Re: replication breaks with CentOS 6.4 upgrade

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: John DeSoi <desoi(at)pgedit(dot)com>
Cc: "pgsql-general(at)postgresql(dot)org general" <pgsql-general(at)postgresql(dot)org>
Subject: Re: replication breaks with CentOS 6.4 upgrade
Date: 2013-05-07 16:19:35
Message-ID: 27871.1367943575@sss.pgh.pa.us
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-general

John DeSoi <desoi(at)pgedit(dot)com> writes:
> Foiled again by SELinux permissions:

> type=AVC msg=audit(1367932037.676:10325): avc: denied { search } for pid=2567 comm="rsync" name="pgsql" dev=dm-0 ino=664822 scontext=unconfined_u:system_r:rsync_t:s0 tcontext=system_u:object_r:postgresql_db_t:s0 tclass=dir
> type=SYSCALL msg=audit(1367932037.676:10325): arch=c000003e syscall=2 success=no exit=-13 a0=1ebd330 a1=0 a2=e a3=4 items=0 ppid=2433 pid=2567 auid=0 uid=26 gid=26 euid=26 suid=26 fsuid=26 egid=26 sgid=26 fsgid=26 tty=(none) ses=57 comm="rsync" exe="/usr/bin/rsync" subj=unconfined_u:system_r:rsync_t:s0 key=(null)
> type=AVC msg=audit(1367932037.677:10326): avc: denied { execute } for pid=2568 comm="rsync" name="ssh" dev=dm-0 ino=266187 scontext=unconfined_u:system_r:rsync_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file
> type=SYSCALL msg=audit(1367932037.677:10326): arch=c000003e syscall=59 success=no exit=-13 a0=7fff1686fa27 a1=7fff1686fb60 a2=7fff16872d38 a3=7fff1686f860 items=0 ppid=2567 pid=2568 auid=0 uid=26 gid=26 euid=26 suid=26 fsuid=26 egid=26 sgid=26 fsgid=26 tty=(none) ses=57 comm="rsync" exe="/usr/bin/rsync" subj=unconfined_u:system_r:rsync_t:s0 key=(null)

> I found there is a boolean for postgres and rsync and tried
> setsebool -P postgresql_can_rsync 1
> but replication still failed to work. There must be more required related to ssh and/or rsync. Anyone solved this (without just disabling SELinux)?

Short term: use audit2allow to generate custom policy tweaks that
allow these specific operations.

Longer term: file a bug in Red Hat's bugzilla against
selinux-policy-targeted. That boolean should allow this, one would
think, or else there should be another one that does.

regards, tom lane

In response to

Browse pgsql-general by date

  From Date Subject
Next Message Sahagian, David 2013-05-07 21:03:16 help with log entries during restart
Previous Message John DeSoi 2013-05-07 14:58:44 replication breaks with CentOS 6.4 upgrade