Bug 1920529

Summary: postgresql starting in wrong domain initrc_t
Product: Red Hat Satellite Reporter: Jan Jansky <jjansky>
Component: SELinuxAssignee: Lukas Zapletal <lzap>
Status: CLOSED CURRENTRELEASE QA Contact: Satellite QE Team <sat-qe-bz-list>
Severity: high Docs Contact:
Priority: medium    
Version: 6.8.0CC: ahumbe, aruzicka, ekohlvan, jbhatia, jhutar, ktordeur, lzap, nshaik, pcreech, rcavalca, rlavi, sadas, saydas
Target Milestone: UnspecifiedKeywords: Triaged
Target Release: UnusedFlags: jhutar: needinfo? (pcreech)
aruzicka: needinfo? (pcreech)
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2023-08-10 13:06:07 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Jan Jansky 2021-01-26 13:44:26 UTC 
Description of problem: After upgrade to Satellite 6.8 postgresql starting in wrong domain initrc_t, which ends in selinux denials as below.

type=AVC msg=audit(1611603322.116:2772): avc:  denied  { connectto } for  pid=4588 comm="sidekiq" path="/run/postgresql/.s.PGSQL.5432" scontext=system_u:system_r:foreman_rails_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket permissive=0


How reproducible:
I was not able to reproduce, not sure what is causing wrong domain.

Actual results:

type=AVC msg=audit(1611603322.116:2772): avc:  denied  { connectto } for  pid=4588 comm="sidekiq" path="/run/postgresql/.s.PGSQL.5432" scontext=system_u:system_r:foreman_rails_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket permissive=0


Expected results:

Correct domain used (system_u:system_r:postgresql_t:s0)

No error or denial.


Additional info:

# hammer ping
500 Internal Server Error

Jan 01 00:00:00 hostname dynflow-sidekiq@worker-hosts-queue: could not connect to server: Permission denied
Jan 01 00:00:00 hostname dynflow-sidekiq@worker-hosts-queue: Is the server running locally and accepting
Jan 01 00:00:00 hostname dynflow-sidekiq@worker-hosts-queue: connections on Unix domain socket "/var/run/postgresql/.s.PGSQL.5432"?

# sesearch -s init_t --type -c process | grep postgres
   type_transition init_t postgresql_exec_t : process postgresql_t; 
   type_transition init_t postgresql_initrc_exec_t : process initrc_t;

# ls -alZ /usr/bin | grep postgres
-rwxr-xr-x. root root    system_u:object_r:postgresql_exec_t:s0 postgres
Comment 4 isinghal 2022-05-16 09:25:15 UTC 
Hello Team.
We seem to facing the same issue since last week while installing sat 6.11.0. We have tried the solution above but it does not sem to work for us. Could you please help out with what we are missing?
cc @jhutar
Comment 10 Lukas Zapletal 2022-06-09 11:30:55 UTC 
Good research, I saw this reported years ago and we could not figure it out. You are on the right track I think, the alias (mapping) is key here. This actually makes "restorecon" to set those contexts, that is the tool which is typically run in postinstall script for each package.

I do not remember what creates the alias tho, can you list RPM files containing "selinux" on both systems? I expect one named "postgresql-selinux". If not, it should be in the base policy.
Comment 11 Lukas Zapletal 2022-06-09 11:34:50 UTC 
This is where the policy lives (Rawhide, we do have CentOS 8 Stream branch somewhere):

https://github.com/fedora-selinux/selinux-policy/blob/rawhide/policy/modules/services/postgresql.te
https://github.com/fedora-selinux/selinux-policy/blob/rawhide/policy/modules/services/postgresql.if
https://github.com/fedora-selinux/selinux-policy/blob/rawhide/policy/modules/services/postgresql.fc

It must be defined somewhere in an "SCL" package (post scriplet?) I'd ask SELinux guys.
Comment 12 Adam Ruzicka 2022-06-09 11:51:22 UTC 
I think we have a winner here

# rpm -q --scripts rh-postgresql12-runtime-3.4-1.el7.x86_64
postinstall scriptlet (using /bin/sh):
# Simple copy of context from system root to SCL root.
# In case new version needs some additional rules or context definition,
# it needs to be solved in base system.
# semanage does not have -e option in RHEL-5, so we would
# have to have its own policy for collection.
semanage fcontext -a -e / /opt/rh/rh-postgresql12/root >/dev/null 2>&1 || :
semanage fcontext -a -e /etc /etc/opt/rh/rh-postgresql12 >/dev/null 2>&1 || :
semanage fcontext -a -e /var /var/opt/rh/rh-postgresql12 >/dev/null 2>&1 || :

selinuxenabled && load_policy || :
restorecon -R /opt/rh/rh-postgresql12/root >/dev/null 2>&1 || :
restorecon -R /etc/opt/rh/rh-postgresql12 >/dev/null 2>&1 || :
restorecon -R /var/opt/rh/rh-postgresql12 >/dev/null 2>&1 || :

On my machine, the system was fully up-to-date before installing Satellite, on the reproducer machine it was not. During the same yum transaction where rh-postgresql12-runtime was installed, there was also an update to selinux-policy and selinux-policy-targeted. Not saying this is the cause, but it might play some role in this as well as the postinstall which should set up the contexts apparently failed silently.

@Jan: Are you able to hit this reliably? If so, could you try fully upgrading the machine before installing satellite?
Comment 13 Lukas Zapletal 2022-06-10 05:22:37 UTC 
If this is the case, the solution for these bugs (postscriplet vs base policy order) can be typically solved by requiring specific selinux-policy version from our foreman-selinux package. We already have such a requirement in our package to workaround other bug so we just need to bump the version:

https://github.com/theforeman/foreman-packaging/blob/rpm/develop/packages/foreman/foreman-selinux/foreman-selinux.spec#L21

It looks like the current version of the SPEC actually requires the version it was installed in the buildroot which is perhaps a good default value but we need to bump this to the required version. Or simply make sure that such version is in the buildroot, this can be done by creating ticket for satellite release engineering.
Comment 14 isinghal 2022-06-11 15:48:50 UTC 
Yes, fully upgrading machine before installing satellite solves the issue. Thank you!
Comment 16 Jan Jansky 2022-06-13 07:26:49 UTC 
@Adam: as i wrote during case opening in January 2021 i was not able to reproduce, it was strictly issue on customer's side, so no i am not able to hit this reliability and no i cannot upgrade the machine before installing Satellite because i do not have reproducer, also cannot ask the customer as cases which hit this are closed for very long time now.
Comment 24 Brad Buckingham 2023-07-21 21:06:39 UTC 
Upon review of our valid but aging backlog the Satellite Team has concluded that this Bugzilla does not meet the criteria for a resolution in the near term, and are planning to close in a month. This message may be a repeat of a previous update and the bug is again being considered to be closed. If you have any concerns about this, please contact your Red Hat Account team.  Thank you.
Comment 25 Ewoud Kohl van Wijngaarden 2023-08-10 13:06:07 UTC 
Since this is all SCL related and that implies RHEL7, I'm going to close this as CURRENTRELEASE. It shouldn't affect RHEL8. Our docs also suggest to run yum/dnf update prior to installation which should also resolve the issue.