John DeSoi <desoi@pgedit.com> writes:
> Foiled again by SELinux permissions:
> type=AVC msg=audit(1367932037.676:10325): avc: denied { search } for pid=2567 comm="rsync" name="pgsql" dev=dm-0
ino=664822scontext=unconfined_u:system_r:rsync_t:s0 tcontext=system_u:object_r:postgresql_db_t:s0 tclass=dir
> type=SYSCALL msg=audit(1367932037.676:10325): arch=c000003e syscall=2 success=no exit=-13 a0=1ebd330 a1=0 a2=e a3=4
items=0ppid=2433 pid=2567 auid=0 uid=26 gid=26 euid=26 suid=26 fsuid=26 egid=26 sgid=26 fsgid=26 tty=(none) ses=57
comm="rsync"exe="/usr/bin/rsync" subj=unconfined_u:system_r:rsync_t:s0 key=(null)
> type=AVC msg=audit(1367932037.677:10326): avc: denied { execute } for pid=2568 comm="rsync" name="ssh" dev=dm-0
ino=266187scontext=unconfined_u:system_r:rsync_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file
> type=SYSCALL msg=audit(1367932037.677:10326): arch=c000003e syscall=59 success=no exit=-13 a0=7fff1686fa27
a1=7fff1686fb60a2=7fff16872d38 a3=7fff1686f860 items=0 ppid=2567 pid=2568 auid=0 uid=26 gid=26 euid=26 suid=26 fsuid=26
egid=26sgid=26 fsgid=26 tty=(none) ses=57 comm="rsync" exe="/usr/bin/rsync" subj=unconfined_u:system_r:rsync_t:s0
key=(null)
> I found there is a boolean for postgres and rsync and tried
> setsebool -P postgresql_can_rsync 1
> but replication still failed to work. There must be more required related to ssh and/or rsync. Anyone solved this
(withoutjust disabling SELinux)?
Short term: use audit2allow to generate custom policy tweaks that
allow these specific operations.
Longer term: file a bug in Red Hat's bugzilla against
selinux-policy-targeted. That boolean should allow this, one would
think, or else there should be another one that does.
regards, tom lane
