Red Hat Bugzilla – Attachment 575403 Details for Bug 810235: SELinux prevents postgres from starting during boot
Description: message from selinux after switching to permissive mode
Filename: selinux_pgsql.txt
MIME Type: text/plain
Creator: hp4
Created: 2012-04-05 13:01:42 UTC
Size: 10.23 KB
>SELinux is preventing /usr/bin/postgres from write access on the Datei /var/lib/pgsql/data/base/16386/16397.
>
>***** Plugin restorecon (94.8 Zuverlässigkeit) schlägt vor *****************
>
>Wennyou want to fix the label.
>/var/lib/pgsql/data/base/16386/16397 default label should be postgresql_db_t.
>Dannyou can run restorecon.
>Ausführen
># /sbin/restorecon -v /var/lib/pgsql/data/base/16386/16397
>
>***** Plugin catchall_labels (5.21 Zuverlässigkeit) schlägt vor ************
>
>Wennsie wollen dem postgres den Zugriff write auf 16397 file erlauben
>Dannyou need to change the label on /var/lib/pgsql/data/base/16386/16397
>Ausführen
># semanage fcontext -a -t FILE_TYPE '/var/lib/pgsql/data/base/16386/16397'
>where FILE_TYPE is one of the following: lastlog_t, pcscd_var_run_t, user_cron_spool_t, postgresql_var_run_t, afs_cache_t, postgresql_tmp_t, postgresql_log_t, hugetlbfs_t, postgresql_lock_t, puppet_tmp_t, postgresql_db_t, postgresql_t, security_t, faillog_t, root_t, krb5_host_rcache_t, security_t.
>Then execute:
>restorecon -v '/var/lib/pgsql/data/base/16386/16397'
>
>
>***** Plugin catchall (1.44 Zuverlässigkeit) schlägt vor *******************
>
>Wennyou believe that postgres should be allowed write access on the 16397 file by default.
>Dannyou should report this as a bug.
>You can generate a local policy module to allow this access.
>Ausführen
>allow this access for now by executing:
># grep postgres /var/log/audit/audit.log | audit2allow -M mypol
># semodule -i mypol.pp
>
>zusätzliche Information:
>Quellkontext system_u:system_r:postgresql_t:s0
>Zielkontext unconfined_u:object_r:var_lib_t:s0
>Zielobjekte /var/lib/pgsql/data/base/16386/16397 [ file ]
>Quelle postgres
>Quellpfad /usr/bin/postgres
>Port <Unbekannt>
>Host aphrodite.planets
>RPM-Pakete der Quelle postgresql-server-9.1.3-1.fc16.i686
>RPM-Pakete des Ziels
>Richtlinien-RPM selinux-policy-3.10.0-80.fc16.noarch
>SELinux aktiviert True
>Richtlinientyp targeted
>Enforcing-Modus Permissive
>Rechnername aphrodite.planets
>Plattform Linux aphrodite.planets 3.3.0-4.fc16.i686.PAE #1 SMP Tue Mar 20 18:24:16 UTC 2012 i686 i686
>Anzahl der Alarme 5
>Zuerst gesehen Do 05 Apr 2012 16:13:17 CEST
>Zuletzt gesehen Do 05 Apr 2012 14:50:01 CEST
>Lokale ID 5b8668da-a22a-4e18-8a42-cb002854a3fb
>
>Raw-Audit-Meldungen
>type=AVC msg=audit(1333630201.315:80): avc: denied { write } for pid=2145 comm="postgres" name="16397" dev="dm-1" ino=1465222 scontext=system_u:system_r:postgresql_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
>
>
>type=SYSCALL msg=audit(1333630201.315:80): arch=i386 syscall=open success=yes exit=EBADF a0=9d2b868 a1=8002 a2=0 a3=9cf6530 items=0 ppid=1017 pid=2145 auid=4294967295 uid=26 gid=26 euid=26 suid=26 fsuid=26 egid=26 sgid=26 fsgid=26 tty=(none) ses=4294967295 comm=postgres exe=/usr/bin/postgres subj=system_u:system_r:postgresql_t:s0 key=(null)
>
>Hash: postgres,postgresql_t,var_lib_t,file,write
>
>audit2allow
>
>#============= postgresql_t ==============
>allow postgresql_t var_lib_t:file write;
>
>audit2allow -R
>
>#============= postgresql_t ==============
>allow postgresql_t var_lib_t:file write;
>
>
>------------------------------------------------------------------------------------------------------
>
>SELinux is preventing /usr/bin/postgres from append access on the Datei /var/lib/pgsql/data/pg_log/postgresql-Thu.log.
