This service will be undergoing maintenance at 00:00 UTC, 2017-10-23 It is expected to last about 30 minutes
Bug 976923 - SELinux is preventing /usr/bin/postgres from read, write access on the file /tmp/ffiv8kkIb (deleted).
SELinux is preventing /usr/bin/postgres from read, write access on the file /...
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
18
x86_64 Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Miroslav Grepl
Fedora Extras Quality Assurance
abrt_hash:d212f26afdde1992a8b4b19a9c6...
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2013-06-21 18:06 EDT by Brian J. Murrell
Modified: 2013-06-24 06:22 EDT (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-06-24 06:22:53 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Brian J. Murrell 2013-06-21 18:06:17 EDT
Description of problem:
SELinux is preventing /usr/bin/postgres from read, write access on the file /tmp/ffiv8kkIb (deleted).

*****  Plugin file (35.2 confidence) suggests  *******************************

If you think this is caused by a badly mislabeled machine.
Then you need to fully relabel.
Do
touch /.autorelabel; reboot

*****  Plugin file (35.2 confidence) suggests  *******************************

If you think this is caused by a badly mislabeled machine.
Then you need to fully relabel.
Do
touch /.autorelabel; reboot

*****  Plugin leaks (26.5 confidence) suggests  ******************************

If you want to ignore postgres trying to read write access the ffiv8kkIb (deleted) file, because you believe it should not need this access.
Then you should report this as a bug.  
You can generate a local policy module to dontaudit this access.
Do
# grep /usr/bin/postgres /var/log/audit/audit.log | audit2allow -D -M mypol
# semodule -i mypol.pp

*****  Plugin catchall (4.84 confidence) suggests  ***************************

If you believe that postgres should be allowed read write access on the ffiv8kkIb (deleted) file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep postmaster /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:system_r:postgresql_t:s0
Target Context                unconfined_u:object_r:file_t:s0
Target Objects                /tmp/ffiv8kkIb (deleted) [ file ]
Source                        postmaster
Source Path                   /usr/bin/postgres
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.11.1-82.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.8.1-201.fc18.x86_64 #1 SMP Thu
                              Feb 28 19:23:08 UTC 2013 x86_64 x86_64
Alert Count                   4
First Seen                    2013-03-07 22:08:37 EST
Last Seen                     2013-03-08 07:04:54 EST
Local ID                      6bf2aab6-2e45-4c77-882d-266e4809ca51

Raw Audit Messages
type=AVC msg=audit(1362744294.180:2621): avc:  denied  { read write } for  pid=3423 comm="initdb" path=2F746D702F66666976386B6B4962202864656C6574656429 dev="dm-6" ino=2634 scontext=unconfined_u:system_r:postgresql_t:s0 tcontext=unconfined_u:object_r:file_t:s0 tclass=file


type=SYSCALL msg=audit(1362744294.180:2621): arch=x86_64 syscall=execve success=yes exit=0 a0=1521ea0 a1=151e4b0 a2=152ccb0 a3=7fff0bae05a0 items=0 ppid=3422 pid=3423 auid=1001 uid=26 gid=26 euid=26 suid=26 fsuid=26 egid=26 sgid=26 fsgid=26 ses=12 tty=(none) comm=initdb exe=/usr/bin/initdb subj=unconfined_u:system_r:postgresql_t:s0 key=(null)

Hash: postmaster,postgresql_t,file_t,file,read,write

audit2allow

#============= postgresql_t ==============
allow postgresql_t file_t:file { read write };

audit2allow -R
require {
	type postgresql_t;
}

#============= postgresql_t ==============
files_rw_inherited_isid_type_files(postgresql_t)


Additional info:
reporter:       libreport-2.1.4
hashmarkername: setroubleshoot
kernel:         3.9.2-200.fc18.x86_64
type:           libreport
Comment 1 Daniel Walsh 2013-06-22 06:32:08 EDT
Did postgresql work fine?  This is a leaked file descriptor to a file without  a label.  Did you add a new disk to the system with out SELinux labels on it?
Comment 2 Brian J. Murrell 2013-06-22 10:02:07 EDT
TBH, I don't even use postgresql on this machine any more.  I could/should just remove it.  So that said, it's completely dormant and yet this issue came up.  And no, no new disks have been added to this machine.

Seems very much like a bug that there would be an SELinux violation on a dormant piece of software.
Comment 3 Daniel Walsh 2013-06-23 06:42:00 EDT
Ok probably an update to the package which caused initdb to run, but I have no idea why file_t would exist on your machine.
Comment 4 Miroslav Grepl 2013-06-24 06:22:53 EDT
Please reopen the bug it this happens again. Thank you.

Note You need to log in before you can comment on or make changes to this bug.