Bug 161383 - SELinux blocks PostgreSQL ident authentication
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 4
Hardware: i686
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2005-06-22 19:23 UTC by Ian Pilcher
Modified: 2007-11-30 22:11 UTC (History)

Fixed In Version: 1.23.18-16
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-06-25 20:03:33 UTC



Description Ian Pilcher 2005-06-22 19:23:38 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050524 Fedora/1.0.4-4 Firefox/1.0.4

Description of problem:
See below

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.23.18-12

How reproducible:
Always

Steps to Reproduce:
1.  Create a Linux user account.  (My user ID is 'pilcher').        

2.  Connect to PostgreSQL as the superuser (postgres) and create a PostgreSQL
    database and user:

        CREATE USER pilcher NOCREATEDB NOCREATEUSER;
        CREATE DATABASE pilcher OWNER pilcher;

3.  Add the following line at the top of /var/lib/pgsql/data/pg_hba.conf:

        host    pilcher pilcher 127.0.0.1/32    ident   sameuser

4.  Restart PostgreSQL to make the changes effective:

        service postgresql restart

5.  Ensure that authd and xinetd are both installed and turned on.

6.  Turn off authd encryption (PostgreSQL doesn't support it).  Edit
    /etc/xinetd.d/auth and remove the '-E' option from the in.authd command
    line.

7.  Restart xinetd ('service xinetd restart').

8.  Logged on as Linux user 'pilcher', try to connect to the new database over
    the loopback adapter:

        psql -h localhost pilcher


Actual Results:  psql: FATAL:  Ident authentication failed for user "pilcher"

The following entries appear in /var/log/audit/audit.log:

type=SOCKETCALL msg=audit(1119466873.728:967800): nargs=3 a0=3 a1=9f51998 a2=10

type=SOCKADDR msg=audit(1119466873.728:967800): saddr=020000717F0000010000000000000000

type=SYSCALL msg=audit(1119466873.728:967800): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfd7de00 a2=bfd7ec44 a3=bfd7ec64 items=0 pid=2735 auid=4294967295 uid=26 gid=26 euid=26 suid=26 fsuid=26 egid=26 sgid=26 fsgid=26 comm="postmaster" exe="/usr/bin/postgres"

type=AVC msg=audit(1119466873.728:967800): avc:  denied  { name_connect } for  pid=2735 comm="postmaster" dest=113 scontext=system_u:system_r:postgresql_t tcontext=system_u:object_r:inetd_child_port_t tclass=tcp_socket

Expected Results:  Connection should have succeeded.  (SELinux should at least have allowed
PostgreSQL to connect to 127.0.0.1:113.)

Additional info:

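The audit records above tell the whole story once they are decoded: the SOCKADDR record carries the destination the postmaster tried to reach (hex sockaddr_in), and the AVC record names the source type, target type, object class and denied permission from which an allow rule can be derived. The following script is an added example, not part of the bug report or of the selinux-policy package; it re-types the three records from the report as constructed input, decodes the sockaddr (assuming a little-endian host such as the reporter's i686, since sa_family is printed in host byte order), and emits the audit2allow-style rule for the denial.

```python
import re
import struct
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the three records quoted in the report above,
# re-typed here so the example runs offline (not read from a live audit.log).
AUDIT_LINES = """\
type=SOCKADDR msg=audit(1119466873.728:967800): saddr=020000717F0000010000000000000000
type=SYSCALL msg=audit(1119466873.728:967800): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfd7de00 a2=bfd7ec44 a3=bfd7ec64 items=0 pid=2735 auid=4294967295 uid=26 gid=26 euid=26 suid=26 fsuid=26 egid=26 sgid=26 fsgid=26 comm="postmaster" exe="/usr/bin/postgres"
type=AVC msg=audit(1119466873.728:967800): avc:  denied  { name_connect } for  pid=2735 comm="postmaster" dest=113 scontext=system_u:system_r:postgresql_t tcontext=system_u:object_r:inetd_child_port_t tclass=tcp_socket
"""

MSG_RE = re.compile(r"msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\)")
AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SADDR_RE = re.compile(r"saddr=([0-9A-Fa-f]+)")


def decode_sockaddr(saddr_hex: str) -> Tuple[str, int]:
    """Decode the hex struct sockaddr printed in a SOCKADDR record.

    sa_family is stored in host byte order; assumption: little-endian host
    (the reporter's i686).  sin_port and sin_addr are network byte order.
    """
    raw = bytes.fromhex(saddr_hex)
    family = struct.unpack("<H", raw[:2])[0]
    if family != 2:  # AF_INET
        raise ValueError(f"unsupported address family {family}")
    port = struct.unpack("!H", raw[2:4])[0]
    ip = ".".join(str(b) for b in raw[4:8])
    return ip, port


def parse_avc(line: str) -> Optional[Dict]:
    """Split an AVC record into verdict, permission list and key=value fields."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    fields["verdict"] = m.group("verdict")
    fields["perms"] = m.group("perms").split()
    return fields


def allow_rule(avc: Dict) -> str:
    """Build the type-enforcement rule that would permit this exact access.

    This is what audit2allow would print for the denial; whether the policy
    maintainer fixed it this way or by retyping port 113 is not stated on
    the page.
    """
    stype = avc["scontext"].split(":")[2]
    ttype = avc["tcontext"].split(":")[2]
    return f"allow {stype} {ttype}:{avc['tclass']} {{ {' '.join(avc['perms'])} }};"


def group_by_event(text: str) -> Dict[str, List[str]]:
    """Group records sharing one audit(ts:serial) id into a single event."""
    events: Dict[str, List[str]] = {}
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if m:
            events.setdefault(m.group("serial"), []).append(line)
    return events


def summarize(text: str) -> List[Dict]:
    """Correlate each AVC denial with the destination from its SOCKADDR record."""
    out = []
    for serial, lines in group_by_event(text).items():
        avc = None
        dest = None
        for line in lines:
            if line.startswith("type=AVC"):
                avc = parse_avc(line)
            elif line.startswith("type=SOCKADDR"):
                sm = SADDR_RE.search(line)
                if sm:
                    dest = decode_sockaddr(sm.group(1))
        if avc is None:
            continue
        out.append({
            "serial": serial,
            "comm": avc.get("comm"),
            "pid": avc.get("pid"),
            "dest": dest,
            "rule": allow_rule(avc),
        })
    return out


if __name__ == "__main__":
    for ev in summarize(AUDIT_LINES):
        print(f"{ev['comm']} (pid {ev['pid']}) denied connect to {ev['dest']}")
        print(ev["rule"])
```

For the records above this yields `allow postgresql_t inetd_child_port_t:tcp_socket { name_connect };` with destination 127.0.0.1:113, i.e. the postmaster acting as an RFC 1413 ident client. Before loading such a rule as a local module, compare it with what the updated policy actually ships: an allow to inetd_child_port_t covers every port xinetd is labelled for, which is broader than what ident authentication needs.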
Comment 1 Tom Lane 2005-06-23 18:15:36 UTC
It seems possible that bug #160975 is the same issue, although there is very
little info in that report.

Comment 2 Ian Pilcher 2005-06-23 19:35:15 UTC
See my comments in bug #160975.  I don't believe that it's the same issue.

Comment 3 Ian Pilcher 2005-06-25 20:03:33 UTC
Appears to be fixed in selinux-policy-targeted-1.23.18-16.

Comment 4 Andy Burns 2005-08-15 21:04:58 UTC
Problem still exists for me with selinux-policy-targeted 1.25.3-12

SELINUX is enabled, but no messages in audit.log

psql postgresql works OK with "ident sameuser" in pg_hba.conf
psql -h 127.0.0.1 fails

Anything else I can report?
Comment 5 Andy Burns 2005-08-15 21:22:54 UTC
oops, my fault ...

I had a "-E" for AES-128-CBC encryption in the /etc/xinetd/auth file ...
