Bug 149967 - Postgresql cannot read hosts file, thus if using "virtual_host" in postgresql.conf PostGRES will not start
Postgresql cannot read hosts file, thus if using "virtual_host" in postgresql...
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
3
All Linux
medium Severity medium
: ---
: ---
Assigned To: Daniel Walsh
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2005-02-28 20:26 EST by Kurt Seifried
Modified: 2007-11-30 17:11 EST (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2005-03-10 00:10:16 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Kurt Seifried 2005-02-28 20:26:19 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.7.3)
Gecko/20041001 Firefox/0.10.1

Description of problem:
The following is from /etc/selinux/config
SELINUX=enforcing
SELINUXTYPE=targeted

From /var/lib/pgsql/data/postgresql.conf:

I made the following changes:

tcpip_socket = true
port = 5432
virtual_host = eth1

I then tried to start Postgresql:

# /etc/rc.d/init.d/postgresql start
Starting postgresql service:                               [FAILED]

And got the following errors in "/var/log/messages":

Feb 28 18:18:25 punky kernel: audit(1109639905.679:0): avc:  denied  {
read } for  pid=30525 exe=/usr/bin/postgres name=hosts dev=dm-0
ino=16334850 scontext=root:system_r:postgresql_t
tcontext=user_u:object_r:tmp_t tclass=file
Feb 28 18:18:25 punky kernel: audit(1109639905.680:0): avc:  denied  {
read } for  pid=30525 exe=/usr/bin/postgres name=hosts dev=dm-0
ino=16334850 scontext=root:system_r:postgresql_t
tcontext=user_u:object_r:tmp_t tclass=file
Feb 28 18:18:27 punky postgresql: Starting postgresql service:  failed

If I comment out the virtual_host in postgresql.conf the server starts
normally (i.e. it does not try to read the hosts file). 



Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.17.30-2.83

How reproducible:
Always

Steps to Reproduce:
1. On a system with SELinux enabled and in enforcing mode, and
SELINUXTYPE is either targeted or strict.
2. Enable the following in postgresql.conf:
tcpip_socket = true
port = 5432
virtual_host = eth1
3. try to start Postgresql

    

Actual Results:  it fails to start

Expected Results:  Postgresql starts 

Additional info:
Comment 1 Daniel Walsh 2005-03-01 08:58:44 EST
It is trying to read a hosts file in the /tmp directory?   Any idea
how did that file get created?
Comment 2 Colin Walters 2005-03-01 10:01:47 EST
My guess is what happened is you (or your editor) created the file in
/tmp, then did "mv /tmp/postgresql.conf /var/lib/pgsql/data".  

Try:

restorecon -v /var/lib/pgsql/data/postgresql.conf
Comment 3 Kurt Seifried 2005-03-01 17:19:54 EST
Huh, why are we talking about the editor? The problem is not the
editor. Editing the file works fine, I turned postgresql off, went to
the /var/lib/pgsql/data/ directory, edited the file, saved the
changes, and checked with less that the file had indeed been changed
appropriately. 

The problem is that when I start postgresql from
/etc/rc.d/init.d/postgresql it fails to start, with no error, and the
messages file about it having failed to read "hosts" (I assume it
means /etc/hosts but I'm not sure as the file location part of the
error is a bit terse). 
Comment 4 Daniel Walsh 2005-03-08 11:45:44 EST
Can you do an ls -lZ /etc/hosts.  Is it tmp_t?

If yes could you execute
restorecon -R -v /etc/hosts

Comment 5 Kurt Seifried 2005-03-08 16:29:10 EST
Here is the output of restorecon -R -v /etc/hosts:

# restorecon -R -v /etc/hosts
restorecon reset context
/etc/hosts:user_u:object_r:tmp_t->system_u:object_r:etc_t

Postgresql still doesn't work. 
Comment 6 Daniel Walsh 2005-03-08 17:03:18 EST
Are you getting other avc messages?