>
>***** Plugin restorecon (94.8 Zuverlässigkeit) schlägt vor *****************
>
>Wennyou want to fix the label.
>/var/lib/pgsql/data/pg_log/postgresql-Thu.log default label should be postgresql_db_t.
>Dannyou can run restorecon.
>Ausführen
># /sbin/restorecon -v /var/lib/pgsql/data/pg_log/postgresql-Thu.log
>
>***** Plugin catchall_labels (5.21 Zuverlässigkeit) schlägt vor ************
>
>Wennsie wollen dem postgres den Zugriff append auf postgresql-Thu.log file erlauben
>Dannyou need to change the label on /var/lib/pgsql/data/pg_log/postgresql-Thu.log
>Ausführen
># semanage fcontext -a -t FILE_TYPE '/var/lib/pgsql/data/pg_log/postgresql-Thu.log'
>where FILE_TYPE is one of the following: lastlog_t, sosreport_tmp_t, abrt_var_cache_t, rpm_tmp_t, pcscd_var_run_t, user_cron_spool_t, postgresql_var_run_t, logfile, user_tmp_t, wtmp_t, postgresql_tmp_t, user_home_t, postgresql_log_t, hugetlbfs_t, postgresql_lock_t, puppet_tmp_t, postgresql_db_t, postgresql_t, security_t, faillog_t, root_t, krb5_host_rcache_t, security_t.
>Then execute:
>restorecon -v '/var/lib/pgsql/data/pg_log/postgresql-Thu.log'
>
>
>***** Plugin catchall (1.44 Zuverlässigkeit) schlägt vor *******************
>
>Wennyou believe that postgres should be allowed append access on the postgresql-Thu.log file by default.
>Dannyou should report this as a bug.
>You can generate a local policy module to allow this access.
>Ausführen
>allow this access for now by executing:
># grep postgres /var/log/audit/audit.log | audit2allow -M mypol
># semodule -i mypol.pp
>
>zusätzliche Information:
>Quellkontext system_u:system_r:postgresql_t:s0
>Zielkontext unconfined_u:object_r:var_lib_t:s0
>Zielobjekte /var/lib/pgsql/data/pg_log/postgresql-Thu.log [ file ]
>Quelle postgres
>Quellpfad /usr/bin/postgres
>Port <Unbekannt>
>Host aphrodite.planets
>RPM-Pakete der Quelle postgresql-server-9.1.3-1.fc16.i686
>RPM-Pakete des Ziels
>Richtlinien-RPM selinux-policy-3.10.0-80.fc16.noarch
>SELinux aktiviert True
>Richtlinientyp targeted
>Enforcing-Modus Permissive
>Rechnername aphrodite.planets
>Plattform Linux aphrodite.planets 3.3.0-4.fc16.i686.PAE #1 SMP Tue Mar 20 18:24:16 UTC 2012 i686 i686
>Anzahl der Alarme 1
>Zuerst gesehen Do 05 Apr 2012 16:49:25 CEST
>Zuletzt gesehen Do 05 Apr 2012 16:49:25 CEST
>Lokale ID eb4a08bf-fc39-4dcd-bf36-5509f6f3c5bd
>
>Raw-Audit-Meldungen
>type=AVC msg=audit(1333637365.185:57): avc: denied { append } for pid=1017 comm="postgres" name="postgresql-Thu.log" dev="dm-1" ino=1464724 scontext=system_u:system_r:postgresql_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
>
>
>type=SYSCALL msg=audit(1333637365.185:57): arch=i386 syscall=open success=yes exit=ENOEXEC a0=9c64a48 a1=8441 a2=1b6 a3=0 items=0 ppid=1 pid=1017 auid=4294967295 uid=26 gid=26 euid=26 suid=26 fsuid=26 egid=26 sgid=26 fsgid=26 tty=(none) ses=4294967295 comm=postgres exe=/usr/bin/postgres subj=system_u:system_r:postgresql_t:s0 key=(null)
>
>Hash: postgres,postgresql_t,var_lib_t,file,append
>
>audit2allow
>
>#============= postgresql_t ==============
>allow postgresql_t var_lib_t:file append;
>
>audit2allow -R
>
>#============= postgresql_t ==============
>allow postgresql_t var_lib_t:file append;
>
>------------------------------------------------------------------------------------------------------
>
>
>SELinux is preventing /usr/bin/postgres from unlink access on the Datei pgstat.stat.
