Bug 151073 - postgresql fails to start in rawhide with SELinux Enforcing
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: rawhide
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Daniel Walsh
Reported: 2005-03-14 11:25 EST by James Laska
Modified: 2013-09-02 02:05 EDT
Fixed In Version: 1.23.4-4
Doc Type: Bug Fix
Last Closed: 2005-03-28 08:29:32 EST
Description James Laska 2005-03-14 11:25:43 EST
# TREE rawhide-20050314
# ARCH i386
# RPMS postgresql-8.0.1-5
libselinux-1.22-1
selinux-policy-targeted-1.23.1-1
selinux-policy-targeted-sources-1.23.1-1

# getenforce
Enforcing

# /etc/init.d/postgresql start
Starting postgresql service:                               [FAILED]

[ /var/log/audit.log ]
type=KERNEL msg=audit(1110817035.033:12086017): item=1 inode=4812237 dev=00:00
type=KERNEL msg=audit(1110817035.033:12086017): item=0 name=/bin/hostname
inode=2324302 dev=00:00
type=KERNEL msg=audit(1110817035.033:12086017): syscall=11 exit=0 a0=9b5b728
a1=9b5c268 a2=9b5c938 a3=0 items=2 pid=5507 loginuid=-1 uid=26 gid=26 euid=26
suid=26 fsuid=26 egid=26 sgid=26 fsgid=26
type=KERNEL msg=audit(1110817035.033:12086017): avc:  denied  { append } for 
pid=5507 exe=/bin/hostname path=/var/lib/pgsql/pgstartup.log dev=hda5
ino=2553466 scontext=root:system_r:hostname_t
tcontext=system_u:object_r:postgresql_log_t tclass=file
type=KERNEL msg=audit(1110817035.085:12086834): item=1 inode=4812237 dev=00:00
type=KERNEL msg=audit(1110817035.085:12086834): item=0 name=/sbin/consoletype
inode=4157480 dev=00:00
type=KERNEL msg=audit(1110817035.085:12086834): syscall=11 exit=0 a0=9b63ad0
a1=9b63b30 a2=9b5e248 a3=0 items=2 pid=5518 loginuid=-1 uid=26 gid=26 euid=26
suid=26 fsuid=26 egid=26 sgid=26 fsgid=26
type=KERNEL msg=audit(1110817035.085:12086834): avc:  denied  { append } for 
pid=5518 exe=/sbin/consoletype path=/var/lib/pgsql/pgstartup.log dev=hda5
ino=2553466 scontext=root:system_r:consoletype_t
tcontext=system_u:object_r:postgresql_log_t tclass=file
type=KERNEL msg=audit(1110817035.164:12087507): item=1 inode=4812237 dev=00:00
type=KERNEL msg=audit(1110817035.164:12087507): item=0 name=/bin/hostname
inode=2324302 dev=00:00
type=KERNEL msg=audit(1110817035.164:12087507): syscall=11 exit=0 a0=9b5ae40
a1=9b5bc98 a2=9b5e248 a3=0 items=2 pid=5526 loginuid=-1 uid=26 gid=26 euid=26
suid=26 fsuid=26 egid=26 sgid=26 fsgid=26
type=KERNEL msg=audit(1110817035.164:12087507): avc:  denied  { append } for 
pid=5526 exe=/bin/hostname path=/var/lib/pgsql/pgstartup.log dev=hda5
ino=2553466 scontext=root:system_r:hostname_t
tcontext=system_u:object_r:postgresql_log_t tclass=file
type=KERNEL msg=audit(1110817035.216:12088427): item=1 inode=4812237 dev=00:00
type=KERNEL msg=audit(1110817035.216:12088427): item=0 name=/sbin/consoletype
inode=4157480 dev=00:00
type=KERNEL msg=audit(1110817035.216:12088427): syscall=11 exit=0 a0=9b65970
a1=9b659e0 a2=9b5d888 a3=0 items=2 pid=5537 loginuid=-1 uid=26 gid=26 euid=26
suid=26 fsuid=26 egid=26 sgid=26 fsgid=26
type=KERNEL msg=audit(1110817035.216:12088427): avc:  denied  { append } for 
pid=5537 exe=/sbin/consoletype path=/var/lib/pgsql/pgstartup.log dev=hda5
ino=2553466 scontext=root:system_r:consoletype_t
tcontext=system_u:object_r:postgresql_log_t tclass=file

<ctrl>-d

allow consoletype_t postgresql_log_t:file append;
allow hostname_t postgresql_log_t:file append;

Being able to append logfiles seems fairly innocuous, so I then added the 2
above rules to /etc/selinux/targeted/src/policy/domains/jlaska.te
$ cd /etc/selinux/targeted/src/policy
$ make
$ make reload

# /etc/init.d/postgresql start
Starting postgresql service:                               [  OK  ]
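
Added example, not part of the original report: a Python sketch of how the wrapped AVC denials quoted above reduce to the two allow rules, by rejoining wrapped records, skipping non-AVC records and merging duplicates. The function names are made up for this example, and it is not the code of any SELinux tool.

```python
import re
from collections import defaultdict
# Excerpt of the hard-wrapped audit log quoted in the report above.
SAMPLE_LOG = """\
type=KERNEL msg=audit(1110817035.033:12086017): item=0 name=/bin/hostname
inode=2324302 dev=00:00
type=KERNEL msg=audit(1110817035.033:12086017): avc:  denied  { append } for
pid=5507 exe=/bin/hostname path=/var/lib/pgsql/pgstartup.log dev=hda5
ino=2553466 scontext=root:system_r:hostname_t
tcontext=system_u:object_r:postgresql_log_t tclass=file
type=KERNEL msg=audit(1110817035.085:12086834): avc:  denied  { append } for
pid=5518 exe=/sbin/consoletype path=/var/lib/pgsql/pgstartup.log dev=hda5
ino=2553466 scontext=root:system_r:consoletype_t
tcontext=system_u:object_r:postgresql_log_t tclass=file
type=KERNEL msg=audit(1110817035.164:12087507): avc:  denied  { append } for
pid=5526 exe=/bin/hostname path=/var/lib/pgsql/pgstartup.log dev=hda5
ino=2553466 scontext=root:system_r:hostname_t
tcontext=system_u:object_r:postgresql_log_t tclass=file
"""

RECORD_START = re.compile(r"^type=\S+ msg=audit\(")
AVC = re.compile(r"avc:\s+denied\s+\{([^}]*)\}.*?scontext=(\S+).*?"
                 r"tcontext=(\S+).*?tclass=(\S+)")

def unwrap(text):
    """Rejoin records that were wrapped across several lines."""
    records = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def denials_to_rules(text):
    """Merge duplicate AVC denials into one allow rule per (source, target, class)."""
    perms = defaultdict(set)
    for record in unwrap(text):
        m = AVC.search(record)
        if m:  # non-AVC records (syscall, path items) are skipped
            src, tgt = (ctx.split(":")[2] for ctx in m.group(2, 3))
            perms[(src, tgt, m.group(4))].update(m.group(1).split())
    rules = []
    for (src, tgt, cls), p in sorted(perms.items()):
        body = " ".join(sorted(p))
        if len(p) > 1:
            body = "{ " + body + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules
```

Rules derived this way only mirror what was denied, so each one needs review before it is loaded into policy.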
Comment 1 Daniel Walsh 2005-03-24 16:51:46 EST
Latest policy no longer has hostname or consoletype.

selinux-policy-targeted-1.23.4-4 should fix this.
Comment 2 James Laska 2005-03-28 08:29:32 EST
Appears to be resolved ... tested against selinux-policy-targeted-1.23.5-1.
Still observing random false FAILED message when starting postgres but there are
no audit log messages and it appears to happen in Enforcing and Permissive modes.
Closing this defect as the reported problem no longer occurs.
