On 06/17/2013 08:49 AM, Eli Mesika wrote:
Hi
I am using SELinux Enforcing mode on Fedora 18
(selinux-policy-3.11.1-97.fc18.noarch)
As part of our Postgres DB restore we have to
1) Open a postgres backup packed as a TAR file
2) Restore the database from those files after unpacking with tar xvf.
I have found that I get a Permission Denied when trying to restore the
database data files. After investigation, I found that after running:
setenforce 0
the restore completes with no errors. Further investigation shows that
when I am extracting the TAR file, I have to set the same SELinux context
as in the /var/lib/pgsql/data directory, i.e.
unconfined_u:object_r:postgresql_db_t:s0
I tried to do that with chcon:
chcon -u unconfined_u -r object_r -t postgresql_db_t <file>
This failed (also when running with root privileges) and audit2why
--all shows a lot of these errors:
type=AVC msg=audit(1371464569.023:671): avc: denied { relabelto } for
pid=18144 comm="chcon" name="toc.dat" dev="tmpfs" ino=117639
scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tcontext=system_u:system_r:postgresql_t:s0 tclass=file
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this
access.
After googling around that, I found an article by you:
https://docs.fedoraproject.org/en-US/Fedora/11/html/Security-Enhanced_Lin...
It says: "Missing Type Enforcement rules are usually caused by bugs in
SELinux policy, and should be reported in Red Hat Bugzilla. For Fedora,
create bugs against the Fedora product, and select the selinux-policy
component. Include the output of the audit2allow -w -a and audit2allow -a
commands in such bug reports."
Should I open a BZ on that?
The TAR I am using is attached. (I am opening it with tar xvf and trying to
change the context to desired context as explained above)
Thanks
Eli
Just untar the files and run restorecon -R on them:
restorecon -R PATH
Should put the default labels on the content.
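As an added example (not part of the original thread), the Python below parses the AVC record quoted in the message and lists where the target context it reports differs from the label the message says the data files need. The helper names `split_context`, `parse_avc` and `label_mismatch` are hypothetical, and the sample record is the one from the message joined onto a single line.

```python
import re

# AVC record from the message above, joined onto one line.
SAMPLE_AVC = (
    'type=AVC msg=audit(1371464569.023:671): avc: denied { relabelto } for '
    'pid=18144 comm="chcon" name="toc.dat" dev="tmpfs" ino=117639 '
    'scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
    'tcontext=system_u:system_r:postgresql_t:s0 tclass=file'
)
# Label the message says the data files need (same as /var/lib/pgsql/data).
WANTED = "unconfined_u:object_r:postgresql_db_t:s0"


def split_context(ctx):
    """Split user:role:type:level; the level may itself contain colons."""
    user, role, setype, level = ctx.split(":", 3)
    return {"user": user, "role": role, "type": setype, "level": level}


def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other record."""
    m = re.search(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)", line)
    if not m:
        return None
    rec = {"perms": m.group(1).split()}
    # key=value pairs; values are either double-quoted or a bare token.
    for key, quoted, bare in re.findall(r'(\w+)=(?:"([^"]*)"|(\S+))', m.group(2)):
        rec[key] = quoted or bare
    for key in ("scontext", "tcontext"):
        if key in rec:
            rec[key] = split_context(rec[key])
    return rec


def label_mismatch(rec, wanted):
    """List the context fields where the denied target label differs from wanted."""
    want = split_context(wanted)
    return [k for k in ("user", "role", "type", "level")
            if rec["tcontext"][k] != want[k]]


if __name__ == "__main__":
    rec = parse_avc(SAMPLE_AVC)
    print(rec["comm"], rec["perms"], rec["tclass"], rec["name"])
    print("target differs from wanted label in:", label_mismatch(rec, WANTED))
```

Running it on the quoted record shows the denied `relabelto` target differs from the wanted label in user, role and type, which is a quick check to make before generating any audit2allow module.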