I should point out that I am still getting these errors in
/var/log/audit/audit.log after making the changes below to local.te:

type=AVC msg=audit(1163170839.586:153524): avc: denied { write } for pid=29409 comm="postmaster" scontext=root:system_r:postgresql_t tcontext=root:system_r:postgresql_t tclass=netlink_audit_socket
type=SYSCALL msg=audit(1163170839.586:153524): arch=40000003 syscall=102 success=no exit=-13 a0=b a1=bfec3f80 a2=a0eff4 a3=88 items=0 pid=29409 auid=0 uid=26 gid=26 euid=26 suid=26 fsuid=26 egid=26 sgid=26 fsgid=26 comm="postmaster" exe="/usr/bin/postgres"
type=SOCKADDR msg=audit(1163170839.586:153524): saddr=100000000000000000000000
type=SOCKETCALL msg=audit(1163170839.586:153524): nargs=6 a0=3 a1=bfec8220 a2=88 a3=0 a4=bfec8210 a5=c

The additions that I made to local.te were:

allow postgresql_t self:netlink_audit_socket create;
allow postgresql_t self:netlink_route_socket create;

Craig

On Thu, 2006-11-09 at 14:54 -0700, Craig White wrote:
> on CentOS 4.4 - trying to have postgres authenticate a user via pam via
> LDAP
>
> ;-)
>
> I do see in /var/log/audit/audit.log
>
> type=AVC msg=audit(1163102102.393:151988): avc: denied { read } for pid=9424 comm="postmaster" name="ldaprc" dev=dm-0 ino=2864066 scontext=root:system_r:postgresql_t tcontext=root:object_r:var_lib_t tclass=file
> type=SYSCALL msg=audit(1163102102.393:151988): arch=40000003 syscall=5 success=no exit=-13 a0=8381848 a1=0 a2=1b6 a3=0 items=1 pid=9424 auid=0 uid=26 gid=26 euid=26 suid=26 fsuid=26 egid=26 sgid=26 fsgid=26 comm="postmaster" exe="/usr/bin/postgres"
> type=CWD msg=audit(1163102102.393:151988): cwd="/var/lib/pgsql"
> type=PATH msg=audit(1163102102.393:151988): name="/var/lib/pgsql/ldaprc" flags=101 inode=2864066 dev=fd:00 mode=0100644 ouid=26 ogid=26 rdev=00:00
> type=AVC msg=audit(1163102102.395:151989): avc: denied { create } for pid=9424 comm="postmaster" scontext=root:system_r:postgresql_t tcontext=root:system_r:postgresql_t tclass=netlink_route_socket
> type=SYSCALL msg=audit(1163102102.395:151989): arch=40000003 syscall=102 success=no exit=-13 a0=1 a1=bfecd3cc a2=892ff4 a3=bfece464 items=0 pid=9424 auid=0 uid=26 gid=26 euid=26 suid=26 fsuid=26 egid=26 sgid=26 fsgid=26 comm="postmaster" exe="/usr/bin/postgres"
> type=SOCKETCALL msg=audit(1163102102.395:151989): nargs=3 a0=10 a1=3 a2=0
> type=AVC msg=audit(1163102102.449:151990): avc: denied { create } for pid=9424 comm="postmaster" scontext=root:system_r:postgresql_t tcontext=root:system_r:postgresql_t tclass=netlink_audit_socket
> type=SYSCALL msg=audit(1163102102.449:151990): arch=40000003 syscall=102 success=no exit=-13 a0=1 a1=bfecc380 a2=a0eff4 a3=0 items=0 pid=9424 auid=0 uid=26 gid=26 euid=26 suid=26 fsuid=26 egid=26 sgid=26 fsgid=26 comm="postmaster" exe="/usr/bin/postgres"
>
> So this is what I did...
>
> # audit2allow -i /var/log/audit/audit.log
> allow postgresql_t self:netlink_audit_socket create;
> allow postgresql_t self:netlink_route_socket create;
> allow postgresql_t var_lib_t:file read;
>
> # audit2allow -i /var/log/audit/audit.log \
>   >> /etc/selinux/targeted/src/policy/domains/local.te
>
> # cd /etc/selinux/targeted/src/policy/
> # make reload
>
> but I am still being refused access per strace of process (forked from
> postmaster / postgres)
>
> [pid 11494] connect(3, {sa_family=AF_INET, sin_port=htons(0), sin_addr=inet_addr("192.168.2.0")}, 16) = -1 EACCES (Permission denied)
>
> [pid 11494] connect(3, {sa_family=AF_INET, sin_port=htons(0), sin_addr=inet_addr("255.255.255.255")}, 16) = -1 EACCES (Permission denied)
>
> [pid 11494] connect(3, {sa_family=AF_INET, sin_port=htons(0), sin_addr=inet_addr("192.168.2.0")}, 16) = -1 EACCES (Permission denied)
>
> What am I missing?
>
> Thanks
>
> Craig
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
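The thread shows the audit2allow loop that has to be repeated: once `create` on the two netlink sockets is allowed, the next run of postmaster gets a fresh denial for `write` on the same netlink_audit_socket, while the older denials are still sitting in audit.log. As an added example (not from the thread, and not the audit2allow tool's own code), here is a small Python script that parses AVC records, merges the denied permissions per source type, target type and object class the way audit2allow does, and then reports only the permissions that an existing local.te does not already grant, so the second round of edits is obvious. The sample audit records and the sample local.te contents are constructed for the example, modelled on the records quoted above; the brace form `{ create write }` in the output is an assumption of this script, not a claim about how the CentOS 4 audit2allow formats single permissions.

```python
import re
from collections import defaultdict

# Constructed sample input: AVC records modelled on the ones quoted in the
# thread (same fields and contexts). Not a copy of any live audit.log.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1163170839.586:153524): avc:  denied  { write } for  pid=29409 comm="postmaster" scontext=root:system_r:postgresql_t tcontext=root:system_r:postgresql_t tclass=netlink_audit_socket
type=SYSCALL msg=audit(1163170839.586:153524): arch=40000003 syscall=102 success=no exit=-13 pid=29409 comm="postmaster" exe="/usr/bin/postgres"
type=AVC msg=audit(1163102102.393:151988): avc:  denied  { read } for  pid=9424 comm="postmaster" name="ldaprc" dev=dm-0 ino=2864066 scontext=root:system_r:postgresql_t tcontext=root:object_r:var_lib_t tclass=file
type=AVC msg=audit(1163102102.395:151989): avc:  denied  { create } for  pid=9424 comm="postmaster" scontext=root:system_r:postgresql_t tcontext=root:system_r:postgresql_t tclass=netlink_route_socket
type=AVC msg=audit(1163102102.449:151990): avc:  denied  { create } for  pid=9424 comm="postmaster" scontext=root:system_r:postgresql_t tcontext=root:system_r:postgresql_t tclass=netlink_audit_socket
"""

# Constructed sample of what the first round of edits put into local.te.
SAMPLE_LOCAL_TE = """\
allow postgresql_t self:netlink_audit_socket create;
allow postgresql_t self:netlink_route_socket create;
"""

# One AVC record: verdict, the permission set in braces, then the three
# context fields. The real log separates fields with runs of spaces.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)
# An allow rule as written in a .te file, with or without braces around perms.
ALLOW_RE = re.compile(r'^\s*allow\s+(\S+)\s+(\S+):(\S+)\s+(\{[^}]*\}|\S+)\s*;')


def _type_of(context):
    """user:role:type[:range] -> type"""
    return context.split(':')[2]


def parse_denials(log_text):
    """Yield (source_type, target, tclass, perms) for each denied AVC record.

    target is the literal 'self' when source and target contexts are
    identical, which is how audit2allow writes such rules.
    """
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or m.group('verdict') != 'denied':
            continue
        scontext, tcontext = m.group('scontext'), m.group('tcontext')
        target = 'self' if scontext == tcontext else _type_of(tcontext)
        yield (_type_of(scontext), target, m.group('tclass'),
               frozenset(m.group('perms').split()))


def aggregate(log_text):
    """Union the denied permissions per (source, target, class) key."""
    acc = defaultdict(set)
    for stype, target, tclass, perms in parse_denials(log_text):
        acc[(stype, target, tclass)] |= perms
    return acc


def parse_allow_rules(te_text):
    """Read existing allow lines from a .te file into the same keyed form."""
    existing = defaultdict(set)
    for line in te_text.splitlines():
        m = ALLOW_RE.match(line)
        if not m:
            continue
        stype, target, tclass, perms = m.groups()
        existing[(stype, target, tclass)] |= set(perms.strip('{} ').split())
    return existing


def format_rule(key, perms):
    stype, target, tclass = key
    return f"allow {stype} {target}:{tclass} {{ {' '.join(sorted(perms))} }};"


def allow_rules(log_text):
    """Every rule the log calls for, one per (source, target, class)."""
    return [format_rule(k, p) for k, p in sorted(aggregate(log_text).items())]


def missing_rules(log_text, te_text):
    """Only the denied permissions that te_text does not already grant."""
    existing = parse_allow_rules(te_text)
    out = []
    for key, perms in sorted(aggregate(log_text).items()):
        still_denied = perms - existing.get(key, set())
        if still_denied:
            out.append(format_rule(key, still_denied))
    return out


if __name__ == '__main__':
    print('# all denials in the log:')
    print('\n'.join(allow_rules(SAMPLE_AUDIT_LOG)))
    print('# still missing from local.te:')
    print('\n'.join(missing_rules(SAMPLE_AUDIT_LOG, SAMPLE_LOCAL_TE)))
```

Run against the sample, `missing_rules` reports the `write` on netlink_audit_socket and the `read` on var_lib_t that the first round did not cover, and skips the two `create` rules already present. One caveat a practitioner should keep in mind: the AVC record only exists for permissions SELinux actually audits. A denial covered by a dontaudit rule still returns EACCES to the process but writes nothing to audit.log, so neither this script nor audit2allow can see it; an strace `EACCES` with no matching AVC line is the signature of that case.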