Bug 151073 - postgresql fails to start in rawhide with SELinux Enforcing
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: rawhide
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
Reported: 2005-03-14 16:25 UTC by James Laska
Modified: 2013-09-02 06:05 UTC (History)

Fixed In Version: 1.23.4-4
Doc Type: Bug Fix
Last Closed: 2005-03-28 13:29:32 UTC
Type: ---

Description James Laska 2005-03-14 16:25:43 UTC
# TREE rawhide-20050314
# ARCH i386
# RPMS postgresql-8.0.1-5
libselinux-1.22-1
selinux-policy-targeted-1.23.1-1
selinux-policy-targeted-sources-1.23.1-1

# getenforce
Enforcing

# /etc/init.d/postgresql start
Starting postgresql service:                               [FAILED]

[ /var/log/audit.log ]
type=KERNEL msg=audit(1110817035.033:12086017): item=1 inode=4812237 dev=00:00
type=KERNEL msg=audit(1110817035.033:12086017): item=0 name=/bin/hostname
inode=2324302 dev=00:00
type=KERNEL msg=audit(1110817035.033:12086017): syscall=11 exit=0 a0=9b5b728
a1=9b5c268 a2=9b5c938 a3=0 items=2 pid=5507 loginuid=-1 uid=26 gid=26 euid=26
suid=26 fsuid=26 egid=26 sgid=26 fsgid=26
type=KERNEL msg=audit(1110817035.033:12086017): avc:  denied  { append } for 
pid=5507 exe=/bin/hostname path=/var/lib/pgsql/pgstartup.log dev=hda5
ino=2553466 scontext=root:system_r:hostname_t
tcontext=system_u:object_r:postgresql_log_t tclass=file
type=KERNEL msg=audit(1110817035.085:12086834): item=1 inode=4812237 dev=00:00
type=KERNEL msg=audit(1110817035.085:12086834): item=0 name=/sbin/consoletype
inode=4157480 dev=00:00
type=KERNEL msg=audit(1110817035.085:12086834): syscall=11 exit=0 a0=9b63ad0
a1=9b63b30 a2=9b5e248 a3=0 items=2 pid=5518 loginuid=-1 uid=26 gid=26 euid=26
suid=26 fsuid=26 egid=26 sgid=26 fsgid=26
type=KERNEL msg=audit(1110817035.085:12086834): avc:  denied  { append } for 
pid=5518 exe=/sbin/consoletype path=/var/lib/pgsql/pgstartup.log dev=hda5
ino=2553466 scontext=root:system_r:consoletype_t
tcontext=system_u:object_r:postgresql_log_t tclass=file
type=KERNEL msg=audit(1110817035.164:12087507): item=1 inode=4812237 dev=00:00
type=KERNEL msg=audit(1110817035.164:12087507): item=0 name=/bin/hostname
inode=2324302 dev=00:00
type=KERNEL msg=audit(1110817035.164:12087507): syscall=11 exit=0 a0=9b5ae40
a1=9b5bc98 a2=9b5e248 a3=0 items=2 pid=5526 loginuid=-1 uid=26 gid=26 euid=26
suid=26 fsuid=26 egid=26 sgid=26 fsgid=26
type=KERNEL msg=audit(1110817035.164:12087507): avc:  denied  { append } for 
pid=5526 exe=/bin/hostname path=/var/lib/pgsql/pgstartup.log dev=hda5
ino=2553466 scontext=root:system_r:hostname_t
tcontext=system_u:object_r:postgresql_log_t tclass=file
type=KERNEL msg=audit(1110817035.216:12088427): item=1 inode=4812237 dev=00:00
type=KERNEL msg=audit(1110817035.216:12088427): item=0 name=/sbin/consoletype
inode=4157480 dev=00:00
type=KERNEL msg=audit(1110817035.216:12088427): syscall=11 exit=0 a0=9b65970
a1=9b659e0 a2=9b5d888 a3=0 items=2 pid=5537 loginuid=-1 uid=26 gid=26 euid=26
suid=26 fsuid=26 egid=26 sgid=26 fsgid=26
type=KERNEL msg=audit(1110817035.216:12088427): avc:  denied  { append } for 
pid=5537 exe=/sbin/consoletype path=/var/lib/pgsql/pgstartup.log dev=hda5
ino=2553466 scontext=root:system_r:consoletype_t
tcontext=system_u:object_r:postgresql_log_t tclass=file

<ctrl>-d

allow consoletype_t postgresql_log_t:file append;
allow hostname_t postgresql_log_t:file append;

Being able to append logfiles seems fairly innocuous, so I then added the 2
above rules to /etc/selinux/targeted/src/policy/domains/jlaska.te
$ cd /etc/selinux/targeted/src/policy
$ make
$ make reload

# /etc/init.d/postgresql start
Starting postgresql service:                               [  OK  ]
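
The step the description performs, reducing the repeated AVC denials to the two allow rules, can be reproduced with a short parser. This is an added example, not code from the report or from any SELinux tool; the function names records and allow_rules are illustrative, and the sample input is copied from the log above with its line wrapping kept.

```python
import re
from collections import defaultdict

# Sample input: records copied from the report above, wrapped as they were pasted.
SAMPLE_LOG = """\
type=KERNEL msg=audit(1110817035.033:12086017): item=0 name=/bin/hostname
inode=2324302 dev=00:00
type=KERNEL msg=audit(1110817035.033:12086017): avc:  denied  { append } for
pid=5507 exe=/bin/hostname path=/var/lib/pgsql/pgstartup.log dev=hda5
ino=2553466 scontext=root:system_r:hostname_t
tcontext=system_u:object_r:postgresql_log_t tclass=file
type=KERNEL msg=audit(1110817035.085:12086834): avc:  denied  { append } for
pid=5518 exe=/sbin/consoletype path=/var/lib/pgsql/pgstartup.log dev=hda5
ino=2553466 scontext=root:system_r:consoletype_t
tcontext=system_u:object_r:postgresql_log_t tclass=file
type=KERNEL msg=audit(1110817035.164:12087507): avc:  denied  { append } for
pid=5526 exe=/bin/hostname path=/var/lib/pgsql/pgstartup.log dev=hda5
ino=2553466 scontext=root:system_r:hostname_t
tcontext=system_u:object_r:postgresql_log_t tclass=file
"""
AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
FIELD_RE = re.compile(r"(\w+)=(\S+)")

def records(text):
    """Rejoin wrapped lines; each record starts with 'type='."""
    buf = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.startswith("type=") and buf:
            yield " ".join(buf)
            buf = []
        buf.append(line)
    if buf:
        yield " ".join(buf)

def allow_rules(text):
    """Collapse AVC denials into one allow rule per (source, target, class)."""
    perms = defaultdict(set)
    for rec in records(text):
        m = AVC_RE.search(rec)
        f = dict(FIELD_RE.findall(rec))
        if not m or not {"scontext", "tcontext", "tclass"} <= f.keys():
            continue  # not a denial, or a truncated record
        # Contexts are user:role:type[:level]; the rule needs only the type.
        key = (f["scontext"].split(":")[2], f["tcontext"].split(":")[2], f["tclass"])
        perms[key].update(m.group(1).split())
    return [f"allow {s} {t}:{c} " + (p[0] if len(p) == 1 else "{ %s }" % " ".join(p)) + ";"
            for (s, t, c), p in sorted((k, sorted(v)) for k, v in perms.items())]

if __name__ == "__main__":
    print("\n".join(allow_rules(SAMPLE_LOG)))
```

Run on the sample, it returns the same two rules listed in the description, with the repeated hostname_t denial folded into one.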

Comment 1 Daniel Walsh 2005-03-24 21:51:46 UTC
Latest policy no longer has hostname or consoletype.

selinux-policy-targeted-1.23.4-4 should fix this.

Comment 2 James Laska 2005-03-28 13:29:32 UTC
Appears to be resolved ... tested against selinux-policy-targeted-1.23.5-1.
Still observing random false FAILED message when starting postgres but there are
no auditlog messages and it appears to happen in enforcing and Permissive modes.
Closing this defect as the reported problem no longer occurs.

