Bug 149967

Summary: Postgresql cannot read hosts file, thus if using "virtual_host" in postgresql.conf PostGRES will not start
Product: [Fedora] Fedora Reporter: Kurt Seifried <kurt>
Component: selinux-policy-targetedAssignee: Daniel Walsh <dwalsh>
Status: CLOSED RAWHIDE QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: 3   
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2005-03-10 05:10:16 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Kurt Seifried 2005-03-01 01:26:19 UTC 
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.7.3)
Gecko/20041001 Firefox/0.10.1

Description of problem:
The following is from /etc/selinux/config
SELINUX=enforcing
SELINUXTYPE=targeted

From /var/lib/pgsql/data/postgresql.conf:

I made the following changes:

tcpip_socket = true
port = 5432
virtual_host = eth1

I then tried to start Postgresql:

# /etc/rc.d/init.d/postgresql start
Starting postgresql service:                               [FAILED]

And got the following errors in "/var/log/messages":

Feb 28 18:18:25 punky kernel: audit(1109639905.679:0): avc:  denied  {
read } for  pid=30525 exe=/usr/bin/postgres name=hosts dev=dm-0
ino=16334850 scontext=root:system_r:postgresql_t
tcontext=user_u:object_r:tmp_t tclass=file
Feb 28 18:18:25 punky kernel: audit(1109639905.680:0): avc:  denied  {
read } for  pid=30525 exe=/usr/bin/postgres name=hosts dev=dm-0
ino=16334850 scontext=root:system_r:postgresql_t
tcontext=user_u:object_r:tmp_t tclass=file
Feb 28 18:18:27 punky postgresql: Starting postgresql service:  failed

If I comment out the virtual_host in postgresql.conf the server starts
normally (i.e. it does not try to read the hosts file). 



Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.17.30-2.83

How reproducible:
Always

Steps to Reproduce:
1. On a system with SELinux enabled and in enforcing mode, and
SELINUXTYPE is either targeted or strict.
2. Enable the following in postgresql.conf:
tcpip_socket = true
port = 5432
virtual_host = eth1
3. try to start Postgresql

    

Actual Results:  it fails to start

Expected Results:  Postgresql starts 

Additional info:
Comment 1 Daniel Walsh 2005-03-01 13:58:44 UTC 
It is trying to read a hosts file in the /tmp directory?   Any idea
how did that file get created?
Comment 2 Colin Walters 2005-03-01 15:01:47 UTC 
My guess is what happened is you (or your editor) created the file in
/tmp, then did "mv /tmp/postgresql.conf /var/lib/pgsql/data".  

Try:

restorecon -v /var/lib/pgsql/data/postgresql.conf
Comment 3 Kurt Seifried 2005-03-01 22:19:54 UTC 
Huh, why are we talking about the editor? The problem is not the
editor. Editing the file works fine, I turned postgresql off, went to
the /var/lib/pgsql/data/ directory, edited the file, saved the
changes, and checked with less that the file had indeed been changed
appropriately. 

The problem is that when I start postgresql from
/etc/rc.d/init.d/postgresql it fails to start, with no error, and the
messages file about it having failed to read "hosts" (I assume it
means /etc/hosts but I'm not sure as the file location part of the
error is a bit terse).
Comment 4 Daniel Walsh 2005-03-08 16:45:44 UTC 
Can you do an ls -lZ /etc/hosts.  Is it tmp_t?

If yes could you execute
restorecon -R -v /etc/hosts
Comment 5 Kurt Seifried 2005-03-08 21:29:10 UTC 
Here is the output of restorecon -R -v /etc/hosts:

# restorecon -R -v /etc/hosts
restorecon reset context
/etc/hosts:user_u:object_r:tmp_t->system_u:object_r:etc_t

Postgresql still doesn't work.
Comment 6 Daniel Walsh 2005-03-08 22:03:18 UTC 
Are you getting other avc messages?

