From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
---|---|
To: | John DeSoi <desoi(at)pgedit(dot)com> |
Cc: | "pgsql-general(at)postgresql(dot)org general" <pgsql-general(at)postgresql(dot)org> |
Subject: | Re: replication breaks with CentOS 6.4 upgrade |
Date: | 2013-05-07 16:19:35 |
Message-ID: | 27871.1367943575@sss.pgh.pa.us |
Lists: | pgsql-general |
John DeSoi <desoi(at)pgedit(dot)com> writes:
> Foiled again by SELinux permissions:
> type=AVC msg=audit(1367932037.676:10325): avc: denied { search } for pid=2567 comm="rsync" name="pgsql" dev=dm-0 ino=664822 scontext=unconfined_u:system_r:rsync_t:s0 tcontext=system_u:object_r:postgresql_db_t:s0 tclass=dir
> type=SYSCALL msg=audit(1367932037.676:10325): arch=c000003e syscall=2 success=no exit=-13 a0=1ebd330 a1=0 a2=e a3=4 items=0 ppid=2433 pid=2567 auid=0 uid=26 gid=26 euid=26 suid=26 fsuid=26 egid=26 sgid=26 fsgid=26 tty=(none) ses=57 comm="rsync" exe="/usr/bin/rsync" subj=unconfined_u:system_r:rsync_t:s0 key=(null)
> type=AVC msg=audit(1367932037.677:10326): avc: denied { execute } for pid=2568 comm="rsync" name="ssh" dev=dm-0 ino=266187 scontext=unconfined_u:system_r:rsync_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file
> type=SYSCALL msg=audit(1367932037.677:10326): arch=c000003e syscall=59 success=no exit=-13 a0=7fff1686fa27 a1=7fff1686fb60 a2=7fff16872d38 a3=7fff1686f860 items=0 ppid=2567 pid=2568 auid=0 uid=26 gid=26 euid=26 suid=26 fsuid=26 egid=26 sgid=26 fsgid=26 tty=(none) ses=57 comm="rsync" exe="/usr/bin/rsync" subj=unconfined_u:system_r:rsync_t:s0 key=(null)
> I found there is a boolean for postgres and rsync and tried
> setsebool -P postgresql_can_rsync 1
> but replication still failed to work. There must be more required related to ssh and/or rsync. Anyone solved this (without just disabling SELinux)?
Short term: use audit2allow to generate custom policy tweaks that
allow these specific operations.
Longer term: file a bug in Red Hat's bugzilla against
selinux-policy-targeted. That boolean should allow this, one would
think, or else there should be another one that does.
regards, tom lane
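Added example, not part of the thread: a shell script that turns the two AVC records quoted above into the type-enforcement module that `audit2allow -M` builds, so the rules can be read before anything is compiled or loaded. The two AVC lines are copied from the quoted report and embedded as sample input; the module name local_rsync_pgsql is an assumption, and the parsing is a hand-written stand-in for audit2allow, not audit2allow itself.

```shell
#!/bin/sh
# Added example (not from the thread). Converts AVC "denied" records into the
# SELinux type-enforcement (.te) module that `audit2allow -M` would generate,
# so the rules can be reviewed before they are compiled and loaded.
#
# The usual one-liner, on a box with policycoreutils-python installed:
#   grep rsync /var/log/audit/audit.log | audit2allow -M local_rsync_pgsql
#   semodule -i local_rsync_pgsql.pp

# Sample input: the two AVC records quoted in the report (constructed constant;
# the SYSCALL records are left out because they carry no source/target types).
AVC_SAMPLE='type=AVC msg=audit(1367932037.676:10325): avc: denied { search } for pid=2567 comm="rsync" name="pgsql" dev=dm-0 ino=664822 scontext=unconfined_u:system_r:rsync_t:s0 tcontext=system_u:object_r:postgresql_db_t:s0 tclass=dir
type=AVC msg=audit(1367932037.677:10326): avc: denied { execute } for pid=2568 comm="rsync" name="ssh" dev=dm-0 ino=266187 scontext=unconfined_u:system_r:rsync_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file'

# avc_to_te MODULE_NAME: read audit records on stdin, write a .te on stdout.
# One allow rule per (source type, target type, class); permissions from
# repeated denials of the same triple are merged, as audit2allow does.
avc_to_te() {
  awk -v modname="${1:-local_rsync_pgsql}" '
  /avc: *denied/ {
    s = index($0, "{"); e = index($0, "}")
    if (!s || !e) next
    perms = substr($0, s + 1, e - s - 1)          # e.g. " search "
    src = ""; tgt = ""; cls = ""
    for (i = 1; i <= NF; i++) {
      if      ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }  # user:role:TYPE:level
      else if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
      else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
    }
    if (src == "" || tgt == "" || cls == "") next
    key = src SUBSEP tgt SUBSEP cls
    if (!(key in rules)) { order[++n] = key; rules[key] = "" }
    np = split(perms, p, " ")
    for (j = 1; j <= np; j++) {
      if (!((key, p[j]) in seen)) { seen[key, p[j]] = 1; rules[key] = rules[key] " " p[j] }
      if (!((cls, p[j]) in cseen)) { cseen[cls, p[j]] = 1; classperms[cls] = classperms[cls] " " p[j] }
    }
    types[src] = 1; types[tgt] = 1
  }
  END {
    print "module " modname " 1.0;"
    print ""
    print "require {"
    for (t in types)      print "\ttype " t ";"
    for (c in classperms) print "\tclass " c " {" classperms[c] " };"
    print "}"
    print ""
    for (i = 1; i <= n; i++) {
      split(order[i], k, SUBSEP)
      print "allow " k[1] " " k[2] ":" k[3] " {" rules[order[i]] " };"
    }
  }'
}

# load_te_module FILE.te: compile and install the module. These are the steps
# audit2allow -M wraps; needs root and the policycoreutils tools. Not invoked
# by this script; call it only after reading the .te.
load_te_module() {
  te="$1"
  base="${te%.te}"
  checkmodule -M -m -o "$base.mod" "$te" &&
    semodule_package -o "$base.pp" -m "$base.mod" &&
    semodule -i "$base.pp"
}

# Demo: show what would be loaded for the posted denials. Nothing is installed.
printf '%s\n' "$AVC_SAMPLE" | avc_to_te local_rsync_pgsql
```

Read the generated .te before loading it: the rules grant rsync_t search on every postgresql_db_t directory and execute on every ssh_exec_t file, not just for this replication job, so keep the module to exactly the denials observed and remove it (semodule -r local_rsync_pgsql) once a fixed selinux-policy-targeted arrives. Expect to iterate: once the first denial is allowed, rsync gets further and may trip the next one, which then has to be fed through the same steps.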