From: Jeff - <[email protected]>
To: Tom Lane <[email protected]>
Cc: [email protected]
Subject: Re: SELinux & Redhat
Date: Fri, 6 May 2005 11:46:26 -0400
Message-ID: <[email protected]> (raw)
In-Reply-To: <[email protected]>
References: <[email protected]>
<[email protected]>

On May 6, 2005, at 11:23 AM, Tom Lane wrote:
> Jeff - <[email protected]> writes:
>
>> Eventually we found it was SELinux was preventing pg_dump from
>> producing output.
>>
>
> That's a new one on me. Why was it doing that --- mislabeling on
> the pg_dump executable, or what?
>
We've got a stock CentOS 4 install.
I nabbed the rpms I mentioned (8.0.2) (-rw-r--r-- 1 root root 2955126 May 4 11:51 postgresql-8.0.2-1PGDG.i686.rpm & company)

From /etc/selinux/targeted/contexts/files/file_contexts I see

file_contexts:/usr/bin/pg_dump -- system_u:object_r:postgresql_exec_t
file_contexts:/usr/bin/pg_dumpall -- system_u:object_r:postgresql_exec_t

Syslog logs:

May 6 09:01:25 starslice kernel: audit(1115384485.559:0): avc: denied { execute_no_trans } for pid=4485 exe=/bin/bash path=/usr/bin/pg_dump dev=sda3 ino=5272966 scontext=user_u:system_r:postgresql_t tcontext=system_u:object_r:postgresql_exec_t tclass=file

SELinux is on and under system-config-securitylevel's selinux tab,
"SELinux Protection services" disable postgresql is not clicked.
When I run pg_dump w/these settings the following happens running
pg_dump (.broken is the original file from the rpm)
bash-3.00$ /usr/bin/pg_dump.broken planet
bash-3.00$
Stracing it I get
....
write(1, "file_pkey; Type: CONSTRAINT; Sch"..., 4096) = 4096
write(1, "\n-- Name: userprofile_pkey; Type"..., 4096) = 4096
write(1, "_idx_1 OWNER TO planet;\n\n--\n-- N"..., 4096) = 4096
rt_sigaction(SIGPIPE, {SIG_IGN}, {SIG_DFL}, 8) = 0
send(3, "X\0\0\0\4", 5, 0) = 5
rt_sigaction(SIGPIPE, {SIG_DFL}, {SIG_IGN}, 8) = 0
close(3) = 0
write(1, "me: top3_cmtcount_idx; Type: IND"..., 3992) = 3992
munmap(0xb7df0000, 4096) = 0
exit_group(0) = ?
and what is interesting is it seems only sometimes things get logged
to syslog about the failure.
If I copy the file (not mv) it will work (possibly due to xattrs
being set?)
and if I disable pg checking, (or selinux altogether) it works.
COOL, HUH?
--
Jeff Trout <[email protected]>
http://www.jefftrout.com/
http://www.stuarthamm.net/
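
An added example, not part of the original message: a small Python parser for the AVC record quoted in the syslog excerpt above, pulling out the source domain, target label, class and permission, and counting denials by that tuple. The function names, field names and the filler log line are this example's own.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# The AVC line from the message above, rejoined onto one line, followed by
# one constructed non-AVC syslog line to show that unrelated lines are skipped.
SAMPLE_LOG = [
    "May 6 09:01:25 starslice kernel: audit(1115384485.559:0): avc: denied "
    "{ execute_no_trans } for pid=4485 exe=/bin/bash path=/usr/bin/pg_dump "
    "dev=sda3 ino=5272966 scontext=user_u:system_r:postgresql_t "
    "tcontext=system_u:object_r:postgresql_exec_t tclass=file",
    "May 6 09:01:26 starslice crond[4490]: constructed filler line",
]
AVC_RE = re.compile(
    r"audit\((?P<sec>\d+)\.(?P<ms>\d+):(?P<serial>\d+)\):\s+avc:\s+"
    r"(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")

def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None

def parse_avc(line):
    """Parse one AVC record; return None for lines that are not AVC records."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    # key=value pairs; values containing spaces are not handled here.
    kv = dict(tok.split("=", 1) for tok in m["rest"].split() if "=" in tok)
    when = (datetime.fromtimestamp(int(m["sec"]), tz=timezone.utc)
            + timedelta(milliseconds=int(m["ms"])))
    return {
        "time_utc": when,
        "result": m["result"],
        "perms": m["perms"].split(),
        "source_type": selinux_type(kv.get("scontext", "")),  # domain of the caller
        "target_type": selinux_type(kv.get("tcontext", "")),  # label on the object
        "tclass": kv.get("tclass"),
        "path": kv.get("path"),
    }

def summarize(lines):
    """Count denials per (source type, target type, class, permission)."""
    recs = [r for r in map(parse_avc, lines) if r and r["result"] == "denied"]
    return Counter((r["source_type"], r["target_type"], r["tclass"], p)
                   for r in recs for p in r["perms"])

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

For the record above this reports one denial of execute_no_trans, with a process in the postgresql_t domain as the source and a file labelled postgresql_exec_t as the target.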