Bug 752285 - Cannot initialize postgresql when unconfined is removed
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.1
Hardware: All
OS: Linux
Target Milestone: rc
Assignee: Miroslav Grepl
QA Contact: BaseOS QE Security Team
Reported: 2011-11-09 03:16 UTC by Josh
Modified: 2011-12-09 09:59 UTC (History)
Doc Type: Bug Fix
Last Closed: 2011-12-09 09:59:37 UTC

Description Josh 2011-11-09 03:16:55 UTC
Description of problem:
postgresql server cannot be initialized when unconfined module is removed

Version-Release number of selected component (if applicable):
3.7.19-93.el6_1.7.noarch

How reproducible:
always

Steps to Reproduce:
1. semodule -d unconfined
2. run_init service postgresql initdb
3.
  
Actual results:
database partially initialized

Expected results:
databases fully initialized


Additional info:
----
time->Tue Nov  8 18:11:11 2011
type=PATH msg=audit(1320793871.557:29976): item=1 name="/var/lib/pgsql/data/pg_log" inode=3801731 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:postgresql_db_t:s0
type=PATH msg=audit(1320793871.557:29976): item=0 name="/var/lib/pgsql/data/" inode=3801142 dev=fd:00 mode=040700 ouid=26 ogid=26 rdev=00:00 obj=system_u:object_r:postgresql_db_t:s0
type=CWD msg=audit(1320793871.557:29976):  cwd="/"
type=SYSCALL msg=audit(1320793871.557:29976): arch=c000003e syscall=83 success=yes exit=0 a0=7fff8f12cf50 a1=1ff a2=7fff8f12cf50 a3=a items=2 ppid=3890 pid=3961 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=2 comm="mkdir" exe="/bin/mkdir" subj=system_u:system_r:initrc_t:s0 key=(null)
type=AVC msg=audit(1320793871.557:29976): avc:  denied  { create } for  pid=3961 comm="mkdir" name="pg_log" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:postgresql_db_t:s0 tclass=dir
----
time->Tue Nov  8 18:11:11 2011
type=PATH msg=audit(1320793871.559:29977): item=0 name="/var/lib/pgsql/data/pg_log" inode=3801731 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:postgresql_db_t:s0
type=CWD msg=audit(1320793871.559:29977):  cwd="/"
type=SYSCALL msg=audit(1320793871.559:29977): arch=c000003e syscall=260 success=yes exit=0 a0=ffffffffffffff9c a1=fc37e0 a2=1a a3=1a items=1 ppid=3890 pid=3962 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=2 comm="chown" exe="/bin/chown" subj=system_u:system_r:initrc_t:s0 key="perm_mod"
type=AVC msg=audit(1320793871.559:29977): avc:  denied  { setattr } for  pid=3962 comm="chown" name="pg_log" dev=dm-0 ino=3801731 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:postgresql_db_t:s0 tclass=dir
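
For triage, the denials above can be reduced to source type, target type, object class and permission, and paired with the SYSCALL record that shares the same audit event serial. The following is an added example, not part of the original report or of selinux-policy; it runs over a constructed sample shortened from the records above, and `summarize` and its output keys are illustrative names.

```python
import re
from collections import defaultdict

# Constructed sample: the SYSCALL and AVC records of the two events in this
# report, with the SYSCALL lines shortened to the fields used here.
SAMPLE = """\
type=SYSCALL msg=audit(1320793871.557:29976): arch=c000003e syscall=83 success=yes exit=0 pid=3961 comm="mkdir" exe="/bin/mkdir" subj=system_u:system_r:initrc_t:s0
type=AVC msg=audit(1320793871.557:29976): avc:  denied  { create } for  pid=3961 comm="mkdir" name="pg_log" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:postgresql_db_t:s0 tclass=dir
type=SYSCALL msg=audit(1320793871.559:29977): arch=c000003e syscall=260 success=yes exit=0 pid=3962 comm="chown" exe="/bin/chown" subj=system_u:system_r:initrc_t:s0
type=AVC msg=audit(1320793871.559:29977): avc:  denied  { setattr } for  pid=3962 comm="chown" name="pg_log" dev=dm-0 ino=3801731 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:postgresql_db_t:s0 tclass=dir
"""

HEADER = re.compile(r'^type=(\w+) msg=audit\([\d.]+:(\d+)\): (.*)$')
AVC = re.compile(r'avc:\s+denied\s+\{ ([^}]+) \} for\s+(.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def fields(text):
    return {k: v.strip('"') for k, v in FIELD.findall(text)}

def summarize(log):
    """Group records by audit event serial and describe each AVC denial."""
    events = defaultdict(lambda: defaultdict(list))
    for line in log.splitlines():
        m = HEADER.match(line.strip())
        if m:
            rtype, serial, body = m.groups()
            events[int(serial)][rtype].append(body)
    denials = []
    for serial in sorted(events):
        recs = events[serial]
        # The SYSCALL record of the same event says whether the call went through.
        syscall = fields(recs["SYSCALL"][0]) if recs["SYSCALL"] else {}
        for body in recs["AVC"]:
            m = AVC.search(body)
            if not m:
                continue
            f = fields(m.group(2))
            denials.append({
                "event": serial,
                "comm": f.get("comm"),
                "perms": m.group(1).split(),
                # An SELinux context is user:role:type:level; keep the type.
                "source": f["scontext"].split(":")[2],
                "target": f["tcontext"].split(":")[2],
                "tclass": f["tclass"],
                "syscall_success": syscall.get("success"),
            })
    return denials
```

For both events the result shows `initrc_t` as the source type, `postgresql_db_t` as the target type and `syscall_success` of `yes`, matching the SYSCALL records in the report.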

Comment 2 Miroslav Grepl 2011-11-09 09:05:19 UTC
You need to use the latest selinux-policy.

Comment 3 Daniel Walsh 2011-11-09 13:21:39 UTC
Fixed in selinux-policy-3.7.19-124.el6

Comment 4 Josh 2011-11-11 06:24:40 UTC
(In reply to comment #3)
> Fixed in selinux-policy-3.7.19-124.el6

confirmed

