# TREE rawhide-20050314
# ARCH i386
# RPMS
postgresql-8.0.1-5
libselinux-1.22-1
selinux-policy-targeted-1.23.1-1
selinux-policy-targeted-sources-1.23.1-1

# getenforce
Enforcing

# /etc/init.d/postgresql start
Starting postgresql service: [FAILED]

[ /var/log/audit.log ]
type=KERNEL msg=audit(1110817035.033:12086017): item=1 inode=4812237 dev=00:00
type=KERNEL msg=audit(1110817035.033:12086017): item=0 name=/bin/hostname inode=2324302 dev=00:00
type=KERNEL msg=audit(1110817035.033:12086017): syscall=11 exit=0 a0=9b5b728 a1=9b5c268 a2=9b5c938 a3=0 items=2 pid=5507 loginuid=-1 uid=26 gid=26 euid=26 suid=26 fsuid=26 egid=26 sgid=26 fsgid=26
type=KERNEL msg=audit(1110817035.033:12086017): avc: denied { append } for pid=5507 exe=/bin/hostname path=/var/lib/pgsql/pgstartup.log dev=hda5 ino=2553466 scontext=root:system_r:hostname_t tcontext=system_u:object_r:postgresql_log_t tclass=file
type=KERNEL msg=audit(1110817035.085:12086834): item=1 inode=4812237 dev=00:00
type=KERNEL msg=audit(1110817035.085:12086834): item=0 name=/sbin/consoletype inode=4157480 dev=00:00
type=KERNEL msg=audit(1110817035.085:12086834): syscall=11 exit=0 a0=9b63ad0 a1=9b63b30 a2=9b5e248 a3=0 items=2 pid=5518 loginuid=-1 uid=26 gid=26 euid=26 suid=26 fsuid=26 egid=26 sgid=26 fsgid=26
type=KERNEL msg=audit(1110817035.085:12086834): avc: denied { append } for pid=5518 exe=/sbin/consoletype path=/var/lib/pgsql/pgstartup.log dev=hda5 ino=2553466 scontext=root:system_r:consoletype_t tcontext=system_u:object_r:postgresql_log_t tclass=file
type=KERNEL msg=audit(1110817035.164:12087507): item=1 inode=4812237 dev=00:00
type=KERNEL msg=audit(1110817035.164:12087507): item=0 name=/bin/hostname inode=2324302 dev=00:00
type=KERNEL msg=audit(1110817035.164:12087507): syscall=11 exit=0 a0=9b5ae40 a1=9b5bc98 a2=9b5e248 a3=0 items=2 pid=5526 loginuid=-1 uid=26 gid=26 euid=26 suid=26 fsuid=26 egid=26 sgid=26 fsgid=26
type=KERNEL msg=audit(1110817035.164:12087507): avc: denied { append } for pid=5526 exe=/bin/hostname path=/var/lib/pgsql/pgstartup.log dev=hda5 ino=2553466 scontext=root:system_r:hostname_t tcontext=system_u:object_r:postgresql_log_t tclass=file
type=KERNEL msg=audit(1110817035.216:12088427): item=1 inode=4812237 dev=00:00
type=KERNEL msg=audit(1110817035.216:12088427): item=0 name=/sbin/consoletype inode=4157480 dev=00:00
type=KERNEL msg=audit(1110817035.216:12088427): syscall=11 exit=0 a0=9b65970 a1=9b659e0 a2=9b5d888 a3=0 items=2 pid=5537 loginuid=-1 uid=26 gid=26 euid=26 suid=26 fsuid=26 egid=26 sgid=26 fsgid=26
type=KERNEL msg=audit(1110817035.216:12088427): avc: denied { append } for pid=5537 exe=/sbin/consoletype path=/var/lib/pgsql/pgstartup.log dev=hda5 ino=2553466 scontext=root:system_r:consoletype_t tcontext=system_u:object_r:postgresql_log_t tclass=file

<ctrl>-d
allow consoletype_t postgresql_log_t:file append;
allow hostname_t postgresql_log_t:file append;

Being able to append logfiles seems fairly innocuous, so I then added the 2 above rules to /etc/selinux/targeted/src/policy/domains/jlaska.te

$ cd /etc/selinux/targeted/src/policy
$ make
$ make reload

# /etc/init.d/postgresql start
Starting postgresql service: [ OK ]
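
The mapping from the AVC denials above to the two allow rules, as an added example that is not part of the original report and not the policy tooling's own code. The names parse_avc and rules_from_log are hypothetical; the sample lines are copied from the audit.log excerpt in the report. Each rule is returned with the executables that triggered it, so a reviewer can see which programs a rule would cover before loading it.

```python
import re
from collections import defaultdict

# Constructed sample: one syscall line and three AVC lines taken from the report's audit.log excerpt.
SAMPLE = """\
type=KERNEL msg=audit(1110817035.033:12086017): syscall=11 exit=0 a0=9b5b728 a1=9b5c268 a2=9b5c938 a3=0 items=2 pid=5507 loginuid=-1 uid=26 gid=26 euid=26 suid=26 fsuid=26 egid=26 sgid=26 fsgid=26
type=KERNEL msg=audit(1110817035.033:12086017): avc: denied { append } for pid=5507 exe=/bin/hostname path=/var/lib/pgsql/pgstartup.log dev=hda5 ino=2553466 scontext=root:system_r:hostname_t tcontext=system_u:object_r:postgresql_log_t tclass=file
type=KERNEL msg=audit(1110817035.085:12086834): avc: denied { append } for pid=5518 exe=/sbin/consoletype path=/var/lib/pgsql/pgstartup.log dev=hda5 ino=2553466 scontext=root:system_r:consoletype_t tcontext=system_u:object_r:postgresql_log_t tclass=file
type=KERNEL msg=audit(1110817035.164:12087507): avc: denied { append } for pid=5526 exe=/bin/hostname path=/var/lib/pgsql/pgstartup.log dev=hda5 ino=2553466 scontext=root:system_r:hostname_t tcontext=system_u:object_r:postgresql_log_t tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)")
KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_avc(line):
    """Return ((source_type, target_type, class), [perms], exe), or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group(2)))
    try:
        # A context is user:role:type[:level]; the type is always the third field.
        src = fields["scontext"].split(":")[2]
        tgt = fields["tcontext"].split(":")[2]
        return (src, tgt, fields["tclass"]), m.group(1).split(), fields.get("exe", "?")
    except (KeyError, IndexError):
        return None  # truncated or malformed record

def rules_from_log(text):
    """Merge repeated denials into one allow rule per (source, target, class)."""
    perms, exes = defaultdict(set), defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key, denied, exe = rec
        perms[key].update(denied)
        exes[key].add(exe)
    rules = {}
    for (src, tgt, cls), p in sorted(perms.items()):
        p = sorted(p)
        perm_s = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules[f"allow {src} {tgt}:{cls} {perm_s};"] = sorted(exes[(src, tgt, cls)])
    return rules

if __name__ == "__main__":
    for rule, programs in rules_from_log(SAMPLE).items():
        print(rule, "# triggered by", ", ".join(programs))
```
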
Latest policy no longer has hostname or consoletype. selinux-policy-targeted-1.23.4-4 should fix this.
Appears to be resolved ... tested against selinux-policy-targeted-1.23.5-1. Still observing random false FAILED message when starting postgres but there are no auditlog messages and it appears to happen in enforcing and Permissive modes. Closing this defect as the reported problem no longer occurs.