----- Original Message -----
From: "Daniel J Walsh" <dwalsh(a)redhat.com>
To: "Eli Mesika" <emesika(a)redhat.com>
Cc: "Yair Zaslavsky" <yzaslavs(a)redhat.com>, "Barak Azulay"
<bazulay(a)redhat.com>, "engine-devel"
<engine-devel(a)ovirt.org>
Sent: Monday, June 17, 2013 6:51:23 PM
Subject: Re: SELinux problem
On 06/17/2013 08:49 AM, Eli Mesika wrote:
> Hi
>
> I am using SELinux Enforcing mode on Fedora 18
> (selinux-policy-3.11.1-97.fc18.noarch)
>
> As part of our Postgres DB restore we have to
>
> 1) Open a postgres backup packed as a TAR file
> 2) Restore the database from those files after unpacking with tar xvf.
>
> I have found that I get a Permission Denied when trying to restore the
> database data files. After investigation, I had found that running:
> setenforce 0 the restore completes with no errors. Further investigation
> shows that when I am extracting the TAR file, I have to set the same
> SELinux context as in /var/lib/pgsql/data directory, i.e.
> unconfined_u:object_r:postgresql_db_t:s0
>
> I had tried to do that with chcon:
>
> chcon -u unconfined_u -r object_r -t postgresql_db_t <file>
>
> This failed (also when running with root privileges) and audit2why
> --all shows a lot of those errors:
>
> type=AVC msg=audit(1371464569.023:671): avc: denied { relabelto } for
> pid=18144 comm="chcon" name="toc.dat" dev="tmpfs" ino=117639
> scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> tcontext=system_u:system_r:postgresql_t:s0 tclass=file
>
> Was caused by:
> Missing type enforcement (TE) allow rule.
>
> You can use audit2allow to generate a loadable module to allow this
> access.
>
>
> After googling around that, I found an article by you:
>
> https://docs.fedoraproject.org/en-US/Fedora/11/html/Security-Enhanced_Lin...
>
> It says: "Missing Type Enforcement rules are usually caused by bugs in
> SELinux policy, and should be reported in Red Hat Bugzilla. For Fedora,
> create bugs against the Fedora product, and select the selinux-policy
> component. Include the output of the audit2allow -w -a and audit2allow -a
> commands in such bug reports."
>
> Should I open a BZ on that?
>
> The TAR I am using is attached. (I am opening it with tar xvf and trying to
> change the context to desired context as explained above)
>
> Thanks
>
> Eli
>
>
>
>
Just untar the files and run restorecon -R on them

restorecon -R PATH

Thanks for the quick response
I had tried it and nothing happened, same results
So I had tried with -RVVF flags and got the following

restorecon: Warning no default label for
/tmp/db/00579652_221211073824_pgdump.tar_dir/3622.dat

(this appears on each file of the extracted files)
So, it seems that the pg_dump did not set the correct SELinux defaults on those files when
packaging them, right?
Any workaround to get out of that...
Thanks again
Eli

Should put the default labels on the content.
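
Added example, not part of the original message: a small Python parser for the AVC record quoted above. It splits the source and target contexts into user, role, type and level, then compares the target context with the label the message says the files need. The function names are illustrative; the record and the wanted label are copied from the message.

```python
import re

# The denial quoted in the message, joined onto one line (copied from the page).
AVC_LINE = (
    'type=AVC msg=audit(1371464569.023:671): avc: denied { relabelto } for '
    'pid=18144 comm="chcon" name="toc.dat" dev="tmpfs" ino=117639 '
    'scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
    'tcontext=system_u:system_r:postgresql_t:s0 tclass=file'
)
# The label the poster says the extracted files need.
WANTED = "unconfined_u:object_r:postgresql_db_t:s0"


def split_context(ctx):
    """Split user:role:type:level; the MLS level may itself contain ':'."""
    user, role, setype, level = ctx.split(":", 3)
    return {"user": user, "role": role, "type": setype, "level": level}


def parse_avc(line):
    """Parse one AVC record into its permissions and key=value fields."""
    m = re.search(r"avc:\s+(denied|granted)\s+\{([^}]*)\}", line)
    if not m:
        raise ValueError("not an AVC record")
    rec = {"result": m.group(1), "perms": m.group(2).split()}
    for key, val in re.findall(r'(\w+)=("[^"]*"|\S+)', line):
        rec[key] = val.strip('"')
    rec["scontext"] = split_context(rec["scontext"])
    rec["tcontext"] = split_context(rec["tcontext"])
    return rec


def label_mismatch(rec, wanted):
    """Fields where the record's target label differs: {field: (logged, wanted)}."""
    want, got = split_context(wanted), rec["tcontext"]
    return {f: (got[f], want[f]) for f in ("user", "role", "type") if got[f] != want[f]}


if __name__ == "__main__":
    record = parse_avc(AVC_LINE)
    print(record["perms"], record["comm"], record["dev"])
    for field, (logged, wanted) in label_mismatch(record, WANTED).items():
        print(f"{field}: logged {logged}, wanted {wanted}")
```

For a relabelto denial the tcontext is the label being applied, so the comparison shows that the logged attempt targeted system_u:system_r:postgresql_t:s0, which differs from the wanted label in user, role and type.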