Bug 812478

Summary: SELinux is preventing /usr/bin/initdb from 'append' accesses on the file /var/lib/pgsql/initdb.log.
Product: [Fedora] Fedora Reporter: Luke Macken <lmacken>
Component: postgresqlAssignee: Pavel Raiskup <praiskup>
Status: CLOSED CURRENTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 17CC: devrim, dominick.grift, dwalsh, hhorak, mgrepl, pfrields, tgl
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Unspecified   
Whiteboard: abrt_hash:7290333fa07401a1ad7d1e4eac32463b5fbedea5939531fb653a26f96d9d86d8
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-06-04 11:35:15 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Luke Macken 2012-04-13 20:38:31 UTC 
libreport version: 2.0.10
executable:     /usr/bin/python2.7
hashmarkername: setroubleshoot
kernel:         3.3.1-3.fc17.x86_64
time:           Fri 13 Apr 2012 04:38:14 PM EDT

description:
:SELinux is preventing /usr/bin/initdb from 'append' accesses on the file /var/lib/pgsql/initdb.log.
:
:*****  Plugin leaks (86.2 confidence) suggests  ******************************
:
:If you want to ignore initdb trying to append access the initdb.log file, because you believe it should not need this access.
:Then you should report this as a bug.  
:You can generate a local policy module to dontaudit this access.
:Do
:# grep /usr/bin/initdb /var/log/audit/audit.log | audit2allow -D -M mypol
:# semodule -i mypol.pp
:
:*****  Plugin catchall (14.7 confidence) suggests  ***************************
:
:If you believe that initdb should be allowed append access on the initdb.log file by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep initdb /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                unconfined_u:system_r:postgresql_t:s0
:Target Context                unconfined_u:object_r:var_lib_t:s0
:Target Objects                /var/lib/pgsql/initdb.log [ file ]
:Source                        initdb
:Source Path                   /usr/bin/initdb
:Port                          <Unknown>
:Host                          (removed)
:Source RPM Packages           postgresql-server-9.1.3-3.fc17.x86_64
:Target RPM Packages           
:Policy RPM                    selinux-policy-3.10.0-110.fc17.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Permissive
:Host Name                     (removed)
:Platform                      Linux (removed) 3.3.1-3.fc17.x86_64 #1 SMP Wed
:                              Apr 4 18:13:49 UTC 2012 x86_64 x86_64
:Alert Count                   2
:First Seen                    Fri 13 Apr 2012 04:36:58 PM EDT
:Last Seen                     Fri 13 Apr 2012 04:37:43 PM EDT
:Local ID                      123f4f29-f00f-4439-b739-608c44f05f21
:
:Raw Audit Messages
:type=AVC msg=audit(1334349463.354:965): avc:  denied  { append } for  pid=24722 comm="initdb" path="/var/lib/pgsql/initdb.log" dev="dm-2" ino=5123635 scontext=unconfined_u:system_r:postgresql_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
:
:
:type=SYSCALL msg=audit(1334349463.354:965): arch=x86_64 syscall=execve success=yes exit=0 a0=20f0290 a1=20e20a0 a2=20f1520 a3=20 items=0 ppid=24721 pid=24722 auid=1000 uid=26 gid=26 euid=26 suid=26 fsuid=26 egid=26 sgid=26 fsgid=26 tty=(none) ses=28 comm=initdb exe=/usr/bin/initdb subj=unconfined_u:system_r:postgresql_t:s0 key=(null)
:
:Hash: initdb,postgresql_t,var_lib_t,file,append
:
:audit2allowunable to open /sys/fs/selinux/policy:  Permission denied
:
:
:audit2allow -Runable to open /sys/fs/selinux/policy:  Permission denied
:
:
Comment 1 Luke Macken 2012-04-13 20:39:00 UTC 
type=AVC msg=audit(1334349463.375:966): avc:  denied  { getattr } for  pid=24722 comm="initdb" path="/var/lib/pgsql/initdb.log" dev="dm-2" ino=5123635 scontext=unconfined_u:system_r:postgresql_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
Comment 2 Daniel Walsh 2012-04-13 20:53:01 UTC 
Why isn't this file in /var/log/pgsql/
Comment 3 Tom Lane 2012-04-13 22:07:22 UTC 
We don't use /var/log/pgsql/, for anything.  This location of the initdb log file has been in use for a long time, why did it suddenly break?
Comment 4 Daniel Walsh 2012-04-20 14:07:15 UTC 
Here is the labeling we have had for postgress for a long time.  Did initdb.log used to be in the /var/lib/pgsql/logfile?  Should we label /var/lib/pgsql as postgresql_db_t?

