Bug 691546

Summary: erroneous postgres user restriction
Product: [Fedora] Fedora
Reporter: roland
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED WONTFIX
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: unspecified
Version: 14
CC: dwalsh, mgrepl
Keywords: Reopened
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2012-08-16 21:31:59 UTC

Description roland 2011-03-28 19:48:01 UTC
Description of problem:
postgres not allowed access to subdirectories when it doesn't have access to parent

Version-Release number of selected component (if applicable):


How reproducible:
100%

Steps to Reproduce:
1.  Raw install of Fedora14
2.  Manually hack everything necessary to get PostgreSQL started
3.  create a directory under a user owned partition, change owner of new directory to postgres
4.  Attempt to create tablespace and wait for security alert after failure
  
Actual results:
security failure

Expected results:
tablespace should be created

Additional info:

I run the following commands every time I install a new OpenSuSE or Ubuntu machine.

sudo -u postgres createuser -s --pwprompt roland

#   Need to use pwprompt to prompt for password so xpnsqt will
#   be able to connect to the database.
#

sudo mkdir /db_data/postgres_data
sudo chown postgres:postgres /db_data/postgres_data

psql -d postgres -c " create tablespace bigspace location '/db_data/postgres_data' "


It always works, but not on Fedora.  Had to follow SELinux command suggestions to add exception.  This should be the rule, not the exception.

Comment 1 Miroslav Grepl 2011-03-29 11:03:44 UTC
You will need to set up labeling for the /db_data directory. Try to execute

# semanage fcontext -a -t  postgresql_db_t  '/db_data(/.*)?'
# restorecon -R -v /db_data

Comment 2 Miroslav Grepl 2011-03-29 11:04:06 UTC
*** Bug 691551 has been marked as a duplicate of this bug. ***

Comment 3 Miroslav Grepl 2011-03-29 11:04:44 UTC
*** Bug 691559 has been marked as a duplicate of this bug. ***

Comment 4 Miroslav Grepl 2011-03-29 11:05:11 UTC
*** Bug 691562 has been marked as a duplicate of this bug. ***

Comment 5 roland 2011-03-29 18:27:28 UTC
(In reply to comment #1)
> You will need to set up labeling for the /db_data directory. Try to execute
> 
> # semanage fcontext -a -t  postgresql_db_t  '/db_data(/.*)?'
> # restorecon -R -v /db_data

I tried _every_ suggestion listed.  NONE of them work.  This version of the package was _never_ tested with PostgreSQL.  I finally had to hand edit the file to make it permissive or whatever.

If you have any user owning a directory above which postgres:postgres owns a directory, there is absolutely no "settings" which work to clear this error and allow PostgreSQL to create tablespace.

Comment 6 Daniel Walsh 2011-03-29 19:33:52 UTC
ls -lZ /db_data

Comment 7 roland 2011-03-29 19:41:27 UTC
(In reply to comment #6)
> ls -lZ /db_data

[roland@localhost ~]$ ls -lZ /db_data
drwx------. root     root     system_u:object_r:file_t:s0      lost+found
drwx------. postgres postgres unconfined_u:object_r:file_t:s0  postgres_data
[roland@localhost ~]$ 
[roland@localhost ~]$ sudo ls -lZ /db_data
[sudo] password for roland: 
Sorry, try again.
[sudo] password for roland: 
drwx------. root     root     system_u:object_r:file_t:s0      lost+found
drwx------. postgres postgres unconfined_u:object_r:file_t:s0  postgres_data
[roland@localhost ~]$

Comment 8 Daniel Walsh 2011-03-29 20:26:36 UTC
Which means you have no labels assigned.
What happens when you run 

restorecon -R -v /db_data

What does 
matchpathcon /db_data
output?

Comment 9 roland 2011-03-29 20:35:18 UTC
(In reply to comment #8)
> Which means you have no labels assigned.
> What happens when you run 
> 
> restorecon -R -v /db_data
> 
> What does 
> matchpathcon /db_data
> output?

restorecon reset /db_data/postgres_data/16950/2679 context system_u:object_r:file_t:s0->system_u:object_r:default_t:s0
restorecon reset /db_data/postgres_data/16950/2675 context system_u:object_r:file_t:s0->system_u:object_r:default_t:s0
restorecon reset /db_data/postgres_data/16950/11457 context system_u:object_r:file_t:s0->system_u:object_r:default_t:s0
restorecon reset /db_data/lost+found context system_u:object_r:file_t:s0->system_u:object_r:default_t:s0
[roland@localhost ~]$ 
[roland@localhost ~]$ 
[roland@localhost ~]$ 
[roland@localhost ~]$ matchpathcon /deb_data 
/deb_data	system_u:object_r:etc_runtime_t:s0
[roland@localhost ~]$ sudo matchpathcon /deb_data 
/deb_data	system_u:object_r:etc_runtime_t:s0
[roland@localhost ~]$ 
[roland@localhost ~]$ 
[roland@localhost ~]$ matchpathcon /db_data 
/db_data	system_u:object_r:default_t:s0
[roland@localhost ~]$ sudo matchpathcon /db_data 
/db_data	system_u:object_r:default_t:s0
[roland@localhost ~]$

Comment 10 Miroslav Grepl 2011-03-29 20:40:22 UTC
Did you really run 

semanage fcontext -a -t  postgresql_db_t  '/db_data(/.*)?'

command?

Comment 11 roland 2011-03-29 20:59:19 UTC
(In reply to comment #10)
> Did you really run 
> 
> semanage fcontext -a -t  postgresql_db_t  '/db_data(/.*)?'
> 
> command?

I ran every "suggestion" SELinux Trouble shooting tossed at me.  There were many many many _t things applied to /db_data and /postgres_data, I did not save a complete list as I quit counting after 30.

Nothing the "Troubleshooting" guide suggested worked, NOT EVEN THE GREP COMMAND SEQUENCE TO GENERATE AND ADD A RULE.

I can only conclude that SELinux was never tested with PostgreSQL at any point in time.

Comment 12 Miroslav Grepl 2011-03-30 13:31:35 UTC
Ok, could you please try to run

# chcon -R -t postgresql_db_t /db_data
# ls -dZ /db_data

Comment 13 roland 2011-03-30 23:03:56 UTC
(In reply to comment #12)
> Ok, could you please try to run
> 
> # chcon -R -t postgresql_db_t /db_data
> # ls -dZ /db_data

[roland@localhost ~]$ chcon -R -t postgresql_db_t /db_data
chcon: cannot read directory `/db_data/postgres_data': Permission denied
chcon: cannot read directory `/db_data/lost+found': Permission denied
chcon: failed to change context of `/db_data' to `system_u:object_r:postgresql_db_t:s0': Operation not permitted
[roland@localhost ~]$ sudo chcon -R -t postgresql_db_t /db_data
[sudo] password for roland: 
Sorry, try again.
[sudo] password for roland: 
[roland@localhost ~]$ 
[roland@localhost ~]$ 
[roland@localhost ~]$ 
[roland@localhost ~]$ ls -dZ /db_data
drwxr-xr-x. postgres postgres system_u:object_r:postgresql_db_t:s0 /db_data
[roland@localhost ~]$ sudo 
usage: sudo -h | -K | -k | -L | -V
usage: sudo -v [-AknS] [-g groupname|#gid] [-p prompt] [-u user name|#uid]
usage: sudo -l[l] [-AknS] [-g groupname|#gid] [-p prompt] [-U user name] [-u
            user name|#uid] [-g groupname|#gid] [command]
usage: sudo [-AbEHknPS] [-r role] [-t type] [-C fd] [-g groupname|#gid] [-p
            prompt] [-u user name|#uid] [-g groupname|#gid] [VAR=value] [-i|-s]
            [<command>]
usage: sudo -e [-AknS] [-r role] [-t type] [-C fd] [-g groupname|#gid] [-p
            prompt] [-u user name|#uid] file ...
[roland@localhost ~]$ sudo ls -dZ /db_data
drwxr-xr-x. postgres postgres system_u:object_r:postgresql_db_t:s0 /db_data
[roland@localhost ~]$

Comment 14 Miroslav Grepl 2011-03-31 06:39:02 UTC
Ok, this is the right context. Does PostgreSQL work?

Comment 15 roland 2011-03-31 14:16:33 UTC
(In reply to comment #14)
> Ok, this is the right context. Does PostgreSQL work?

As I said, I had to turn SELinux off.  I'm leaving it off.  I'm never enabling that busted hunk of doo-doo again.

The commands you had me issue were _never_ provided in the Trouble shooting, so you need to start fixing there.  The setup is easy.

Create a shiny new partition you own that is ext3.
Create a directory in it owned by postgres:postgres
Try to create tablespace there.

Comment 16 Daniel Walsh 2011-03-31 16:08:02 UTC
Well thanks for your kind words.

SELinux worked properly.  The setroubleshoot command even told you to fix the labels on the new disk.  Perhaps it did not figure out the entire path.

You understand DAC since you stated that you fixed the setup with the following two commands.

sudo mkdir /db_data/postgres_data
sudo chown postgres:postgres /db_data/postgres_data

Miroslav told you in the first line how to fix SELinux.

# semanage fcontext -a -t  postgresql_db_t  '/db_data(/.*)?'
# restorecon -R -v /db_data

Which is pretty much the equivalent of the chown line above.  These lines tell SELinux that /db_data will contain a postgresql database.

restorecon just puts the labels on the disk.

You never attached the setroubleshoot, which may or may not have told you the same thing.
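
Added example (not part of the original thread and not Fedora's tooling): a Python check for the diagnostic point behind comments 10 and 16. It parses `restorecon -v` lines in the format posted above and flags paths covered by the `/db_data(/.*)?` rule that were relabeled to a type other than `postgresql_db_t`, the result to expect when `restorecon` runs without the `semanage fcontext` rule in place. Python's `re.fullmatch` stands in for SELinux's whole-path file-context matching (an assumption that holds for this simple pattern); the function names and the third sample line are constructed.

```python
import re
from typing import NamedTuple

# Rule from the thread: semanage fcontext -a -t postgresql_db_t '/db_data(/.*)?'
RULE_REGEX = r"/db_data(/.*)?"
RULE_TYPE = "postgresql_db_t"

# Line format of `restorecon -R -v` output as posted in this thread.
LINE_RE = re.compile(
    r"^restorecon reset (?P<path>.+) context (?P<old>\S+)->(?P<new>\S+)$")

class Relabel(NamedTuple):
    path: str
    old_type: str
    new_type: str

def selinux_type(context):
    """Return the type field of a user:role:type:level context string."""
    return context.split(":")[2]

def parse_restorecon(output):
    """Turn verbose restorecon output into a list of Relabel records."""
    records = []
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(Relabel(m["path"], selinux_type(m["old"]),
                                   selinux_type(m["new"])))
    return records

def rule_matches(path):
    """File-context regexes must match the whole path, so use fullmatch."""
    return re.fullmatch(RULE_REGEX, path) is not None

def unexpected_relabels(output):
    """Paths the rule covers that did not end up with the rule's type."""
    return [r for r in parse_restorecon(output)
            if rule_matches(r.path) and r.new_type != RULE_TYPE]

# First two lines are from the output posted in this bug; the third is
# constructed to show what a relabel looks like once the rule is in place.
SAMPLE = """\
restorecon reset /db_data/postgres_data/16619/2702 context system_u:object_r:file_t:s0->system_u:object_r:default_t:s0
restorecon reset /db_data/lost+found context system_u:object_r:file_t:s0->system_u:object_r:default_t:s0
restorecon reset /db_data/postgres_data context system_u:object_r:file_t:s0->system_u:object_r:postgresql_db_t:s0
"""

if __name__ == "__main__":
    for r in unexpected_relabels(SAMPLE):
        print(f"{r.path}: {r.old_type} -> {r.new_type}, expected {RULE_TYPE}")
```

`rule_matches` also shows why the `/deb_data` lookups earlier in the thread say nothing about the tablespace: that path is not covered by the rule.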

Comment 17 roland 2011-03-31 16:23:35 UTC
Despite your opinion SELinux did not work correctly.

-----
You understand DAC since you stated that you fixed the setup with the following
two commands.

sudo mkdir /db_data/postgres_data
sudo chown postgres:postgres /db_data/postgres_data

-----
I "fixed" the problem by disabling SELinux.  I created the directories and changed ownership BEFORE attempting to create tablespace with Postgres.

The troubleshooting suggestions, of which I applied ALL, never once "fixed" the problem.  We do not, today, even know if what you said "fixed" the problem because I will not enable SELinux again, it is poorly thought out and sadly implemented.

I gave you the scenario where SELinux and its trouble shooting suggestions produce a failure of biblical proportions wasting no less than 6 hours of a user's time.

1)  Create a shiny new ext3 partition with a label and mount point of /db_data.  Jump through all of the needless hoops in Fedora to get that drive automatically mounted with system boot.

2)  Install PostgreSQL

3)  create a directory under /db_data with whatever name you want and change the owner to postgres:postgres

4)  Attempt to create tablespace changing postgres_data to be the directory you created.
psql -d postgres -c " create tablespace bigspace location '/db_data/postgres_data' "

5)  Watch SELinux fail time and time again.  Apply each of its "troubleshooting suggestions" and watch it continue to fail.  Spend 6 hours applying those "suggested tags" one at a (^)(&*ing time doing the restorecon command IT gives you, not one you pluck from somewhere else.

6)  Eventually you will completely disable SELinux because the "product", and I use that term loosely, should have never shipped or been installed by default.

Comment 18 Daniel Walsh 2011-03-31 16:34:03 UTC
And yet you still have not produced the sealert message suggestion.

There were multiple ways of fixing this, I would just like to see what the setroubleshoot suggestion was.  But sadly you would rather take a dump on our work than give us the alert message.

Comment 19 roland 2011-03-31 17:28:47 UTC
(In reply to comment #18)
> And yet you still have not produced the sealert message suggestion.
> 
> There were multiple ways of fixing this, I would just like to see what the
> setroubleshoot suggestion was.  But sadly you would rather take a dump on our
> work than give us the alert message.

Sadly, when given the exact 4 steps to reproduce exactly what you wish to see, steps that will reproduce it 100% of the time, you would rather whine and snivel about people saying your "work" wasn't the answer to world hunger rather than do what a developer would do and TEST.

Comment 20 Fedora End Of Life 2012-08-16 21:32:02 UTC
This message is a notice that Fedora 14 is now at end of life. Fedora 
has stopped maintaining and issuing updates for Fedora 14. It is 
Fedora's policy to close all bug reports from releases that are no 
longer maintained.  At this time, all open bugs with a Fedora 'version'
of '14' have been closed as WONTFIX.

(Please note: Our normal process is to give advanced warning of this 
occurring, but we forgot to do that. A thousand apologies.)

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, feel free to reopen 
this bug and simply change the 'version' to a later Fedora version.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we were unable to fix it before Fedora 14 reached end of life. If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora, you are encouraged to click on 
"Clone This Bug" (top right of this page) and open it against that 
version of Fedora.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping