Description of problem:
The postgresql regression tests include some .so files that need to be dynamically loaded by the postgresql server. This worked last time I checked it in Fedora, but I find that selinux prevents it in RHEL5.5. I get

ERROR: could not load library "/usr/lib64/pgsql/test/regress/regress.so": /usr/lib64/pgsql/test/regress/regress.so: failed to map segment from shared object: Permission denied

although curiously there is nothing in /var/log/messages about it.

Version-Release number of selected component (if applicable):
selinux-policy-2.4.6-267.el5

How reproducible:
100%

Steps to Reproduce:
1. Install postgresql-test (and therefore also postgresql-server etc)
2. service postgresql start
3. su postgres
4. cd /usr/lib(64)/pgsql/test/regress
5. make check

Actual results:
Several tests fail; all of the errors trace to being unable to load several .so files that are installed in the regress directory.

Expected results:
Regression tests should all pass.

Additional info:
ls -Z shows the .so's are labeled postgresql_db_t, which is probably the wrong thing. On my F-11 box they show up as lib_t.
Miroslav, looks like we need

/var/lib(64)?/pgsql/.*\.so.* -- gen_context(system_u:object_r:lib_t,s0)
/var/lib(64)?/pgsql/test/regress/.*\.so.* -- gen_context(system_u:object_r:lib_t,s0)
/usr, please, not /var

Also, now that I'm looking at this, we should also allow loading libraries from

/usr/lib(64)?/pgsql/plugins/.*\.so.*

which is a subdirectory that's allowed in recent PG releases.
I guess I should not be doing this late night in a ski lodge. Sorry Tom.
Fixed in selinux-policy-2.4.6-268.el5
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2010-0182.html
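The file-context entries discussed in this thread can be checked offline against the failing path before a policy build. The following is an added example, not code from the bug report or from selinux-policy: the entry sets are constructed from the comments (the /usr form of the test/regress entry applies the requested correction), and `parse_fc` and `label_for` are hypothetical helper names.

```python
import re

# Entries in the policy-source form used in the comments above. PROPOSED has
# the /var prefix from the first suggestion; CORRECTED applies "/usr, not /var"
# and adds the plugins directory. Constructed for illustration, not copied
# from the shipped selinux-policy package.
PROPOSED = r"""
/var/lib(64)?/pgsql/.*\.so.*               --  gen_context(system_u:object_r:lib_t,s0)
/var/lib(64)?/pgsql/test/regress/.*\.so.*  --  gen_context(system_u:object_r:lib_t,s0)
"""
CORRECTED = r"""
/usr/lib(64)?/pgsql/test/regress/.*\.so.*  --  gen_context(system_u:object_r:lib_t,s0)
/usr/lib(64)?/pgsql/plugins/.*\.so.*       --  gen_context(system_u:object_r:lib_t,s0)
"""

# Fields: path regex, optional file type (-- is a regular file), gen_context(ctx,level)
ENTRY = re.compile(r"^(\S+)\s+(?:(-[-dbclsp])\s+)?gen_context\(([^,]+),\s*([^)]+)\)$")

def parse_fc(text):
    """Return [(compiled_regex, file_type, context)] for each entry line."""
    entries = []
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        m = ENTRY.match(line)
        if m is None:
            raise ValueError(f"unparsed entry: {line!r}")
        path_re, ftype, ctx, level = m.groups()
        entries.append((re.compile(path_re), ftype, f"{ctx}:{level}"))
    return entries

def label_for(path, entries, file_type="--"):
    """Context the entry set assigns to path, or None if no entry matches."""
    # File-context regexes are anchored at both ends, hence fullmatch.
    # Simplification (assumption): if several entries match, the last one wins.
    result = None
    for regex, ftype, context in entries:
        if ftype in (None, file_type) and regex.fullmatch(path):
            result = context
    return result

if __name__ == "__main__":
    so = "/usr/lib64/pgsql/test/regress/regress.so"
    print("proposed :", label_for(so, parse_fc(PROPOSED)))   # no match
    print("corrected:", label_for(so, parse_fc(CORRECTED)))  # lib_t
```

On a live system, `ls -Z` on the file shows the label actually applied, as in the original report.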