Bug 149967
| Summary: | Postgresql cannot read hosts file, thus if using "virtual_host" in postgresql.conf PostGRES will not start | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Kurt Seifried <kurt> |
| Component: | selinux-policy-targeted | Assignee: | Daniel Walsh <dwalsh> |
| Status: | CLOSED RAWHIDE | Doc Type: | Bug Fix |
| Severity: | medium | Priority: | medium |
| Version: | 3 | Hardware: | All |
| OS: | Linux | Last Closed: | 2005-03-10 05:10:16 UTC |

Description
Kurt Seifried
2005-03-01 01:26:19 UTC
It is trying to read a hosts file in the /tmp directory? Any idea how that file got created? My guess is what happened is you (or your editor) created the file in /tmp, then did "mv /tmp/postgresql.conf /var/lib/pgsql/data". Try:

    restorecon -v /var/lib/pgsql/data/postgresql.conf

Huh, why are we talking about the editor? The problem is not the editor. Editing the file works fine, I turned postgresql off, went to the /var/lib/pgsql/data/ directory, edited the file, saved the changes, and checked with less that the file had indeed been changed appropriately. The problem is that when I start postgresql from /etc/rc.d/init.d/postgresql it fails to start, with no error, and the messages file about it having failed to read "hosts" (I assume it means /etc/hosts but I'm not sure as the file location part of the error is a bit terse).

Can you do an ls -lZ /etc/hosts. Is it tmp_t? If yes could you execute

    restorecon -R -v /etc/hosts

Here is the output of restorecon -R -v /etc/hosts:

    # restorecon -R -v /etc/hosts
    restorecon reset context /etc/hosts:user_u:object_r:tmp_t->system_u:object_r:etc_t

Postgresql still doesn't work.

Are you getting other avc messages?

Dan

I already posted the avc messages, see above in my original report, anyways here is an avc entry from attempting to start it:

    Mar 8 14:27:45 punky kernel: audit(1110317265.163:0): avc: denied { read } for pid=29041 exe=/usr/bin/postgres name=hosts dev=dm-0 ino=16334850 scontext=root:system_r:postgresql_t tcontext=user_u:object_r:tmp_t tclass=file

So your hosts file is back to tmp_t?

    ls -lZ /etc/hosts

How do you set up your postgres database to use virtual hosts? When I add

    tcpip_socket = true
    port = 5432
    virtual_host = eth1

to /var/lib/pgsql/data/postgresql.conf I get errors

    FATAL: unrecognized configuration parameter "tcpip_socket"

Then you must have a bjorked install cause that's a standard parameter that makes postgresql listen on a tcp-ip socket. This is a COMPLETELY standard Fedora Core 3 install from CD, with all updates applied, this works on systems without selinux, it errors out with selinux enabled.

Kurt any chance I could talk to you on chat? #fedora-selinux on Freenode?

My machine is running postgresql-8.0.1-2. But I have a rhel machine running 7.4.6-1.RHEL4.2 that seems to work, except it does not like eth1.

Dan

I finally worked up the guts to modify /etc/selinux/targeted/contexts/files/file_contexts.pre and add the line:

    /etc/hosts system_u:object_r:postgresql_etc_t

And voila avc no longer complains. Also the eth1 was incorrect, I took the "what interface to listen on; defaults to any" literally and placed "eth1" in there, when in fact it wants a hostname, hence the program's attempt to read /etc/hosts I'm guessing. Anyways I have fixed it so if you could add that line to the file_contexts.pre that'll keep it working going forward.

That is wrong. You do not want /etc/hosts to be postgresql_etc_t. That will make that file unreadable by other domains. /etc/hosts should be etc_t. Is postgres trying to write to /etc/hosts?

Dan

postgresql just wants to read it, like I said on irc I haven't delved into the guts of selinux policy file creation (normally it works and I don't have to =). I just read the file and understand it a bit more, etc_t looks like the correct domain as you imply and added the line:

    /etc/hosts system_u:object_r:etc_t

works. But I don't understand why the line that is already in there:

    /etc(/.*)? system_u:object_r:etc_t

wouldn't have taken care of it. Anyways adding that line makes it work so I'm happy.

It does. I am closing this bug for now.

If it covers it why doesn't it work until I specifically add the line:

    /etc/hosts system_u:object_r:etc_t

??

What do you get if you don't add that line? On my machine I get

    restorecon -v /etc/hosts
    ls -lZ /etc/hosts
    -rw-r--r-- root root system_u:object_r:etc_t /etc/hosts

Ok it's working now, not sure what the heck changed, I did the restorecon/ls -lZ thing back in comment #5 at which point things were not working. On another fedora 3 server I installed postgresql (it's never had it on this box).

    ls -laZ /etc/hosts
    -rw-r--r-- root root user_u:object_r:etc_t /etc/hosts

and it works, I don't know how the ****ing permissions on /etc/hosts on the original box got mangled but apparently they did, my apologies for this mess. :P

I don't know either, but you can recreate the situation by creating a hosts file in /tmp and moving it to /etc/.

    restorecon /etc/hosts

would then fix its file context.
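
The diagnosis the thread converges on can be reproduced offline: take the type from the denial's tcontext and compare it with the default that the file_contexts regex assigns to the path. This is an added example, not code from the bug report or from the SELinux project; the function names are hypothetical, the /tmp entry is constructed, and "last full match wins" is a simplification of how file_contexts entries are ordered.

```python
import re

# AVC denial quoted in the thread.
AVC_LINE = ("Mar 8 14:27:45 punky kernel: audit(1110317265.163:0): avc: denied "
            "{ read } for pid=29041 exe=/usr/bin/postgres name=hosts dev=dm-0 "
            "ino=16334850 scontext=root:system_r:postgresql_t "
            "tcontext=user_u:object_r:tmp_t tclass=file")

# The /etc entry is the one quoted in the thread; the /tmp entry is constructed.
FILE_CONTEXTS = """\
/tmp(/.*)?  system_u:object_r:tmp_t
/etc(/.*)?  system_u:object_r:etc_t
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)")

def parse_avc(line):
    """Return the key=value fields of an AVC denial plus the denied perms."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group(2).split() if "=" in kv)
    fields["perms"] = m.group(1).split()
    return fields

def default_type(path, spec=FILE_CONTEXTS):
    """Type the policy assigns to path. Simplification: last full match wins."""
    found = None
    for entry in spec.splitlines():
        parts = entry.split()
        if len(parts) == 2 and re.fullmatch(parts[0], path):
            found = parts[1].split(":")[2]
    return found

def check_label(avc_line, path, spec=FILE_CONTEXTS):
    """Compare the label in the denial with the policy default for path."""
    avc = parse_avc(avc_line)
    if avc is None:
        raise ValueError("not an AVC denial")
    on_disk = avc["tcontext"].split(":")[2]
    expected = default_type(path, spec)
    stale = expected is not None and on_disk != expected
    return {"domain": avc["scontext"].split(":")[2], "on_disk": on_disk,
            "expected": expected, "mislabeled": stale,
            "fix": f"restorecon -v {path}" if stale else None}

if __name__ == "__main__":
    print(check_label(AVC_LINE, "/etc/hosts"))
```

The existing `/etc(/.*)?` entry already yields etc_t for /etc/hosts, so no per-file entry is needed. The policy default is only written to the file when it is relabeled, which is why a file moved in from /tmp keeps tmp_t until restorecon runs.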