=26 suid=26 fsuid=26 egid=26 sgid=26 fsgid=26 comm="postmaster" exe="/usr/bin/postgres"
type=SOCKETCALL msg=audit(1163102102.395:151989): nargs=3 a0=10 a1=3 a2=0
type=AVC msg=audit(1163102102.449:151990): avc:  denied  { create } for pid=9424 comm="postmaster" scontext=root:system_r:postgresql_t tcontext=root:system_r:postgresql_t tclass=netlink_audit_socket
type=SYSCALL msg=audit(1163102102.449:151990): arch=40000003 syscall=102 success=no exit=-13 a0=1 a1=bfecc380 a2=a0eff4 a3=0 items=0 pid=9424 auid=0 uid=26 gid=26 euid=26 suid=26 fsuid=26 egid=26 sgid=26 fsgid=26 comm="postmaster" exe="/usr/bin/postgres"

So this is what I did...

# audit2allow -i /var/log/audit/audit.log
allow postgresql_t self:netlink_audit_socket create;
allow postgresql_t self:netlink_route_socket create;
allow postgresql_t var_lib_t:file read;

# audit2allow -i /var/log/audit/audit.log \
 >> /etc/selinux/targeted/src/policy/domains/local.te

# cd /etc/selinux/targeted/src/policy/
# make reload

but I am still being refused access per strace of process (forked from
postmaster / postgres)

[pid 11494] connect(3, {sa_family=AF_INET, sin_port=htons(0), sin_addr=inet_addr("192.168.2.0")}, 16) = -1 EACCES (Permission denied)

[pid 11494] connect(3, {sa_family=AF_INET, sin_port=htons(0), sin_addr=inet_addr("255.255.255.255")}, 16) = -1 EACCES (Permission denied)

[pid 11494] connect(3, {sa_family=AF_INET, sin_port=htons(0), sin_addr=inet_addr("192.168.2.0")}, 16) = -1 EACCES (Permission denied)

What am I missing?

Thanks

Craig
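The workflow in the post (collect AVC records, turn them into allow rules, load the policy) is what audit2allow automates. The following Python script is an added example, not part of the original message or of the audit2allow tool: it parses the audit records quoted above (re-joined onto one line each and embedded here as a constructed sample), merges the denials into audit2allow-style rules, ties each AVC to the syscall that triggered it via the shared audit serial, and then checks whether any AVC explains a connect() failure. The function names (parse_avcs, parse_syscalls, allow_rules, connect_denials) and the i386 syscall table are my own. The check matters for the situation described: an EACCES in strace with no matching "avc: denied" record in audit.log usually means the denial is suppressed by a dontaudit rule, so appending the visible denials and reloading can never fix it; the log has to be made to show the hidden AVC first. A second caveat the script makes visible: "allow postgresql_t var_lib_t:file read;" grants read on every var_lib_t file, so relabelling ldaprc to the type the rest of /var/lib/pgsql carries is the narrower fix.

```python
import re
from collections import defaultdict

# Constructed sample: the records quoted in the post, re-joined onto one line each.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1163102102.393:151988): avc:  denied  { read } for pid=9424 comm="postmaster" name="ldaprc" dev=dm-0 ino=2864066 scontext=root:system_r:postgresql_t tcontext=root:object_r:var_lib_t tclass=file
type=SYSCALL msg=audit(1163102102.393:151988): arch=40000003 syscall=5 success=no exit=-13 a0=8381848 a1=0 a2=1b6 a3=0 items=1 pid=9424 auid=0 uid=26 gid=26 euid=26 suid=26 fsuid=26 egid=26 sgid=26 fsgid=26 comm="postmaster" exe="/usr/bin/postgres"
type=CWD msg=audit(1163102102.393:151988):  cwd="/var/lib/pgsql"
type=PATH msg=audit(1163102102.393:151988): name="/var/lib/pgsql/ldaprc" flags=101  inode=2864066 dev=fd:00 mode=0100644 ouid=26 ogid=26 rdev=00:00
type=AVC msg=audit(1163102102.395:151989): avc:  denied  { create } for pid=9424 comm="postmaster" scontext=root:system_r:postgresql_t tcontext=root:system_r:postgresql_t tclass=netlink_route_socket
type=SYSCALL msg=audit(1163102102.395:151989): arch=40000003 syscall=102 success=no exit=-13 a0=1 a1=bfecd3cc a2=892ff4 a3=bfece464 items=0 pid=9424 auid=0 uid=26 gid=26 euid=26 suid=26 fsuid=26 egid=26 sgid=26 fsgid=26 comm="postmaster" exe="/usr/bin/postgres"
type=SOCKETCALL msg=audit(1163102102.395:151989): nargs=3 a0=10 a1=3 a2=0
type=AVC msg=audit(1163102102.449:151990): avc:  denied  { create } for pid=9424 comm="postmaster" scontext=root:system_r:postgresql_t tcontext=root:system_r:postgresql_t tclass=netlink_audit_socket
type=SYSCALL msg=audit(1163102102.449:151990): arch=40000003 syscall=102 success=no exit=-13 a0=1 a1=bfecc380 a2=a0eff4 a3=0 items=0 pid=9424 auid=0 uid=26 gid=26 euid=26 suid=26 fsuid=26 egid=26 sgid=26 fsgid=26 comm="postmaster" exe="/usr/bin/postgres"
"""

# "avc:  denied  { perm perm } for ... scontext=u:r:t tcontext=u:r:t tclass=c"
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{ (?P<perms>[^}]+)\} for .*?scontext=(?P<scontext>\S+) '
    r'tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)')
SYSCALL_RE = re.compile(
    r'type=SYSCALL msg=audit\([\d.]+:(?P<serial>\d+)\): arch=(?P<arch>\w+) syscall=(?P<nr>\d+)')

# arch=40000003 is i386; these are the only two numbers that appear in the post's records.
I386_SYSCALLS = {5: "open", 102: "socketcall"}


def parse_avcs(log_text):
    """One dict per 'avc: denied' record; the type field is the third ':'-separated part of a context."""
    events = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            events.append({
                "serial": m["serial"],
                "perms": set(m["perms"].split()),
                "stype": m["scontext"].split(":")[2],
                "ttype": m["tcontext"].split(":")[2],
                "tclass": m["tclass"],
            })
    return events


def parse_syscalls(log_text):
    """Map audit serial -> syscall name, so each AVC can be tied to the call that hit it."""
    out = {}
    for line in log_text.splitlines():
        m = SYSCALL_RE.search(line)
        if m:
            nr = int(m["nr"])
            out[m["serial"]] = I386_SYSCALLS.get(nr, f"syscall_{nr}")
    return out


def allow_rules(events):
    """Merge denials into audit2allow-style rules, one per (source type, target type, class).
    When source and target types are equal the rule uses the 'self' shorthand, as audit2allow does."""
    merged = defaultdict(set)
    for e in events:
        merged[(e["stype"], e["ttype"], e["tclass"])] |= e["perms"]
    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        target = "self" if stype == ttype else ttype
        rules.append(f"allow {stype} {target}:{tclass} {' '.join(sorted(perms))};")
    return rules


def connect_denials(events):
    """AVCs that would explain a connect() returning EACCES: 'connect' on any socket class,
    or 'name_connect' on tcp_socket. An empty result next to an strace EACCES points at dontaudit."""
    return [e for e in events if e["perms"] & {"connect", "name_connect"}]


if __name__ == "__main__":
    avcs = parse_avcs(SAMPLE_AUDIT_LOG)
    calls = parse_syscalls(SAMPLE_AUDIT_LOG)
    for e in avcs:
        print(f"serial {e['serial']} via {calls.get(e['serial'], '?')}: "
              f"{e['stype']} -> {e['ttype']}:{e['tclass']} {sorted(e['perms'])}")
    print("\n".join(allow_rules(avcs)))
    if not connect_denials(avcs):
        print("no AVC covers a connect() denial: suspect a dontaudit rule or a log that predates the attempt")
```

Running the script against the quoted records reproduces the three rules in the post exactly, reports that the read denial came through open() and the two netlink denials through socketcall(), and flags that nothing in the log accounts for the connect() EACCES seen in strace.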




More information about the fedora-selinux-list mailing list