
On 06/17/2013 03:17 PM, Eli Mesika wrote:
----- Original Message -----
From: "Daniel J Walsh" <dwalsh@redhat.com>
To: "Eli Mesika" <emesika@redhat.com>
Cc: "Yair Zaslavsky" <yzaslavs@redhat.com>, "Barak Azulay" <bazulay@redhat.com>, "engine-devel" <engine-devel@ovirt.org>
Sent: Monday, June 17, 2013 6:51:23 PM
Subject: Re: SELinux problem
On 06/17/2013 08:49 AM, Eli Mesika wrote:
Hi
I am using SELinux Enforcing mode on Fedora 18 (selinux-policy-3.11.1-97.fc18.noarch)
As part of our Postgres DB restore we have to
1) Open a postgres backup packed as a TAR file
2) Restore the database from those files after unpacking with tar xvf.
I have found that I get a Permission Denied when trying to restore the database data files. After investigation, I found that after running setenforce 0 the restore completes with no errors. Further investigation shows that when I extract the TAR file, I have to set the same SELinux context as on the /var/lib/pgsql/data directory, i.e. unconfined_u:object_r:postgresql_db_t:s0
I tried to do that with chcon:
chcon -u unconfined_u -r object_r -t postgresql_db_t <file>
This failed (also when running with root privileges) and audit2why --all shows a lot of these errors:
type=AVC msg=audit(1371464569.023:671): avc: denied { relabelto } for pid=18144 comm="chcon" name="toc.dat" dev="tmpfs" ino=117639 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:system_r:postgresql_t:s0 tclass=file
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
After googling around, I found an article by you:
https://docs.fedoraproject.org/en-US/Fedora/11/html/Security-Enhanced_Linux/...
It says: "Missing Type Enforcement rules are usually caused by bugs in SELinux policy, and should be reported in Red Hat Bugzilla. For Fedora, create bugs against the Fedora product, and select the selinux-policy component. Include the output of the audit2allow -w -a and audit2allow -a commands in such bug reports."
Should I open a BZ on that?
The TAR I am using is attached. (I am opening it with tar xvf and trying to change the context to the desired context as explained above.)
Thanks
Eli
Just untar the files and run restorecon -R on them
restorecon -R PATH
Thanks for the quick response. I tried it and nothing happened, same results. So I tried with -RVVF flags and got the following:
restorecon: Warning no default label for /tmp/db/00579652_221211073824_pgdump.tar_dir/3622.dat
(this appears for each of the extracted files)
So, it seems that pg_dump did not set the correct SELinux defaults on those files when packaging them, right?
Any workaround to get out of that...
Thanks again
Eli
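Both messages above quote machine output that has to be read in bulk: the AVC denials that audit2why prints (one per file) and the restorecon "no default label" warnings (again one per file). The following triage helper is an added example, not code from the thread or from oVirt: it parses both record types, groups the denials by source type, target type, object class and permission so that hundreds of per-file lines collapse into one summary, and lists the paths restorecon could not label. The second AVC line and the second restorecon warning in SAMPLE are constructed for the example; the first of each is the line quoted in the thread.

```python
"""Triage helpers for AVC denials and restorecon 'no default label' warnings."""
import re
from collections import Counter
from typing import Iterable, List, Optional, Tuple

# 'avc: denied { perm ... } for key=value key="value" ...'
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)")
# key=value pairs; values are either double-quoted or bare (no whitespace)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# 'restorecon: Warning no default label for /some/path'
NOLABEL_RE = re.compile(r"restorecon:\s+Warning no default label for\s+(?P<path>\S+)")


class AvcDenial:
    """One parsed AVC denial record."""

    def __init__(self, perms, scontext, tcontext, tclass, comm=None, name=None, pid=None):
        self.perms: Tuple[str, ...] = perms
        self.scontext, self.tcontext, self.tclass = scontext, tcontext, tclass
        self.comm, self.name, self.pid = comm, name, pid

    @property
    def source_type(self) -> str:
        # a context is user:role:type[:level]; the type is the third field
        return self.scontext.split(":")[2]

    @property
    def target_type(self) -> str:
        return self.tcontext.split(":")[2]

    def key(self):
        """Grouping key: same domain, same target type, same class, same permissions."""
        return (self.source_type, self.target_type, self.tclass, self.perms)


def parse_avc(line: str) -> Optional[AvcDenial]:
    m = AVC_RE.search(line)
    if m is None:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    try:
        return AvcDenial(
            perms=tuple(sorted(m.group("perms").split())),
            scontext=kv["scontext"],
            tcontext=kv["tcontext"],
            tclass=kv["tclass"],
            comm=kv.get("comm"),
            name=kv.get("name"),
            pid=int(kv["pid"]) if kv.get("pid", "").isdigit() else None,
        )
    except KeyError:
        return None  # malformed record: one of the mandatory fields is missing


def parse_nolabel(line: str) -> Optional[str]:
    m = NOLABEL_RE.search(line)
    return m.group("path") if m else None


def triage(lines: Iterable[str]) -> Tuple[Counter, List[str]]:
    """Return (denial counts grouped by key, paths restorecon could not label)."""
    denials: Counter = Counter()
    unlabeled: List[str] = []
    for line in lines:
        d = parse_avc(line)
        if d is not None:
            denials[d.key()] += 1
            continue
        p = parse_nolabel(line)
        if p is not None:
            unlabeled.append(p)
    return denials, unlabeled


def describe(key, count: int) -> str:
    stype, ttype, tclass, perms = key
    return f"{count}x {stype} -> {ttype} ({tclass}): denied {' '.join(perms)}"


SAMPLE = [
    # quoted in the thread
    'type=AVC msg=audit(1371464569.023:671): avc: denied { relabelto } for pid=18144 comm="chcon" '
    'name="toc.dat" dev="tmpfs" ino=117639 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
    'tcontext=system_u:system_r:postgresql_t:s0 tclass=file Was caused by: Missing type enforcement (TE) allow rule.',
    # constructed: same denial for a second extracted file
    'type=AVC msg=audit(1371464569.025:672): avc: denied { relabelto } for pid=18144 comm="chcon" '
    'name="3622.dat" dev="tmpfs" ino=117640 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
    'tcontext=system_u:system_r:postgresql_t:s0 tclass=file',
    "You can use audit2allow to generate a loadable module to allow this access.",
    # quoted in the thread, then one constructed warning
    "restorecon: Warning no default label for /tmp/db/00579652_221211073824_pgdump.tar_dir/3622.dat",
    "restorecon: Warning no default label for /tmp/db/00579652_221211073824_pgdump.tar_dir/3623.dat",
]

if __name__ == "__main__":
    counts, paths = triage(SAMPLE)
    for k, n in counts.most_common():
        print(describe(k, n))
    print("paths with no default label:", *paths, sep="\n  ")
```

Grouping by (source type, target type, class, permissions) is the same normalisation audit2allow performs before proposing a rule, so one summary line corresponds to one candidate policy change; the list of unlabeled paths is what Dan's `chcon -Rt` below (or a registered file context) has to cover.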
Should put the default labels on the content.
Why are you storing your postgresql database on a /tmp directory? If you put it in the normal places, it would have worked. If you must have it there then you need to label it with
chcon -Rt postgresql_db_t /tmp/db
That will change the label to be usable by postgresql.