[Engine-devel] SELinux problem

Eli Mesika emesika at redhat.com
Mon Jun 17 19:17:35 UTC 2013



----- Original Message -----
> From: "Daniel J Walsh" <dwalsh at redhat.com>
> To: "Eli Mesika" <emesika at redhat.com>
> Cc: "Yair Zaslavsky" <yzaslavs at redhat.com>, "Barak Azulay" <bazulay at redhat.com>, "engine-devel"
> <engine-devel at ovirt.org>
> Sent: Monday, June 17, 2013 6:51:23 PM
> Subject: Re: SELinux problem
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On 06/17/2013 08:49 AM, Eli Mesika wrote:
> > Hi
> > 
> > I am using SELinux Enforcing mode on Fedora 18
> > (selinux-policy-3.11.1-97.fc18.noarch)
> > 
> > As part as our Postgres DB restore we have to
> > 
> > 1) Open a postgres backup packed as a TAR file
> > 2) Restore the database from those files after unpacking with tar xvf.
> > 
> > I have found that I get a Permission Denied when trying to restore the
> > database data files. After investigation, I found that after running
> > setenforce 0 the restore completes with no errors. Further investigation
> > shows that when I am extracting the TAR file, I have to set the same
> > SELinux context as in the /var/lib/pgsql/data directory, i.e.
> > unconfined_u:object_r:postgresql_db_t:s0
> > 
> > I had tried to do that with chcon :
> > 
> > chcon -u unconfined_u -r object_r -t postgresql_db_t <file>
> > 
> > This failed (also when running with root privileges) and audit2why
> > --all shows a lot of these errors:
> > 
> > type=AVC msg=audit(1371464569.023:671): avc:  denied  { relabelto } for
> > pid=18144 comm="chcon" name="toc.dat" dev="tmpfs" ino=117639
> > scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> > tcontext=system_u:system_r:postgresql_t:s0 tclass=file
> > Was caused by:
> > Missing type enforcement (TE) allow rule.
> > 
> > You can use audit2allow to generate a loadable module to allow this
> > access.
> > 
> > 
> > After googling around that, I found an article by you:
> > 
> > https://docs.fedoraproject.org/en-US/Fedora/11/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow.html
> > 
> > It says: "Missing Type Enforcement rules are usually caused by bugs in
> > SELinux policy, and should be reported in Red Hat Bugzilla. For Fedora,
> > create bugs against the Fedora product, and select the selinux-policy
> > component. Include the output of the audit2allow -w -a and audit2allow -a
> > commands in such bug reports."
> > 
> > Should I open a BZ on that?
> > 
> > The TAR I am using is attached. (I am opening it with tar xvf and trying to
> > change the context to the desired context as explained above.)
> > 
> > Thanks
> > 
> > Eli
> > 
> > 
> > 
> > 
> Just untar the files and run restorecon -R on them
> 
> restorecon -R PATH

Thanks for the quick response.
I tried it and nothing happened, same results.
So I tried with the -RVVF flags and got the following:

restorecon:  Warning no default label for /tmp/db/00579652_221211073824_pgdump.tar_dir/3622.dat

(this appears for each of the extracted files)

So, it seems that pg_dump did not set the correct SELinux defaults on those files when packaging them, right?

Any workaround to get out of that...

Thanks again

Eli



> 
> Should put the default labels on the content.
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.13 (GNU/Linux)
> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
> 
> iEYEARECAAYFAlG/MHsACgkQrlYvE4MpobOjNACff0Ugxb2zWZqx+At3orGPS4s7
> CZ0AoNQSRB2QSCrise2m4gFiEO2sbCh1
> =hdyR
> -----END PGP SIGNATURE-----
> 
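The "no default label" warning above is the key to the whole thread: restorecon only resets a file to the label that the loaded policy's file_contexts assigns to its path, and paths under /tmp are covered by a <<none>> rule, so there is nothing to reset them to and the files keep whatever label extraction gave them. The AVC quoted earlier also records a relabelto to postgresql_t, the server's process domain, rather than the file type postgresql_db_t, and relabeling a file to a domain type is not something the policy permits. The script below is an added example, not code from the thread or from oVirt: it parses restorecon's warnings (from a constructed sample of -RVVF output) to list the files that got no label, and shows the generic remedy of registering a file-context rule for the extraction directory with semanage fcontext before running restorecon. The directory names and the relabel_dump helper are assumptions for illustration; the alternative that needs no policy change is to extract into a path that already defaults to postgresql_db_t, such as a subdirectory of /var/lib/pgsql.

```shell
#!/bin/sh
# Added example, not part of the thread. Shows why `restorecon -R` on a dump
# extracted under /tmp does nothing, and one way to give the directory a
# default label so restorecon can do its job. Directory names are constructed.

# Constructed sample of `restorecon -RVVF` output, modelled on the warning
# quoted in the thread. Files under /tmp match the <<none>> rule in
# file_contexts, so restorecon has no default to reset them to.
SAMPLE_RESTORECON_OUT='restorecon:  Warning no default label for /tmp/db/pgdump.tar_dir/3622.dat
restorecon:  Warning no default label for /tmp/db/pgdump.tar_dir/toc.dat
restorecon reset /var/lib/pgsql/data/base/1/1247 context unconfined_u:object_r:user_tmp_t:s0->unconfined_u:object_r:postgresql_db_t:s0'

# unlabeled_files OUTPUT: print, one per line, every path restorecon could not
# label. Anything listed here keeps the label it received at extraction time
# (typically user_tmp_t for files an unconfined user creates under /tmp).
unlabeled_files() {
    printf '%s\n' "$1" | sed -n 's/^restorecon: *Warning no default label for //p'
}

# count_unlabeled OUTPUT: number of such paths (0 means every file got a label)
count_unlabeled() {
    unlabeled_files "$1" | awk 'END { print NR }'
}

# relabel_dump DIR (hypothetical helper): register a file-context rule mapping
# DIR and everything below it to postgresql_db_t, then let restorecon apply it.
# Needs root plus the semanage tool (policycoreutils-python on Fedora 18);
# returns 2 when the SELinux userspace tools are absent.
relabel_dump() {
    dir=$(cd "$1" && pwd) || return 1
    if ! command -v semanage >/dev/null 2>&1 || ! command -v matchpathcon >/dev/null 2>&1; then
        echo "SELinux userspace tools not found; skipping relabel of $dir" >&2
        return 2
    fi
    # matchpathcon prints "<<none>>" when no file_contexts rule covers the path
    if matchpathcon "$dir" | grep -q '<<none>>'; then
        semanage fcontext -a -t postgresql_db_t "${dir}(/.*)?" || return 1
    fi
    # -F also replaces the user and role parts, -v reports every change made
    restorecon -RvF "$dir" || return 1
    ls -Z "$dir"
}

# Run over the constructed sample: lists the two /tmp paths that need a rule.
unlabeled_files "$SAMPLE_RESTORECON_OUT"
```

After relabel_dump, a second `restorecon -RVVF` over the directory should print no warnings and `ls -Z` should show postgresql_db_t on every file; count_unlabeled returning 0 on that output is the check to build into a restore script. Rules added with semanage fcontext persist across reboots, so remove them with `semanage fcontext -d` once the staging directory is no longer used.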


