Red Hat Satellite engineering is moving the tracking of its product development work on Satellite to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "Satellite project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs will be migrated starting at the end of May. If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "Satellite project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/SAT-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1920529 - postgresql starting in wrong domain initrc_t
Summary: postgresql starting in wrong domain initrc_t
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: SELinux
Version: 6.8.0
Hardware: x86_64
OS: Linux
medium
high
Target Milestone: Unspecified
Assignee: Lukas Zapletal
QA Contact: Satellite QE Team
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2021-01-26 13:44 UTC by Jan Jansky
Modified: 2024-10-01 17:23 UTC (History)
13 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-08-10 13:06:07 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 5737041 0 None None None 2021-01-26 15:42:28 UTC

Description Jan Jansky 2021-01-26 13:44:26 UTC 
Description of problem: After upgrade to Satellite 6.8 postgresql starting in wrong domain initrc_t, which ends in selinux denials as below.

type=AVC msg=audit(1611603322.116:2772): avc:  denied  { connectto } for  pid=4588 comm="sidekiq" path="/run/postgresql/.s.PGSQL.5432" scontext=system_u:system_r:foreman_rails_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket permissive=0


How reproducible:
I was not able to reproduce, not sure what is causing wrong domain.

Actual results:

type=AVC msg=audit(1611603322.116:2772): avc:  denied  { connectto } for  pid=4588 comm="sidekiq" path="/run/postgresql/.s.PGSQL.5432" scontext=system_u:system_r:foreman_rails_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket permissive=0


Expected results:

Correct domain used (system_u:system_r:postgresql_t:s0)

No error or denial.


Additional info:

# hammer ping
500 Internal Server Error

Jan 01 00:00:00 hostname dynflow-sidekiq@worker-hosts-queue: could not connect to server: Permission denied
Jan 01 00:00:00 hostname dynflow-sidekiq@worker-hosts-queue: Is the server running locally and accepting
Jan 01 00:00:00 hostname dynflow-sidekiq@worker-hosts-queue: connections on Unix domain socket "/var/run/postgresql/.s.PGSQL.5432"?

# sesearch -s init_t --type -c process | grep postgres
   type_transition init_t postgresql_exec_t : process postgresql_t; 
   type_transition init_t postgresql_initrc_exec_t : process initrc_t;

# ls -alZ /usr/bin | grep postgres
-rwxr-xr-x. root root    system_u:object_r:postgresql_exec_t:s0 postgres
Comment 4 isinghal 2022-05-16 09:25:15 UTC 
Hello Team.
We seem to facing the same issue since last week while installing sat 6.11.0. We have tried the solution above but it does not sem to work for us. Could you please help out with what we are missing?
cc @jhutar
Comment 10 Lukas Zapletal 2022-06-09 11:30:55 UTC 
Good research, I saw this reported years ago and we could not figure it out. You are on the right track I think, the alias (mapping) is key here. This actually makes "restorecon" to set those contexts, that is the tool which is typically run in postinstall script for each package.

I do not remember what creates the alias tho, can you list RPM files containing "selinux" on both systems? I expect one named "postgresql-selinux". If not, it should be in the base policy.
Comment 11 Lukas Zapletal 2022-06-09 11:34:50 UTC 
This is where the policy lives (Rawhide, we do have CentOS 8 Stream branch somewhere):

https://github.com/fedora-selinux/selinux-policy/blob/rawhide/policy/modules/services/postgresql.te
https://github.com/fedora-selinux/selinux-policy/blob/rawhide/policy/modules/services/postgresql.if
https://github.com/fedora-selinux/selinux-policy/blob/rawhide/policy/modules/services/postgresql.fc

It must be defined somewhere in an "SCL" package (post scriplet?) I'd ask SELinux guys.
Comment 12 Adam Ruzicka 2022-06-09 11:51:22 UTC 
I think we have a winner here

# rpm -q --scripts rh-postgresql12-runtime-3.4-1.el7.x86_64
postinstall scriptlet (using /bin/sh):
# Simple copy of context from system root to SCL root.
# In case new version needs some additional rules or context definition,
# it needs to be solved in base system.
# semanage does not have -e option in RHEL-5, so we would
# have to have its own policy for collection.
semanage fcontext -a -e / /opt/rh/rh-postgresql12/root >/dev/null 2>&1 || :
semanage fcontext -a -e /etc /etc/opt/rh/rh-postgresql12 >/dev/null 2>&1 || :
semanage fcontext -a -e /var /var/opt/rh/rh-postgresql12 >/dev/null 2>&1 || :

selinuxenabled && load_policy || :
restorecon -R /opt/rh/rh-postgresql12/root >/dev/null 2>&1 || :
restorecon -R /etc/opt/rh/rh-postgresql12 >/dev/null 2>&1 || :
restorecon -R /var/opt/rh/rh-postgresql12 >/dev/null 2>&1 || :

On my machine, the system was fully up-to-date before installing Satellite, on the reproducer machine it was not. During the same yum transaction where rh-postgresql12-runtime was installed, there was also an update to selinux-policy and selinux-policy-targeted. Not saying this is the cause, but it might play some role in this as well as the postinstall which should set up the contexts apparently failed silently.

@Jan: Are you able to hit this reliably? If so, could you try fully upgrading the machine before installing satellite?
Comment 13 Lukas Zapletal 2022-06-10 05:22:37 UTC 
If this is the case, the solution for these bugs (postscriplet vs base policy order) can be typically solved by requiring specific selinux-policy version from our foreman-selinux package. We already have such a requirement in our package to workaround other bug so we just need to bump the version:

https://github.com/theforeman/foreman-packaging/blob/rpm/develop/packages/foreman/foreman-selinux/foreman-selinux.spec#L21

It looks like the current version of the SPEC actually requires the version it was installed in the buildroot which is perhaps a good default value but we need to bump this to the required version. Or simply make sure that such version is in the buildroot, this can be done by creating ticket for satellite release engineering.
Comment 14 isinghal 2022-06-11 15:48:50 UTC 
Yes, fully upgrading machine before installing satellite solves the issue. Thank you!
Comment 16 Jan Jansky 2022-06-13 07:26:49 UTC 
@Adam: as i wrote during case opening in January 2021 i was not able to reproduce, it was strictly issue on customer's side, so no i am not able to hit this reliability and no i cannot upgrade the machine before installing Satellite because i do not have reproducer, also cannot ask the customer as cases which hit this are closed for very long time now.
Comment 24 Brad Buckingham 2023-07-21 21:06:39 UTC 
Upon review of our valid but aging backlog the Satellite Team has concluded that this Bugzilla does not meet the criteria for a resolution in the near term, and are planning to close in a month. This message may be a repeat of a previous update and the bug is again being considered to be closed. If you have any concerns about this, please contact your Red Hat Account team.  Thank you.
Comment 25 Ewoud Kohl van Wijngaarden 2023-08-10 13:06:07 UTC 
Since this is all SCL related and that implies RHEL7, I'm going to close this as CURRENTRELEASE. It shouldn't affect RHEL8. Our docs also suggest to run yum/dnf update prior to installation which should also resolve the issue.
Note You need to log in before you can comment on or make changes to this bug.