Bug 1484569 - 'map' denials prevent PostgreSQL starting
Summary: 'map' denials prevent PostgreSQL starting
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 27
Hardware: All
OS: Linux
unspecified
urgent
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks: F27BetaBlocker
 
Reported: 2017-08-23 21:32 UTC by Adam Williamson
Modified: 2017-09-20 15:27 UTC (History)

Fixed In Version: selinux-policy-3.13.1-276.fc27
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-09-19 13:49:28 UTC
Type: Bug
Embargoed:



Description Adam Williamson 2017-08-23 21:32:05 UTC
Another casualty of the new 'map' permission is PostgreSQL. The openQA test which tests deployment of the 'database server' role (which uses postgre) fails due to postgre failing to start up. Looking at the logs, this is clearly caused by a couple of 'map' denials:

Aug 22 14:07:20 db.domain.local audit[2144]: AVC avc:  denied  { map } for  pid=2144 comm="postgres" path=2F616E6F6E5F6875676570616765202864656C6574656429 dev="hugetlbfs" ino=27249 scontext=system_u:system_r:postgresql_t:s0 tcontext=system_u:object_r:hugetlbfs_t:s0 tclass=file permissive=0
Aug 22 14:07:20 db.domain.local audit[2144]: AVC avc:  denied  { map } for  pid=2144 comm="postgres" path="/dev/shm/PostgreSQL.621596145" dev="tmpfs" ino=27252 scontext=system_u:system_r:postgresql_t:s0 tcontext=system_u:object_r:postgresql_tmp_t:s0 tclass=file permissive=0
Aug 22 14:07:20 db.domain.local postgresql-ctl[2142]: FATAL:  could not map shared memory segment "/PostgreSQL.621596145": Permission denied
Aug 22 14:07:20 db.domain.local postgresql-ctl[2142]: LOG:  database system is shut down
Aug 22 14:07:21 db.domain.local postgresql-ctl[2142]: pg_ctl: could not start server
Aug 22 14:07:21 db.domain.local postgresql-ctl[2142]: Examine the log output.
Aug 22 14:07:21 db.domain.local systemd[1]: postgresql.service: Control process exited, code=exited status=1
Aug 22 14:07:21 db.domain.local systemd[1]: Failed to start PostgreSQL database server.
Aug 22 14:07:21 db.domain.local systemd[1]: postgresql.service: Unit entered failed state.

This is another clear Beta blocker, per Alpha criterion "Release-blocking roles and the supported role configuration interfaces must meet the core functional Role Definition Requirements to the extent that supported roles can be successfully deployed, started..." - 'database server' is a release-blocking role.
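
Added example, not part of the original report or of any Fedora tool: a small triage parser run over the two AVC records quoted in the description above. It groups denials by source type, target type and class, and decodes the hex-encoded `path=` of the first record (the audit subsystem logs such strings unquoted and in hex when they contain a space, quote or control byte). The function names and the `ENCODABLE` field set are assumptions made for this sketch.

```python
import re

# The two AVC records from the description above, copied verbatim.
SAMPLE = [
    'Aug 22 14:07:20 db.domain.local audit[2144]: AVC avc:  denied  { map } for  pid=2144 '
    'comm="postgres" path=2F616E6F6E5F6875676570616765202864656C6574656429 dev="hugetlbfs" '
    'ino=27249 scontext=system_u:system_r:postgresql_t:s0 '
    'tcontext=system_u:object_r:hugetlbfs_t:s0 tclass=file permissive=0',
    'Aug 22 14:07:20 db.domain.local audit[2144]: AVC avc:  denied  { map } for  pid=2144 '
    'comm="postgres" path="/dev/shm/PostgreSQL.621596145" dev="tmpfs" ino=27252 '
    'scontext=system_u:system_r:postgresql_t:s0 '
    'tcontext=system_u:object_r:postgresql_tmp_t:s0 tclass=file permissive=0',
]

AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
ENCODABLE = {'path', 'name', 'comm'}  # assumption: fields decoded in this sketch

def decode_field(key, raw):
    if raw.startswith('"'):
        return raw[1:-1]  # quoted value: literal string
    if key in ENCODABLE and re.fullmatch(r'(?:[0-9A-Fa-f]{2})+', raw):
        return bytes.fromhex(raw).decode('utf-8', 'replace')  # unquoted: hex-encoded
    return raw  # numeric fields such as pid= and ino= are left alone

def parse_avc(line):
    m = AVC_RE.search(line)
    if not m:
        return None  # not an AVC record (e.g. the postgresql-ctl lines)
    f = {k: decode_field(k, v) for k, v in KV_RE.findall(m.group(3))}
    return {'result': m.group(1), 'perms': m.group(2).split(),
            'source_type': f['scontext'].split(':')[2],
            'target_type': f['tcontext'].split(':')[2],
            'tclass': f['tclass'], 'comm': f.get('comm'), 'path': f.get('path'),
            'enforced': f.get('permissive') == '0'}

def summarize(lines):
    """Group denials as (source_type, target_type, tclass) -> permissions and paths."""
    out = {}
    for rec in filter(None, map(parse_avc, lines)):
        if rec['result'] != 'denied':
            continue
        key = (rec['source_type'], rec['target_type'], rec['tclass'])
        entry = out.setdefault(key, {'perms': set(), 'paths': set()})
        entry['perms'].update(rec['perms'])
        entry['paths'].add(rec['path'])
    return out

if __name__ == '__main__':
    for (src, tgt, cls), e in summarize(SAMPLE).items():
        print(f"{src} -> {tgt}:{cls} {sorted(e['perms'])} {sorted(e['paths'])}")
```

The decoded first path shows the denial concerns an anonymous huge-page mapping, not a file on disk, which the raw hex string hides.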

Comment 1 Adam Williamson 2017-09-04 17:03:52 UTC
openQA testing confirms this is fixed in recent composes with selinux-policy-3.13.1-278.fc27 .

Comment 2 Fedora Update System 2017-09-18 13:37:49 UTC
selinux-policy-3.13.1-283.3.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-a1b4dab97d

Comment 3 Fedora Update System 2017-09-18 22:23:45 UTC
selinux-policy-3.13.1-283.3.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-a1b4dab97d

Comment 4 František Zatloukal 2017-09-19 09:28:39 UTC
Closing again, bug is fixed in latest update.

Comment 5 Andre Robatino 2017-09-19 09:32:09 UTC
I believe it's SOP for blocker bugs to be left open until they actually get pushed stable, for tracking purposes. Adam could confirm that (or close it again if not).

Comment 6 Andre Robatino 2017-09-19 09:33:32 UTC
Never mind, I see it's not an accepted blocker. I'll close it again.

Comment 7 Andre Robatino 2017-09-19 09:46:35 UTC
To be safe I'm going to reopen this. The blocker bug tracker doesn't appear to show any closed bugs. If this bug is visible on the tracker, its status can be fixed if necessary. Sorry for the extra noise.

Comment 8 Kamil Páral 2017-09-19 13:49:28 UTC
Adam verified this is fixed with a build that's already stable, so there's no harm having it closed.

Comment 9 Fedora Update System 2017-09-20 15:27:12 UTC
selinux-policy-3.13.1-283.3.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.

