BUG #18462: Wrong SELinux types of the binary files

From: PG Bug reporting form <noreply(at)postgresql(dot)org>
To: pgsql-bugs(at)lists(dot)postgresql(dot)org
Cc: frank(dot)buettner(at)mdc-berlin(dot)de
Subject: BUG #18462: Wrong SELinux types of the binary files
Date: 2024-05-14 05:19:19
Message-ID: 18462-2cb22ff14775b8f0@postgresql.org
Lists: pgsql-bugs

The following bug has been logged on the website:

Bug reference: 18462
Logged by: - -
Email address: frank(dot)buettner(at)mdc-berlin(dot)de
PostgreSQL version: 15.7
Operating system: Rocky 9
Description:

Some binary files have the wrong SELinux context. As a result, many
locally running processes cannot connect to the database via the socket.
If you install it from the RPM of PostgreSQL:
ps auxZ | grep postg
system_u:system_r:unconfined_service_t:s0 postgres 49108 0.0 0.3 212360 26368 ? Ss Mai12 0:25 /usr/pgsql-15/bin/postmaster -D /var/lib/pgsql/15/data
system_u:system_r:unconfined_service_t:s0 postgres 49109 0.0 0.1 212488 9900 ? Ss Mai12 0:00 postgres: checkpointer
system_u:system_r:unconfined_service_t:s0 postgres 49110 0.0 0.0 212504 7724 ? Ss Mai12 0:01 postgres: background writer
system_u:system_r:unconfined_service_t:s0 postgres 49112 0.0 0.1 212360 10796 ? Ss Mai12 0:01 postgres: walwriter
system_u:system_r:unconfined_service_t:s0 postgres 49113 0.0 0.1 213960 10028 ? Ss Mai12 0:06 postgres: autovacuum launcher
system_u:system_r:unconfined_service_t:s0 postgres 49114 0.0 0.0 212464 7084 ? Ss Mai12 0:00 postgres: archiver last was 0000000100000000000000BF.00000028.backup
system_u:system_r:unconfined_service_t:s0 postgres 49115 0.0 0.1 213928 8748 ? Ss Mai12 0:00 postgres: logical replication launcher

If you take the packages directly from the OS (Fedora/RedHat/Rocky):
ps auxZ | grep postg
system_u:system_r:postgresql_t:s0 postgres 1297186 0.0 0.0 431924 28224 ? Ss 06:59 0:00 /usr/bin/postmaster -D /var/lib/pgsql/data
system_u:system_r:postgresql_t:s0 postgres 1297187 0.0 0.0 285084 5096 ? Ss 06:59 0:00 postgres: logger
system_u:system_r:postgresql_t:s0 postgres 1297188 0.0 0.0 432052 9188 ? Ss 06:59 0:00 postgres: checkpointer
system_u:system_r:postgresql_t:s0 postgres 1297189 0.0 0.0 432064 6248 ? Ss 06:59 0:00 postgres: background writer
system_u:system_r:postgresql_t:s0 postgres 1297191 0.0 0.0 431924 9704 ? Ss 06:59 0:00 postgres: walwriter
system_u:system_r:postgresql_t:s0 postgres 1297192 0.0 0.0 433512 8312 ? Ss 06:59 0:00 postgres: autovacuum launcher
system_u:system_r:postgresql_t:s0 postgres 1297193 0.0 0.0 433492 7112 ? Ss 06:59 0:00 postgres: logical replication launcher

Here is the difference between the file contexts:
PGSQL RPM:
LANG=C ll -Z /usr/pgsql-15/bin/
total 12440
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 54288 May 8 14:00 clusterdb
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 58584 May 8 14:00 createdb
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 54560 May 8 14:00 createuser
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 53976 May 8 14:00 dropdb
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 49816 May 8 14:00 dropuser
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 109240 May 8 14:00 initdb
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 41056 May 8 14:00 pg_archivecleanup
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 122480 May 8 14:00 pg_basebackup
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 49824 May 8 14:00 pg_checksums
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 36848 May 8 14:00 pg_config
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 45224 May 8 14:00 pg_controldata
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 62512 May 8 14:00 pg_ctl
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 388368 May 8 14:00 pg_dump
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 92664 May 8 14:00 pg_dumpall
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 41288 May 8 14:00 pg_isready
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 79800 May 8 14:00 pg_receivewal
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 54000 May 8 14:00 pg_resetwal
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 152160 May 8 14:00 pg_restore
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 104648 May 8 14:00 pg_rewind
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 41304 May 8 14:00 pg_test_fsync
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 32808 May 8 14:00 pg_test_timing
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 146120 May 8 14:00 pg_upgrade
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 79496 May 8 14:00 pg_verifybackup
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 87832 May 8 14:00 pg_waldump
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 159016 May 8 14:00 pgbench
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 9606912 May 8 14:00 postgres
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 2167 May 8 14:00 postgresql-15-check-db-dir
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 9603 May 8 14:00 postgresql-15-setup
lrwxrwxrwx. 1 root root system_u:object_r:bin_t:s0 8 May 8 14:00 postmaster -> postgres
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 708984 May 8 14:00 psql
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 67000 May 8 14:00 reindexdb
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 67240 May 8 14:00 vacuumdb

OS RPM:
ll -Z /usr/bin/postgres
-rwxr-xr-x. 1 root root system_u:object_r:postgresql_exec_t:s0 9827024 27. Feb 01:00 /usr/bin/postgres

This means that it is not possible for Postfix or Dovecot, for example, to
connect to the socket.
On RHEL/Fedora-based systems, the SELinux contexts of the files from the
PostgreSQL Project RPMs must match those from the actual OS, otherwise
socket connections to many services will be blocked by SELinux.

This will hit all versions of PostgreSQL that come from the project RPMs.
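
The two checks from the report (process domain from `ps auxZ`, file type from `ls -Z`) as an added shell example that is not part of the original message. The function names and sample lines are constructed here; the expected types `postgresql_t` and `postgresql_exec_t` are the ones the report shows for the OS packages.

```sh
#!/bin/sh
# Added example: flags the two symptoms shown in the report. The expected
# types are the ones the report shows for the OS packages.
EXPECTED_DOMAIN="postgresql_t"
EXPECTED_EXEC_TYPE="postgresql_exec_t"

# stdin: `ps auxZ` lines (LABEL USER PID ...). Prints "PID DOMAIN" for each
# process owned by user postgres that runs outside the expected domain.
unconfined_postgres_procs() {
    awk -v want="$EXPECTED_DOMAIN" '
        $2 == "postgres" {
            split($1, ctx, ":")
            if (ctx[3] != want) print $3, ctx[3]
        }'
}

# stdin: `ls -lZ` lines. Prints "PATH TYPE" for every entry named "postgres"
# whose file type is not the expected entrypoint type. Client tools such as
# psql are ignored, and so is the postmaster symlink, because the listing
# shows the label of the link itself rather than of its target.
mislabelled_server_binaries() {
    awk -v want="$EXPECTED_EXEC_TYPE" '
        {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^[^:]+:[^:]+:[^:]+:s[0-9]/) break
            if (i > NF) next   # no label on this line, e.g. "total 12440"
            split($i, ctx, ":")
            path = $(i + 5)    # label, size, 3 date fields, then the name
            base = path
            sub(/.*\//, "", base)
            if (base == "postgres" && ctx[3] != want) print path, ctx[3]
        }'
}

# Constructed sample input, modelled on the output quoted in the report.
SAMPLE_PS='system_u:system_r:unconfined_service_t:s0 postgres 49108 0.0 0.3 212360 26368 ? Ss May12 0:25 /usr/pgsql-15/bin/postmaster -D /var/lib/pgsql/15/data
system_u:system_r:postgresql_t:s0 postgres 1297188 0.0 0.0 432052 9188 ? Ss 06:59 0:00 postgres: checkpointer
unconfined_u:unconfined_r:unconfined_t:s0 root 51000 0.0 0.0 6408 2176 pts/0 S+ 07:00 0:00 grep postg'
SAMPLE_LS='total 12440
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 708984 May  8 14:00 psql
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 9606912 May  8 14:00 postgres
-rwxr-xr-x. 1 root root system_u:object_r:postgresql_exec_t:s0 9827024 Feb 27 01:00 /usr/bin/postgres'

printf '%s\n' "$SAMPLE_PS" | unconfined_postgres_procs      # 49108 unconfined_service_t
printf '%s\n' "$SAMPLE_LS" | mislabelled_server_binaries    # postgres bin_t
```

On a live host, pipe `ps auxZ` and `LANG=C ls -lZ /usr/pgsql-15/bin/` into the two functions instead of the sample variables.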
