[Engine-devel] SELinux problem

Daniel J Walsh dwalsh at redhat.com
Mon Jun 17 21:15:09 UTC 2013


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 06/17/2013 03:17 PM, Eli Mesika wrote:
> 
> 
> ----- Original Message -----
>> From: "Daniel J Walsh" <dwalsh at redhat.com>
>> To: "Eli Mesika" <emesika at redhat.com>
>> Cc: "Yair Zaslavsky" <yzaslavs at redhat.com>, "Barak Azulay" <bazulay at redhat.com>, "engine-devel" <engine-devel at ovirt.org>
>> Sent: Monday, June 17, 2013 6:51:23 PM
>> Subject: Re: SELinux problem
>> 
> On 06/17/2013 08:49 AM, Eli Mesika wrote:
>>>> Hi
>>>> 
>>>> I am using SELinux Enforcing mode on Fedora 18 
>>>> (selinux-policy-3.11.1-97.fc18.noarch)
>>>> 
>>>> As part as our Postgres DB restore we have to
>>>> 
>>>> 1) Open a postgres backup packed as a TAR file
>>>> 2) Restore the database from those files after unpacking with tar xvf.
>>>> 
>>>> I have found that I get a Permission Denied when trying to restore
>>>> the database data files. After investigation, I found that after
>>>> running: setenforce 0 the restore completes with no errors. Further
>>>> investigation shows that when I am extracting the TAR file, I have
>>>> to set the same SELinux context as in the /var/lib/pgsql/data directory,
>>>> i.e. unconfined_u:object_r:postgresql_db_t:s0
>>>> 
>>>> I had tried to do that with chcon :
>>>> 
>>>> chcon -u unconfined_u -r object_r -t postgresql_db_t <file>
>>>> 
>>>> This failed (also when running with root privileges) and
>>>> audit2why --all shows a lot of these errors:
>>>> 
>>>> type=AVC msg=audit(1371464569.023:671): avc:  denied  { relabelto }
>>>> for pid=18144 comm="chcon" name="toc.dat" dev="tmpfs" ino=117639
>>>> scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>>>> tcontext=system_u:system_r:postgresql_t:s0 tclass=file
>>>>
>>>> Was caused by: Missing type enforcement (TE) allow rule.
>>>> 
>>>> You can use audit2allow to generate a loadable module to allow this 
>>>> access.
>>>> 
>>>> 
>>>> After googling around that, I found an article by you:
>>>> 
>>>> https://docs.fedoraproject.org/en-US/Fedora/11/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow.html
>>>>
>>>> It says: "Missing Type Enforcement rules are usually caused by bugs in
>>>> SELinux policy, and should be reported in Red Hat Bugzilla. For
>>>> Fedora, create bugs against the Fedora product, and select the
>>>> selinux-policy component. Include the output of the audit2allow -w -a
>>>> and audit2allow -a commands in such bug reports. "
>>>> 
>>>> Should I open a BZ on that ?
>>>> 
>>>> The TAR I am using is attached. (I am opening it with tar xvf and
>>>> trying to change the context to desired context as explained above)
>>>> 
>>>> Thanks
>>>> 
>>>> Eli
>>>> 
>>>> 
>>>> 
>>>> 
> Just untar the files and run restorecon -R on them
> 
> restorecon -R PATH
> 
>> Thanks for the quick response. I tried it and nothing happened, same
>> results. So I tried with the -RVVF flags and got the following
> 
>> restorecon:  Warning no default label for
>> /tmp/db/00579652_221211073824_pgdump.tar_dir/3622.dat
> 
>> ( this appears on each file of the extracted files )
> 
>> So, it seems that the pg_dump did not set the correct SELinux defaults on
>> those files when packaging them, right?
> 
>> Any workaround to get out of that...
> 
>> Thanks again
> 
>> Eli
> 
> 
> 
> 
> Should put the default labels on the content.
>> 

Why are you storing your postgresql database on a /tmp directory?

If you put it in the normal places, it would have worked.

If you must have it there then you need to label it with

chcon -Rt postgresql_db_t /tmp/db

This will change the label to be usable by postgresql.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlG/fF0ACgkQrlYvE4MpobPoXwCfeKhb+JEJX1l/xL/RbavAOjwf
mwMAoOAhh/m3cifg3ktXF9oAkpHLLlZB
=4S5u
-----END PGP SIGNATURE-----
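The relabeling procedure discussed in this thread, written out as a small POSIX shell script. This is an added example, not code from the thread, from Dan Walsh or from the oVirt project. It assumes the dump has already been extracted into a directory (the thread's /tmp/db/... path is used in the usage comment), that the SELinux userspace tools (selinuxenabled, restorecon, chcon) are installed, and that stat is GNU coreutils (its -c %C prints the file's security context). The avc_summary helper is only a convenience for reading denial records; the sample AVC line it is fed is the one quoted in the thread.

```shell
#!/bin/sh
# Added example; not part of the original thread. Assumes GNU coreutils stat
# and the SELinux userspace tools (selinuxenabled, restorecon, chcon).

# Constructed sample: the AVC record quoted in the thread, on one line.
SAMPLE_AVC='type=AVC msg=audit(1371464569.023:671): avc:  denied  { relabelto } for pid=18144 comm="chcon" name="toc.dat" dev="tmpfs" ino=117639 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:system_r:postgresql_t:s0 tclass=file'

# ctx_type CONTEXT: print the type field of a "user:role:type:level" context.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_summary AVC_LINE: reduce a raw AVC denial to "perm src_type tgt_type tclass",
# the four fields that tell you whether a denial is a policy gap or just a
# mislabeled file (here: unconfined_t may not relabel a file to postgresql_t).
avc_summary() {
    line=$1
    perm=$(printf '%s\n' "$line" | sed -n 's/.*denied  *{ *\([^}]*\) *}.*/\1/p' | tr -d ' ')
    src=$(printf '%s\n' "$line" | sed -n 's/.*scontext=\([^ ]*\).*/\1/p')
    tgt=$(printf '%s\n' "$line" | sed -n 's/.*tcontext=\([^ ]*\).*/\1/p')
    tclass=$(printf '%s\n' "$line" | sed -n 's/.*tclass=\([^ ]*\).*/\1/p')
    printf '%s %s %s %s\n' "$perm" "$(ctx_type "$src")" "$(ctx_type "$tgt")" "$tclass"
}

# file_type PATH: the SELinux type currently on a file.
file_type() {
    ctx_type "$(stat -c %C "$1")"
}

# relabel_for_postgres DIR: first let restorecon apply the policy's default
# labels (the reply's first suggestion); anything left without the expected
# type, which is what happens for content under /tmp where no default label
# exists, is set to postgresql_db_t with chcon -t, as the reply suggests.
# Only the type is changed; user and role are left alone.
relabel_for_postgres() {
    dir=$1
    if ! command -v selinuxenabled >/dev/null 2>&1 || ! selinuxenabled; then
        echo "SELinux is not enabled on this host; nothing to relabel" >&2
        return 0
    fi
    restorecon -RF "$dir"
    find "$dir" -type f | while read -r f; do
        [ "$(file_type "$f")" = postgresql_db_t ] || chcon -t postgresql_db_t "$f"
    done
    # Verify: report anything that still does not carry the expected type.
    find "$dir" -type f | while read -r f; do
        [ "$(file_type "$f")" = postgresql_db_t ] || echo "still mislabeled: $f $(stat -c %C "$f")" >&2
    done
}

# Usage (path taken from the thread):
#   relabel_for_postgres /tmp/db/00579652_221211073824_pgdump.tar_dir
#   avc_summary "$SAMPLE_AVC"
```

The verification loop matters more than the chcon itself: a file that restorecon silently skipped (it only warns about "no default label" when run verbosely) would otherwise go unnoticed until the restore fails again. Note that a chcon label does not survive a later full relabel of the filesystem; for a permanent location, a file context rule added with semanage fcontext is the durable fix, which is the reply's point about keeping the data in the normal PostgreSQL directories.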
