Just in case others follow in my footsteps - this may prove to be
helpful.
Summary of problem: CentOS 4.4 - SELinux enabled - authorizing pam based
users
### Created file /etc/pam.d/postgresql (I'm using LDAP) [*]
# cat /etc/pam.d/postgresql
#%PAM-1.0
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
session required pam_loginuid.so
### Set SELinux security contexts for this file....
# chcon -u system_u -r object_r /etc/pam.d/postgresql
### Already had installed rpm selinux-policy-targeted-sources
### You will need this package
###
### Added to file /etc/selinux/src/targeted/policy/domains/local.te
# cat /etc/selinux/targeted/src/policy/domains/local.te
# postgres/pam
allow postgresql_t self:netlink_audit_socket create;
allow postgresql_t self:netlink_audit_socket nlmsg_relay;
allow postgresql_t self:netlink_audit_socket read;
allow postgresql_t self:netlink_audit_socket write;
allow postgresql_t var_lib_t:file read;
### the last line of the changes to local.te were necessary only for
### postgresql user to be able to read /var/lib/pgsql/.ldaprc
###
### now load this new policy into selinux
# cd /etc/selinux/targeted/src/policy
# make reload
Now, I am able to log in as a user from LDAP - with the obvious
provisions that the user is a user in postgres (password not needed
since that is from LDAP), and pg_hba.conf is properly configured.
[*] Tom's suggestion for /etc/pam.d/postgresql file
#%PAM-1.0
auth required pam_stack.so service=system-auth
account required pam_stack.so service=system-auth
Thanks Tom/Alvaro
Craig
