Bug 551063

Summary: selinux prevents postgresql-test regression tests from succeeding
Product: Red Hat Enterprise Linux 5
Reporter: Tom Lane <tgl>
Component: selinux-policy-targeted
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: low
Priority: high
Version: 5.5
CC: dwalsh, ebenes, hhorak, mmalik
Target Milestone: beta
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2010-03-30 07:49:31 UTC
Bug Blocks: 550783

Description Tom Lane 2009-12-28 19:27:50 UTC
Description of problem:
The postgresql regression tests include some .so files that need to be dynamically loaded by the postgresql server.  This worked last time I checked it in Fedora, but I find that selinux prevents it in RHEL5.5.  I get

ERROR:  could not load library "/usr/lib64/pgsql/test/regress/regress.so": /usr/lib64/pgsql/test/regress/regress.so: failed to map segment from shared object: Permission denied

although curiously there is nothing in /var/log/messages about it

Version-Release number of selected component (if applicable):
selinux-policy-2.4.6-267.el5

How reproducible:
100%

Steps to Reproduce:
1.  Install postgresql-test (and therefore also postgresql-server etc)
2.  service postgresql start
3.  su postgres
4.  cd /usr/lib(64)/pgsql/test/regress
5.  make check

Actual results:
several tests fail; all of the errors trace to being unable to load several .so files that are
installed in the regress directory.

Expected results:
regression tests should all pass

Additional info:
ls -Z shows the .so's are labeled postgresql_db_t which is probably the wrong thing.  On my F-11 box they show up as lib_t.

Comment 1 Daniel Walsh 2009-12-29 23:19:44 UTC
Miroslav, looks like we need

/var/lib(64)?/pgsql/.*\.so.*		--	gen_context(system_u:object_r:lib_t,s0)
/var/lib(64)?/pgsql/test/regress/.*\.so.*		--	gen_context(system_u:object_r:lib_t,s0)

Comment 2 Tom Lane 2009-12-30 00:39:36 UTC
/usr, please, not /var

Also, now that I'm looking at this, we should also allow loading libraries from

/usr/lib(64)?/pgsql/plugins/.*\.so.*

which is a subdirectory that's allowed in recent PG releases.
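
Added example, not part of the bug thread or of the shipped policy: a simplified Python check of which file-context entries cover a given path, run over the entries posted in Comment 1 and a constructed `/usr` variant that follows Comment 2. It assumes patterns must match the whole path and does not model libselinux's precedence among multiple matches; `parse_fc`, `matching_contexts` and the plugin file name are hypothetical.

```python
import re
import stat

# Entries exactly as posted in Comment 1 (wrong /var prefix).
COMMENT_1 = r"""
/var/lib(64)?/pgsql/.*\.so.*		--	gen_context(system_u:object_r:lib_t,s0)
/var/lib(64)?/pgsql/test/regress/.*\.so.*		--	gen_context(system_u:object_r:lib_t,s0)
"""
# Constructed for illustration: Comment 2's corrections applied (not the shipped policy).
CORRECTED = r"""
/usr/lib(64)?/pgsql/test/regress/.*\.so.*	--	gen_context(system_u:object_r:lib_t,s0)
/usr/lib(64)?/pgsql/plugins/.*\.so.*	--	gen_context(system_u:object_r:lib_t,s0)
"""
# Path from the error message in the description, plus a constructed plugin path.
REPORTED = "/usr/lib64/pgsql/test/regress/regress.so"
PLUGIN = "/usr/lib64/pgsql/plugins/example.so"

# File-type field of a .fc entry: "--" restricts the entry to regular files.
FILE_TYPES = {"--": stat.S_IFREG, "-d": stat.S_IFDIR, "-l": stat.S_IFLNK}

def parse_fc(text):
    """Parse .fc lines into (compiled pattern, file type or None, context)."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        pattern, context = fields[0], fields[-1]
        ftype = FILE_TYPES[fields[1]] if len(fields) == 3 else None
        macro = re.fullmatch(r"gen_context\(([^,]+),([^)]+)\)", context)
        if macro:  # expand the m4 macro to user:role:type:level
            context = f"{macro.group(1)}:{macro.group(2)}"
        entries.append((re.compile(pattern), ftype, context))
    return entries

def matching_contexts(entries, path, mode=stat.S_IFREG):
    """Contexts of every entry whose pattern covers the whole path and whose type fits."""
    return [ctx for rx, ftype, ctx in entries
            if (ftype is None or ftype == mode) and rx.fullmatch(path)]

if __name__ == "__main__":
    for name, text in (("Comment 1", COMMENT_1), ("corrected", CORRECTED)):
        for path in (REPORTED, PLUGIN):
            print(name, path, matching_contexts(parse_fc(text), path) or "no match")
```

On a live system, `matchpathcon` reports the context the installed policy assigns to a path, and `restorecon` applies it after a policy update.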

Comment 3 Daniel Walsh 2009-12-30 00:57:22 UTC
I guess I should not be doing this late night in a ski lodge.   

Sorry Tom.

Comment 5 Miroslav Grepl 2010-01-05 17:27:22 UTC
Fixed in selinux-policy-2.4.6-268.el5

Comment 9 errata-xmlrpc 2010-03-30 07:49:31 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2010-0182.html