[Engine-devel] SELinux problem

Eli Mesika emesika at redhat.com
Tue Jun 18 00:21:50 UTC 2013



----- Original Message -----
> From: "Daniel J Walsh" <dwalsh at redhat.com>
> To: "Eli Mesika" <emesika at redhat.com>
> Cc: "Yair Zaslavsky" <yzaslavs at redhat.com>, "Barak Azulay" <bazulay at redhat.com>, "engine-devel"
> <engine-devel at ovirt.org>
> Sent: Tuesday, June 18, 2013 12:15:09 AM
> Subject: Re: SELinux problem
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On 06/17/2013 03:17 PM, Eli Mesika wrote:
> > 
> > 
> > ----- Original Message -----
> >> From: "Daniel J Walsh" <dwalsh at redhat.com>
> >> To: "Eli Mesika" <emesika at redhat.com>
> >> Cc: "Yair Zaslavsky" <yzaslavs at redhat.com>, "Barak Azulay" <bazulay at redhat.com>, "engine-devel" <engine-devel at ovirt.org>
> >> Sent: Monday, June 17, 2013 6:51:23 PM
> >> Subject: Re: SELinux problem
> >> 
> > On 06/17/2013 08:49 AM, Eli Mesika wrote:
> >>>> Hi
> >>>> 
> >>>> I am using SELinux Enforcing mode on Fedora 18
> >>>> (selinux-policy-3.11.1-97.fc18.noarch)
> >>>> 
> >>>> As part as our Postgres DB restore we have to
> >>>> 
> >>>> 1) Open a postgres backup packed as a TAR file
> >>>> 2) Restore the database from those files after unpacking with tar xvf.
> >>>> 
> >>>> I have found that I get a Permission Denied when trying to restore
> >>>> the database data files. After investigation, I found that when
> >>>> running "setenforce 0" the restore completes with no errors. Further
> >>>> investigation shows that when I am extracting the TAR file, I have
> >>>> to set the same SELinux context as in the /var/lib/pgsql/data directory,
> >>>> i.e. unconfined_u:object_r:postgresql_db_t:s0
> >>>> 
> >>>> I had tried to do that with chcon :
> >>>> 
> >>>> chcon -u unconfined_u -r object_r -t postgresql_db_t <file>
> >>>> 
> >>>> This failed (also when running with root privileges) and
> >>>> audit2why --all shows a lot of these errors:
> >>>> 
> >>>> type=AVC msg=audit(1371464569.023:671): avc:  denied  { relabelto } for pid=18144 comm="chcon" name="toc.dat" dev="tmpfs" ino=117639 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:system_r:postgresql_t:s0 tclass=file
> >>>> 	Was caused by:
> >>>> 		Missing type enforcement (TE) allow rule.
> >>>> 
> >>>> You can use audit2allow to generate a loadable module to allow this
> >>>> access.
> >>>> 
> >>>> 
> >>>> After googling around that, I found an article by you:
> >>>> 
> >>>> https://docs.fedoraproject.org/en-US/Fedora/11/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow.html
> >>>> 
> >>>> It says : "Missing Type Enforcement rules are usually caused by bugs in
> >>>> SELinux policy, and should be reported in Red Hat Bugzilla. For
> >>>> Fedora, create bugs against the Fedora product, and select the
> >>>> selinux-policy component. Include the output of the audit2allow -w -a
> >>>> and audit2allow -a commands in such bug reports. "
> >>>> 
> >>>> Should I open a BZ on that ?
> >>>> 
> >>>> The TAR I am using is attached. (I am opening it with tar xvf and
> >>>> trying to change the context to desired context as explained above)
> >>>> 
> >>>> Thanks
> >>>> 
> >>>> Eli
> >>>> 
> >>>> 
> >>>> 
> >>>> 
> > Just untar the files and run restorecon -R on them
> > 
> > restorecon -R PATH
> > 
> >> Thanks for the quick response. I tried it and nothing happened, same
> >> results. So I tried with the -RVVF flags and got the following
> > 
> >> restorecon:  Warning no default label for
> >> /tmp/db/00579652_221211073824_pgdump.tar_dir/3622.dat
> > 
> >> ( this appears on each file of the extracted files )
> > 
> >> So, it seems that the pg_dump did not set the correct SELinux defaults on
> >> those files when packaging them, right?
> > 
> >> Any workaround to get out of that...
> > 
> >> Thanks again
> > 
> >> Eli
> > 
> > 
> > 
> > 
> > Should put the default labels on the content.
> >> 
> 
> Why are you storing your postgresql database on a /tmp directory?
> 
> If you put it in the normal places, it would have worked.

The reason is that this is a backup file from which I have to restore the database.

> 
> If you must have it there then you need to label it with
> 
> chcon -Rt postgresql_db_t /tmp/db

That worked!!! Thank you very much for your kind help.


> 
> Will change the label to be usable by postgresql.
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.13 (GNU/Linux)
> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
> 
> iEYEARECAAYFAlG/fF0ACgkQrlYvE4MpobPoXwCfeKhb+JEJX1l/xL/RbavAOjwf
> mwMAoOAhh/m3cifg3ktXF9oAkpHLLlZB
> =4S5u
> -----END PGP SIGNATURE-----
> 
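The denial Eli pasted is one record of the kind audit2why prints, and the restorecon warning is the other clue in this thread: the extracted files sat under /tmp, where no file-context rule applies, so restorecon had nothing to restore them to and chcon was the tool that worked. As an added example (not code from the thread, from oVirt or from Dan Walsh), the Python below parses AVC denial lines and restorecon "no default label" warnings, groups denials by process, permission and the types involved, and gives a one-line reading of each relabel denial. It assumes the text layout that ausearch/audit2why emit (a space-separated `key=value` record after `avc: denied { perms } for`); the sample lines are constructed from the two messages quoted above (a second AVC line and its inode number are made up for a sibling file) and are not real audit output from any host.

```python
# Added example (not from the thread): parse and triage SELinux AVC denials of
# the kind audit2why prints, plus restorecon's "no default label" warnings.
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

# 'avc:  denied  { perm1 perm2 } for key=value key="value" ...'
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")
# key=value pairs; values are quoted (comm="chcon") or bare (tclass=file)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# restorecon -v output for a path that matches no file-context rule in the policy
NO_DEFAULT_RE = re.compile(r"restorecon:\s+Warning no default label for\s+(?P<path>\S+)")


def context_type(ctx: str) -> str:
    """user:role:type[:range] -> the type, i.e. the third colon-separated field."""
    return ctx.split(":")[2]


@dataclass(frozen=True)
class AvcDenial:
    perms: Tuple[str, ...]  # e.g. ("relabelto",)
    comm: Optional[str]     # process name, e.g. "chcon"
    name: Optional[str]     # target object name, e.g. "toc.dat"
    scontext: str           # source (process) context
    tcontext: str           # target context; for relabelto it is the label being applied
    tclass: str             # object class, e.g. "file"


def parse_avc(line: str) -> Optional[AvcDenial]:
    """Return an AvcDenial for an AVC denial line, or None for any other line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    try:
        return AvcDenial(perms=tuple(m.group("perms").split()),
                         comm=fields.get("comm"), name=fields.get("name"),
                         scontext=fields["scontext"], tcontext=fields["tcontext"],
                         tclass=fields["tclass"])
    except KeyError:
        return None  # truncated record: scontext, tcontext and tclass are mandatory


def parse_no_default_label(line: str) -> Optional[str]:
    """Return the path from a restorecon 'no default label' warning, else None."""
    m = NO_DEFAULT_RE.search(line)
    return m.group("path") if m else None


def summarize(lines: Iterable[str]) -> Counter:
    """Count denials by (comm, permission, source type, target type, class)."""
    counts: Counter = Counter()
    for line in lines:
        d = parse_avc(line)
        if d is None:
            continue
        for perm in d.perms:
            counts[(d.comm, perm, context_type(d.scontext),
                    context_type(d.tcontext), d.tclass)] += 1
    return counts


def explain(d: AvcDenial) -> str:
    """One-line reading of a denial; relabel checks name the label being set or replaced."""
    who = f"{d.comm or '?'} ({context_type(d.scontext)})"
    what = f"{d.tclass} {d.name or '?'}"
    ttype = context_type(d.tcontext)
    if "relabelto" in d.perms:
        return f"{who} may not set type {ttype} on {what}"
    if "relabelfrom" in d.perms:
        return f"{who} may not change {what} away from type {ttype}"
    return f"{who} denied {' '.join(d.perms)} on {what} labelled {ttype}"


# Constructed sample: the denial quoted in the mail, a made-up second one for a
# sibling file, audit2why's explanation line and the restorecon warning from the thread.
SAMPLE_LOG = [
    'type=AVC msg=audit(1371464569.023:671): avc:  denied  { relabelto } for pid=18144 '
    'comm="chcon" name="toc.dat" dev="tmpfs" ino=117639 scontext=unconfined_u:unconfined_r:'
    'unconfined_t:s0-s0:c0.c1023 tcontext=system_u:system_r:postgresql_t:s0 tclass=file',
    'type=AVC msg=audit(1371464569.031:672): avc:  denied  { relabelto } for pid=18144 '
    'comm="chcon" name="3622.dat" dev="tmpfs" ino=117640 scontext=unconfined_u:unconfined_r:'
    'unconfined_t:s0-s0:c0.c1023 tcontext=system_u:system_r:postgresql_t:s0 tclass=file',
    '\tWas caused by:\n\t\tMissing type enforcement (TE) allow rule.',
    'restorecon:  Warning no default label for /tmp/db/00579652_221211073824_pgdump.tar_dir/3622.dat',
]

if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).items():
        print(n, key)
    for d in filter(None, map(parse_avc, SAMPLE_LOG)):
        print(explain(d))
    for p in filter(None, map(parse_no_default_label, SAMPLE_LOG)):
        print("no fcontext rule for", p, "-> restorecon cannot relabel it")
```

Run it as a script, or feed it `ausearch -m avc` output line by line; the grouped counts are what you would paste into a selinux-policy bug report, and the "no default label" paths tell you which files restorecon will never touch, which is exactly the case where chcon -Rt on the staging directory is the right fix rather than a policy change.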