Dan
Comment 7 Kurt Seifried 2005-03-09 19:28:01 UTC 
I already posted the avc messages, see above in my original report,
anyways here is an avc entry from attempting to start it:

Mar  8 14:27:45 punky kernel: audit(1110317265.163:0): avc:  denied  {
read } for  pid=29041 exe=/usr/bin/postgres name=hosts dev=dm-0
ino=16334850 scontext=root:system_r:postgresql_t
tcontext=user_u:object_r:tmp_t tclass=file
Comment 8 Daniel Walsh 2005-03-09 20:03:19 UTC 
So your hosts file is back to tmp_t?

ls -lZ /etc/hosts

How do you setup your postgres database to use virtual hosts.

When I add
tcpip_socket = true
port = 5432
virtual_host = eth1

to 
/var/lib/pgsql/data/postgresql.conf

I get errors

FATAL:  unrecognized configuration parameter "tcpip_socket"
Comment 9 Kurt Seifried 2005-03-09 20:18:12 UTC 
Then you must have a bjorked install cause that's a standard parameter
that makes postgresql listen on a tcp-ip socket. This is a COMPLETELY
standard Fedora Core 3 install from CD, with all updates applied, this
works on systems without selinux, it errors out with selinux enabled.
Comment 10 Daniel Walsh 2005-03-09 21:17:41 UTC 
Kurt any chance I could talk to you on chat?
#fedora-selinux on Freenode?

My machine is running postgresql-8.0.1-2

But I have a rhel machine running
7.4.6-1.RHEL4.2 that seems to work, except it does not like eth1.

Dan
Comment 11 Kurt Seifried 2005-03-10 00:15:59 UTC 
I finally worked up the guts to modify:

/etc/selinux/targeted/contexts/files/file_contexts.pre

and add the line:

/etc/hosts system_u:object_r:postgresql_etc_t

And voila avc no longer complains.  

Also the eth1 was incorrect, I took the "what interface to listen on;
defaults to any" literally and placed "eth1" in there, when in fact it
wants a hostname, hence the programs attempt to read /etc/hosts I'm
guessing. Anyways I have fixed it so if you could add that line to the
 file_contexts.pre that'll keep it working going forward.
Comment 12 Daniel Walsh 2005-03-10 04:41:13 UTC 
That is wrong.  You do not want /etc/hosts to be postgresql_etc_t.

That will make that file unreadable by other domains.  /etc/hosts
should be etc_t.

Is postgres trying to write to /etc/hosts?

Dan
Comment 13 Kurt Seifried 2005-03-10 04:55:41 UTC 
postgresql just wants to read it, like I said on irc I haven't delved
into the guts of selinux policy file creation (normally it works and I
don't have to =). I just read the file and understand it a bit more
etc_t looks like the correct domain as you imply and added the line:

/etc/hosts                      system_u:object_r:etc_t

works. But I don't understand why the line that is already in there:
/etc(/.*)?                      system_u:object_r:etc_t
wouldn't have taken care of it. Anyways adding that line makes it work
so I'm happy.
Comment 14 Daniel Walsh 2005-03-10 05:10:16 UTC 
It does.  I am closing this bug for now.
Comment 15 Kurt Seifried 2005-03-10 05:18:01 UTC 
If it covers it why doesn't it work until I specifically add the line:

/etc/hosts                      system_u:object_r:etc_t

??
Comment 16 Daniel Walsh 2005-03-10 05:30:57 UTC 
What do you get if you don't add that line?

On my machine I get
restorecon -v /etc/hosts
ls -lZ /etc/hosts
-rw-r--r--  root     root     system_u:object_r:etc_t          /etc/hosts
Comment 17 Kurt Seifried 2005-03-10 06:10:03 UTC 
Ok it's working now, not sure what the heck changed, I did the
restorecon/ls -lZ thing back in comment #5 at which point things were
not working. 

On another fedora 3 server I installed postgresql (it's never had it
on this box). 

ls -laZ /etc/hosts
-rw-r--r--  root     root     user_u:object_r:etc_t   /etc/hosts

and it works, I don't know how the ****ing permissions on /etc/hosts
on the original box got mangled but apparently they did, my apologies
for this mess. :P
Comment 18 Daniel Walsh 2005-03-10 15:03:22 UTC 
I don't know either, but you can recreate the situation by creating a
hosts file in /tmp and moving it to /etc/.  

restorecon /etc/hosts 

Would then fix it's file context.