From: Jeff
To: Tom Lane
Cc: pgsql-docs@postgresql.org
Subject: Re: SELinux & Redhat
Date: Fri, 6 May 2005 11:46:26 -0400

On May 6, 2005, at 11:23 AM, Tom Lane wrote:

> Jeff writes:
>
>> Eventually we found it was SELinux was preventing pg_dump from
>> producing output.
>>
>
> That's a new one on me. Why was it doing that --- mislabeling on
> the pg_dump executable, or what?
>

We've got a stock CentOS 4 install

I nabbed the rpms I mentioned (8.0.2)
(-rw-r--r-- 1 root root 2955126 May 4 11:51 postgresql-8.0.2-1PGDG.i686.rpm & company)

from /etc/selinux/targeted/contexts/files/file_contexts I see

file_contexts:/usr/bin/pg_dump -- system_u:object_r:postgresql_exec_t
file_contexts:/usr/bin/pg_dumpall -- system_u:object_r:postgresql_exec_t

Syslog logs:

May 6 09:01:25 starslice kernel: audit(1115384485.559:0): avc: denied { execute_no_trans } for pid=4485 exe=/bin/bash path=/usr/bin/pg_dump dev=sda3 ino=5272966 scontext=user_u:system_r:postgresql_t tcontext=system_u:object_r:postgresql_exec_t tclass=file

SELinux is on and under system-config-securitylevel's selinux tab,
"SELinux Protection services" disable postgresql is not clicked.

When I run pg_dump w/these settings the following happens

running pg_dump (.broken is the original file from the rpm)

bash-3.00$ /usr/bin/pg_dump.broken planet
bash-3.00$

Stracing it I get

....
write(1, "file_pkey; Type: CONSTRAINT; Sch"..., 4096) = 4096
write(1, "\n-- Name: userprofile_pkey; Type"..., 4096) = 4096
write(1, "_idx_1 OWNER TO planet;\n\n--\n-- N"..., 4096) = 4096
rt_sigaction(SIGPIPE, {SIG_IGN}, {SIG_DFL}, 8) = 0
send(3, "X\0\0\0\4", 5, 0) = 5
rt_sigaction(SIGPIPE, {SIG_DFL}, {SIG_IGN}, 8) = 0
close(3) = 0
write(1, "me: top3_cmtcount_idx; Type: IND"..., 3992) = 3992
munmap(0xb7df0000, 4096) = 0
exit_group(0) = ?

and what is interesting is it seems only sometimes things get logged
to syslog about the failure.

If I copy the file (not mv) it will work (possibly due to xattrs being
set?) and if I disable pg checking, (or selinux altogether) it works.

COOL, HUH?

--
Jeff Trout
http://www.jefftrout.com/
http://www.stuarthamm.net/
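
The AVC record quoted in the message above, parsed field by field. This is an added example, not part of the original message; the function names are assumptions, and the sample line is the one from the message with the mail client's wrap inside the path removed.

```python
import re

# AVC line from the message above (wrap inside path= removed).
SAMPLE = ('May 6 09:01:25 starslice kernel: audit(1115384485.559:0): avc: denied '
          '{ execute_no_trans } for pid=4485 exe=/bin/bash path=/usr/bin/pg_dump '
          'dev=sda3 ino=5272966 scontext=user_u:system_r:postgresql_t '
          'tcontext=system_u:object_r:postgresql_exec_t tclass=file')

AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # values may be quoted or bare


def parse_context(ctx):
    """Split user:role:type[:level]; return None if the context is malformed."""
    parts = (ctx or '').split(':', 3)  # an MLS level may itself contain colons
    if len(parts) < 3:
        return None
    return {'user': parts[0], 'role': parts[1], 'type': parts[2],
            'level': parts[3] if len(parts) == 4 else None}


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(3))}
    source = parse_context(fields.get('scontext'))
    target = parse_context(fields.get('tcontext'))
    if source is None or target is None:
        return None
    return {'result': m.group(1), 'perms': m.group(2).split(), 'fields': fields,
            'source': source, 'target': target, 'tclass': fields.get('tclass')}


def describe(rec):
    """One-line summary; spells out execute_no_trans, which is easy to misread."""
    src, tgt = rec['source']['type'], rec['target']['type']
    obj = rec['fields'].get('path') or rec['fields'].get('name', '?')
    msg = (f"{rec['result']}: {src} -> {tgt} ({rec['tclass']}) "
           f"{' '.join(rec['perms'])} on {obj}")
    if 'execute_no_trans' in rec['perms']:
        # execute_no_trans: run the file in the caller's own domain, no transition.
        msg += f"; a process in {src} tried to run this file without leaving its domain"
    return msg


if __name__ == '__main__':
    print(describe(parse_avc(SAMPLE)))
```
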