Dan
Comment 7 Kurt Seifried 2005-03-09 14:28:01 EST
I already posted the avc messages, see above in my original report,
anyways here is an avc entry from attempting to start it:

Mar  8 14:27:45 punky kernel: audit(1110317265.163:0): avc:  denied  {
read } for  pid=29041 exe=/usr/bin/postgres name=hosts dev=dm-0
ino=16334850 scontext=root:system_r:postgresql_t
tcontext=user_u:object_r:tmp_t tclass=file

Comment 8 Daniel Walsh 2005-03-09 15:03:19 EST
So your hosts file is back to tmp_t?

ls -lZ /etc/hosts

How do you setup your postgres database to use virtual hosts.

When I add
tcpip_socket = true
port = 5432
virtual_host = eth1

to 
/var/lib/pgsql/data/postgresql.conf

I get errors

FATAL:  unrecognized configuration parameter "tcpip_socket"


Comment 9 Kurt Seifried 2005-03-09 15:18:12 EST
Then you must have a bjorked install cause that's a standard parameter
that makes postgresql listen on a tcp-ip socket. This is a COMPLETELY
standard Fedora Core 3 install from CD, with all updates applied, this
works on systems without selinux, it errors out with selinux enabled. 
Comment 10 Daniel Walsh 2005-03-09 16:17:41 EST
Kurt any chance I could talk to you on chat?
#fedora-selinux on Freenode?

My machine is running postgresql-8.0.1-2

But I have a rhel machine running
7.4.6-1.RHEL4.2 that seems to work, except it does not like eth1.

Dan
Comment 11 Kurt Seifried 2005-03-09 19:15:59 EST
I finally worked up the guts to modify:

/etc/selinux/targeted/contexts/files/file_contexts.pre

and add the line:

/etc/hosts system_u:object_r:postgresql_etc_t

And voila avc no longer complains.  

Also the eth1 was incorrect, I took the "what interface to listen on;
defaults to any" literally and placed "eth1" in there, when in fact it
wants a hostname, hence the programs attempt to read /etc/hosts I'm
guessing. Anyways I have fixed it so if you could add that line to the
 file_contexts.pre that'll keep it working going forward. 
Comment 12 Daniel Walsh 2005-03-09 23:41:13 EST
That is wrong.  You do not want /etc/hosts to be postgresql_etc_t.

That will make that file unreadable by other domains.  /etc/hosts
should be etc_t.

Is postgres trying to write to /etc/hosts?

Dan
Comment 13 Kurt Seifried 2005-03-09 23:55:41 EST
postgresql just wants to read it, like I said on irc I haven't delved
into the guts of selinux policy file creation (normally it works and I
don't have to =). I just read the file and understand it a bit more
etc_t looks like the correct domain as you imply and added the line:

/etc/hosts                      system_u:object_r:etc_t

works. But I don't understand why the line that is already in there:
/etc(/.*)?                      system_u:object_r:etc_t
wouldn't have taken care of it. Anyways adding that line makes it work
so I'm happy.
Comment 14 Daniel Walsh 2005-03-10 00:10:16 EST
It does.  I am closing this bug for now.
Comment 15 Kurt Seifried 2005-03-10 00:18:01 EST
If it covers it why doesn't it work until I specifically add the line:

/etc/hosts                      system_u:object_r:etc_t

??
Comment 16 Daniel Walsh 2005-03-10 00:30:57 EST
What do you get if you don't add that line?

On my machine I get
restorecon -v /etc/hosts
ls -lZ /etc/hosts
-rw-r--r--  root     root     system_u:object_r:etc_t          /etc/hosts
Comment 17 Kurt Seifried 2005-03-10 01:10:03 EST
Ok it's working now, not sure what the heck changed, I did the
restorecon/ls -lZ thing back in comment #5 at which point things were
not working. 

On another fedora 3 server I installed postgresql (it's never had it
on this box). 

ls -laZ /etc/hosts
-rw-r--r--  root     root     user_u:object_r:etc_t   /etc/hosts

and it works, I don't know how the ****ing permissions on /etc/hosts
on the original box got mangled but apparently they did, my apologies
for this mess. :P

Comment 18 Daniel Walsh 2005-03-10 10:03:22 EST
I don't know either, but you can recreate the situation by creating a
hosts file in /tmp and moving it to /etc/.  

restorecon /etc/hosts 

Would then fix it's file context.


Note You need to log in before you can comment on or make changes to this bug.