/var/lib/postgres(ql)?(/.*)? 		gen_context(system_u:object_r:postgresql_db_t,s0)

/var/lib/pgsql/data(/.*)?		gen_context(system_u:object_r:postgresql_db_t,s0)
/var/lib/pgsql/logfile(/.*)?		gen_context(system_u:object_r:postgresql_log_t,s0)
/var/lib/pgsql/pgstartup\.log		gen_context(system_u:object_r:postgresql_log_t,s0)

/var/lib/sepgsql(/.*)?			gen_context(system_u:object_r:postgresql_db_t,s0)
/var/lib/sepgsql/pgstartup\.log	--	gen_context(system_u:object_r:postgresql_log_t,s0)

/var/log/postgres\.log.* 	--	gen_context(system_u:object_r:postgresql_log_t,s0)
/var/log/postgresql(/.*)?		gen_context(system_u:object_r:postgresql_log_t,s0)
/var/log/sepostgresql\.log.*	--	gen_context(system_u:object_r:postgresql_log_t,s0)

ifdef(`distro_redhat', `
/var/log/rhdb/rhdb(/.*)?		gen_context(system_u:object_r:postgresql_log_t,s0)
')

/var/run/postgresql(/.*)?		gen_context(system_u:object_r:postgresql_var_run_t,s0)
Comment 5 Daniel Walsh 2012-04-20 14:10:55 UTC 
Changed labeling in selinux-policy-3.10.0-117.fc17
Comment 6 Tom Lane 2012-04-20 14:55:47 UTC 
Hm, I wonder how this ever worked?  /var/lib/pgsql/ has been the place for a very long time; AFAIK the RPMs have been using that as the standard data directory location for ten years or so.  We have never used /var/lib/postgres or /var/lib/postgresql.  I don't believe we have ever put anything into /var/log/ at all.

I would suggest labeling /var/lib/pgsql/.*.log as well as /var/lib/pgsql/data/pg_log/.* as postgresql_log_t.

I have no objection to continuing to label the other directories as you have them, since it's possible people are relying on those for custom setups.  But it might be a good idea to add comments about which ones are standard and which not.
Comment 7 Fedora Admin XMLRPC Client 2013-05-09 14:06:44 UTC 
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 8 Fedora Admin XMLRPC Client 2013-05-16 09:59:07 UTC 
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 9 Pavel Raiskup 2013-06-04 11:35:15 UTC 
Following hunk in policy-rawhide-base.patch fixes the issue.  No need to keep
this open then, I guess.

@@ -28,9 +28,9 @@ ifdef(`distro_redhat', `
 #
 /var/lib/postgres(ql)?(/.*)?           gen_context(system_u:object_r:postgresql_db_t,s0)
 
-/var/lib/pgsql/data(/.*)?              gen_context(system_u:object_r:postgresql_db_t,s0)
+/var/lib/pgsql(/.*)?                   gen_context(system_u:object_r:postgresql_db_t,s0)
 /var/lib/pgsql/logfile(/.*)?           gen_context(system_u:object_r:postgresql_log_t,s0)
-/var/lib/pgsql/pgstartup\.log          gen_context(system_u:object_r:postgresql_log_t,s0)
+/var/lib/pgsql/.*\.log                 gen_context(system_u:object_r:postgresql_log_t,s0)
 
 /var/lib/sepgsql(/.*)?                 gen_context(system_u:object_r:postgresql_db_t,s0)
 /var/lib/sepgsql/pgstartup\.log        --      gen_context(system_u:object_r:postgresql_log_t,s0)