From: "Daniel J Walsh" <dwalsh(a)redhat.com>
To: "Eli Mesika" <emesika(a)redhat.com>
Cc: "Yair Zaslavsky" <yzaslavs(a)redhat.com>, "Barak Azulay"
<bazulay(a)redhat.com>, "engine-devel"
<engine-devel(a)ovirt.org>
Sent: Tuesday, June 18, 2013 12:15:09 AM
Subject: Re: SELinux problem
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 06/17/2013 03:17 PM, Eli Mesika wrote:
>
>
> ----- Original Message -----
>> From: "Daniel J Walsh" <dwalsh(a)redhat.com> To: "Eli
Mesika"
>> <emesika(a)redhat.com> Cc: "Yair Zaslavsky"
<yzaslavs(a)redhat.com>, "Barak
>> Azulay" <bazulay(a)redhat.com>, "engine-devel"
<engine-devel(a)ovirt.org>
>> Sent: Monday, June 17, 2013 6:51:23 PM Subject: Re: SELinux problem
>>
> On 06/17/2013 08:49 AM, Eli Mesika wrote:
>>>> Hi
>>>>
>>>> I am using SELinux Enforcing mode on Fedora 18
>>>> (selinux-policy-3.11.1-97.fc18.noarch)
>>>>
>>>> As part as our Postgres DB restore we have to
>>>>
>>>> 1) Open a postgres backup packed as a TAR file 2) Restore the
>>>> database from those files after unpacking with tar xvf.
>>>>
>>>> I have found that I get a Permission Denied when trying to restore
>>>> the database data files. After investigation , I had found that
>>>> running : setenforce 0 the restore completes with no errors. Further
>>>> investigation shows that when I am extracting the TAR file , I have
>>>> to set the same SELinux context as in /var/lib/pgsql/data directory ,
>>>> i.e. unconfined_u:object_r:postgresql_db_t:s0
>>>>
>>>> I had tried to do that with chcon :
>>>>
>>>> chcon -u unconfined_u -r object_r -t postgresql_db_t <file>
>>>>
>>>> This was failed (also when running with root privileges) and
>>>> audit2why --all shows a lot of those errors :
>>>>
>>>> type=AVC msg=audit(1371464569.023:671): avc: denied { relabelto }
>>>> for pid=18144 comm="chcon" name="toc.dat"
dev="tmpfs" ino=117639
>>>> scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>>>> tcontext=system_u:system_r:postgresql_t:s0 tclass=file Was caused
>>>> by: Missing type enforcement (TE) allow rule.
>>>>
>>>> You can use audit2allow to generate a loadable module to allow this
>>>> access.
>>>>
>>>>
>>>> After goggling around that , I found an article by you:
>>>>
>>>>
https://docs.fedoraproject.org/en-US/Fedora/11/html/Security-Enhanced_Lin...
>>>>
>>>>
>>>>
It says : "Missing Type Enforcement rules are usually caused by bugs in
>>>> SELinux policy, and should be reported in Red Hat Bugzilla. For
>>>> Fedora, create bugs against the Fedora product, and select the
>>>> selinux-policy component. Include the output of the audit2allow -w -a
>>>> and audit2allow -a commands in such bug reports. "
>>>>
>>>> Should I open a BZ on that ?
>>>>
>>>> The TAR I am using is attached. (I am opening it with tar xvf and
>>>> trying to change the context to desired context as explained above)
>>>>
>>>> Thanks
>>>>
>>>> Eli
>>>>
>>>>
>>>>
>>>>
> Just untar the files and run restorecon -R on them
>
> restorecon -R PATH
>
>> Thanks for the quick response I had tried it and nothing happen , same
>> results So I had tried with -RVVF flags and got the following
>
>> restorecon: Warning no default label for
>> /tmp/db/00579652_221211073824_pgdump.tar_dir/3622.dat
>
>> ( this appears on each file of the extracted files )
>
>> So, it seems that the pg_dump did not set the correct SELinux defaults on
>> those file when packaging them , right ?
>
>> Any workaround to get out of that...
>
>> Thanks again
>
>> Eli
>
>
>
>
> SHould put the default labels on the content.
>>
Why are you storing your postgresql database on a /tmp directory?
If you put it in the normal places, it would have worked.
The reason is that this is a backup file from which I have to restore the database.
If you must have it there then you need to label it with
chcon -Rt postgresql_db_t /tmp/db
Will change the label to be useable by postgresql.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)
Comment: Using GnuPG with Thunderbird -
http://www.enigmail.net/
iEYEARECAAYFAlG/fF0ACgkQrlYvE4MpobPoXwCfeKhb+JEJX1l/xL/RbavAOjwf
mwMAoOAhh/m3cifg3ktXF9oAkpHLLlZB
=4S5u
-----END PGP SIGNATURE-----