Bug 1889640 - SELinux is preventing postmaster from 'remove_name' accesses on the directory db_0.tmp. [NEEDINFO]
Summary: SELinux is preventing postmaster from 'remove_name' accesses on the directory...
Keywords:
Status: NEW
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: x86_64
OS: Unspecified
low
low
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:1b17150b48b368bcc93d219b732...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2020-10-20 09:19 UTC by Mikhail
Modified: 2020-10-20 10:06 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Type: ---
zpytela: needinfo? (mikhail.v.gavrilov)


Attachments (Terms of Use)

Description Mikhail 2020-10-20 09:19:09 UTC
Description of problem:
SELinux is preventing postmaster from 'remove_name' accesses on the directory db_0.tmp.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that postmaster should be allowed remove_name access on the db_0.tmp directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'postmaster' --raw | audit2allow -M my-postmaster
# semodule -X 300 -i my-postmaster.pp

Additional Information:
Source Context                system_u:system_r:postgresql_t:s0
Target Context                unconfined_u:object_r:user_home_t:s0
Target Objects                db_0.tmp [ dir ]
Source                        postmaster
Source Path                   postmaster
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-3.14.7-5.fc34.noarch
Local Policy RPM              selinux-policy-targeted-3.14.7-5.fc34.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 5.10.0-0.rc0.20201014gitb5fc7a89e5
                              8b.42.fc34.x86_64 #1 SMP Fri Oct 16 18:24:40 +05
                              2020 x86_64 x86_64
Alert Count                   12
First Seen                    2020-10-20 14:11:29 +05
Last Seen                     2020-10-20 14:17:27 +05
Local ID                      d666c7c1-4a19-4a12-9be7-c60f6e9c462a

Raw Audit Messages
type=AVC msg=audit(1603185447.806:1801): avc:  denied  { remove_name } for  pid=112490 comm="postmaster" name="db_0.tmp" dev="sda" ino=143139694 scontext=system_u:system_r:postgresql_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=1


Hash: postmaster,postgresql_t,user_home_t,dir,remove_name

Version-Release number of selected component:
selinux-policy-targeted-3.14.7-5.fc34.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.14.0
hashmarkername: setroubleshoot
kernel:         5.10.0-0.rc0.20201014gitb5fc7a89e58b.42.fc34.x86_64
type:           libreport

Comment 1 Zdenek Pytela 2020-10-20 10:06:36 UTC
Mikhail,

Can you locate the file path? What exactly were the steps triggering this AVC denial?


Note You need to log in before you can comment on or make changes to this bug.