>
>***** Plugin restorecon (94.8 Zuverlässigkeit) schlägt vor *****************
>
>Wennyou want to fix the label.
>pgstat.stat default label should be postgresql_db_t.
>Dannyou can run restorecon.
>Ausführen
># /sbin/restorecon -v pgstat.stat
>
>***** Plugin catchall_labels (5.21 Zuverlässigkeit) schlägt vor ************
>
>Wennsie wollen dem postgres den Zugriff unlink auf pgstat.stat file erlauben
>Dannyou need to change the label on pgstat.stat
>Ausführen
># semanage fcontext -a -t FILE_TYPE 'pgstat.stat'
>where FILE_TYPE is one of the following: pcscd_var_run_t, postgresql_var_run_t, postgresql_tmp_t, postgresql_log_t, postgresql_lock_t, postgresql_db_t, root_t, krb5_host_rcache_t.
>Then execute:
>restorecon -v 'pgstat.stat'
>
>
>***** Plugin catchall (1.44 Zuverlässigkeit) schlägt vor *******************
>
>Wennyou believe that postgres should be allowed unlink access on the pgstat.stat file by default.
>Dannyou should report this as a bug.
>You can generate a local policy module to allow this access.
>Ausführen
>allow this access for now by executing:
># grep postgres /var/log/audit/audit.log | audit2allow -M mypol
># semodule -i mypol.pp
>
>zusätzliche Information:
>Quellkontext system_u:system_r:postgresql_t:s0
>Zielkontext unconfined_u:object_r:var_lib_t:s0
>Zielobjekte pgstat.stat [ file ]
>Quelle postgres
>Quellpfad /usr/bin/postgres
>Port <Unbekannt>
>Host aphrodite.planets
>RPM-Pakete der Quelle postgresql-server-9.1.3-1.fc16.i686
>RPM-Pakete des Ziels
>Richtlinien-RPM selinux-policy-3.10.0-80.fc16.noarch
>SELinux aktiviert True
>Richtlinientyp targeted
>Enforcing-Modus Permissive
>Rechnername aphrodite.planets
>Plattform Linux aphrodite.planets 3.3.0-4.fc16.i686.PAE #1 SMP Tue Mar 20 18:24:16 UTC 2012 i686 i686
>Anzahl der Alarme 2
>Zuerst gesehen Do 05 Apr 2012 16:49:25 CEST
>Zuletzt gesehen Do 05 Apr 2012 16:49:25 CEST
>Lokale ID 262d1cab-4b9c-426a-ae1b-08d7fe31b916
>
>Raw-Audit-Meldungen
>type=AVC msg=audit(1333637365.393:59): avc: denied { unlink } for pid=1509 comm="postgres" name="pgstat.stat" dev="dm-1" ino=1468269 scontext=system_u:system_r:postgresql_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
>
>
>type=SYSCALL msg=audit(1333637365.393:59): arch=i386 syscall=unlink success=yes exit=0 a0=84862fc a1=9c832a8 a2=9c832a8 a3=0 items=0 ppid=1017 pid=1509 auid=4294967295 uid=26 gid=26 euid=26 suid=26 fsuid=26 egid=26 sgid=26 fsgid=26 tty=(none) ses=4294967295 comm=postgres exe=/usr/bin/postgres subj=system_u:system_r:postgresql_t:s0 key=(null)
>
>Hash: postgres,postgresql_t,var_lib_t,file,unlink
>
>audit2allow
>
>#============= postgresql_t ==============
>allow postgresql_t var_lib_t:file unlink;
>
>audit2allow -R
>
>#============= postgresql_t ==============
>allow postgresql_t var_lib_t:file unlink;