[Engine-devel] SELinux problem
Eli Mesika
emesika at redhat.com
Mon Jun 17 12:49:12 UTC 2013
Hi
I am using SELinux Enforcing mode on Fedora 18 (selinux-policy-3.11.1-97.fc18.noarch)
As part of our Postgres DB restore we have to
1) Open a postgres backup packed as a TAR file
2) Restore the database from those files after unpacking with tar xvf.
I have found that I get a Permission Denied when trying to restore the database data files.
After investigation, I found that when running setenforce 0 the restore completes with no errors.
Further investigation shows that when I am extracting the TAR file, I have to set the same SELinux context as in the /var/lib/pgsql/data directory, i.e.
unconfined_u:object_r:postgresql_db_t:s0
I tried to do that with chcon:
chcon -u unconfined_u -r object_r -t postgresql_db_t <file>
This failed (also when running with root privileges), and audit2why --all shows a lot of these errors:
type=AVC msg=audit(1371464569.023:671): avc: denied { relabelto } for pid=18144 comm="chcon" name="toc.dat" dev="tmpfs" ino=117639 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:system_r:postgresql_t:s0 tclass=file
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
After googling around that, I found an article by you:
https://docs.fedoraproject.org/en-US/Fedora/11/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow.html
It says: "Missing Type Enforcement rules are usually caused by bugs in SELinux policy, and should be reported in Red Hat Bugzilla. For Fedora, create bugs against the Fedora product, and select the selinux-policy component. Include the output of the audit2allow -w -a and audit2allow -a commands in such bug reports."
Should I open a BZ on that?
The TAR I am using is attached. (I am opening it with tar xvf and trying to change the context to desired context as explained above)
Thanks
Eli
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 00579652_221211073824_pgdump.tar
Type: application/x-tar
Size: 1734144 bytes
Desc: not available
URL: <http://lists.ovirt.org/pipermail/engine-devel/attachments/20130617/773e471c/attachment.tar>
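As an added example (not code from the post or from the oVirt project), a small Python triage script for denials like the one quoted above: it parses AVC records, counts them by command, permission and source/target type, and checks that the type a relabelto denial records in tcontext (the label being applied) is the type the operator actually intended, before anyone turns the denials into an audit2allow module. The sample audit lines are constructed, modelled on the single line in the post.

```python
import re
from collections import Counter

# Constructed sample audit records modelled on the denial quoted in the post;
# the 2nd-4th lines are invented to show grouping and non-AVC record types.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1371464569.023:671): avc: denied { relabelto } for pid=18144 comm="chcon" name="toc.dat" dev="tmpfs" ino=117639 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:system_r:postgresql_t:s0 tclass=file
type=AVC msg=audit(1371464569.041:672): avc: denied { relabelto } for pid=18144 comm="chcon" name="3001.dat" dev="tmpfs" ino=117640 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:system_r:postgresql_t:s0 tclass=file
type=AVC msg=audit(1371464601.500:680): avc: denied { read } for pid=18200 comm="postgres" name="toc.dat" dev="tmpfs" ino=117639 scontext=system_u:system_r:postgresql_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1371464569.023:671): arch=c000003e syscall=188 success=no exit=-13 comm="chcon"
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted" or key=bare


def parse_avc(text):
    """Return one dict per AVC denial: its key=value fields plus a 'perms' tuple."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:  # SYSCALL, PATH, CWD ... records carry no denial; skip them
            continue
        fields = {k: quoted or bare for k, quoted, bare in KV_RE.findall(m.group("rest"))}
        fields["perms"] = tuple(m.group("perms").split())
        denials.append(fields)
    return denials


def context_type(ctx):
    """Type field of user:role:type[:range], e.g. postgresql_db_t."""
    return ctx.split(":")[2]


def summarize(denials):
    """Count denials by (comm, permission, tclass, source type, target type)."""
    counts = Counter()
    for d in denials:
        for perm in d["perms"]:
            counts[(d["comm"], perm, d["tclass"],
                    context_type(d["scontext"]), context_type(d["tcontext"]))] += 1
    return counts


def check_relabel_target(denials, intended_type):
    """For relabelto, tcontext is the label being applied: return the names of
    files whose denial records a different type than the one the operator meant."""
    return [d["name"] for d in denials
            if "relabelto" in d["perms"] and context_type(d["tcontext"]) != intended_type]
```

On a real host feed it `ausearch -m avc` output instead of SAMPLE_AUDIT; the dev= field (tmpfs here) tells you which filesystem the extracted files sit on, which matters when deciding between chcon, restorecon and extracting elsewhere.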