FW: Adding Postgres Repository on Red Hat 9 causes SELinux Warnings "SELinux is preventing /usr/bin/gpg from using the dac_override capability" - Mailing list pgsql-admin

From Janet Einhorn
Subject FW: Adding Postgres Repository on Red Hat 9 causes SELinux Warnings "SELinux is preventing /usr/bin/gpg from using the dac_override capability"
Msg-id PSAPR01MB3928C1F15B20A9B9DE279CD5D0FD2@PSAPR01MB3928.apcprd01.prod.exchangelabs.com
Whole thread Raw
List pgsql-admin

Hello Postgres Admin Mailing Group People –


Our email admin says that we do not employ a “mail-back anti-spam system” and I hope that is true because I don’t want to cause you hassle.


I manage many VMs running Red Hat 9 at various levels from 9.2 through 9.5.  On many of these VMs, I have followed instructions on the Postgres “Linux downloads (Red Hat family)” page:  https://www.postgresql.org/download/linux/redhat/


More specifically, according to the instructions for Version 15, Platform RHEL-9, and architecture x86_64, I ran the following commands:

# Install the repository RPM:
sudo dnf install -y https://download.postgresql.org/pub/repos/yum/reporpms/EL-9-x86_64/pgdg-redhat-repo-latest.noarch.rpm
# Disable the built-in PostgreSQL module:
sudo dnf -qy module disable postgresql


I did not necessarily install any version of Postgres Server.  On some of these VMs, I installed only the Postgres-12 client:

# sudo dnf install postgresql12.x86_64


Installation of the Postgres Repository RPM causes the following file, shown here with the security context.  I noticed that the security context user is system_u, different from the security context user of the Red Hat repository:

$ sudo ls -lZ /etc/yum.repos.d

total 128

-rw-r--r--. 1 root root     system_u:object_r:system_conf_t:s0      13328 Apr 10  2024 pgdg-redhat-all.repo

-rw-------. 1 root root unconfined_u:object_r:system_conf_t:s0     111620 Jan 30 20:54 redhat.repo


I have noticed that as soon as I introduce the Postgres repository, large batches of SELinux warnings start showing up in /var/log/messages every 4 hours.  These messages show up in batches of 32 every 4 hours.  For example:

[local_jeinhorn@itsdev ~]$ sudo grep setroubleshoot /var/log/messages | egrep "Feb 11 07:28:" | tail -6


Feb 11 07:28:22 itsdev setroubleshoot[159834]: SELinux is preventing /usr/bin/gpg from using the dac_override capability. For complete SELinux messages run: sealert -l 78da067f-bff8-47fb-a13e-e5c398990ed4


Feb 11 07:28:22 itsdev setroubleshoot[159834]: SELinux is preventing /usr/bin/gpg from using the dac_override capability.#012#012*****  Plugin dac_override (91.4 confidence) suggests   **********************#012#012If you want to help identify if domain needs this access or you have a file with the wrong permissions on your system#012Then turn on full auditing to get path information about the offending file and generate the error again.#012Do#012#012Turn on full auditing#012# auditctl -w /etc/shadow -p w#012Try to recreate AVC. Then execute#012# ausearch -m avc -ts recent#012If you see PATH record check ownership/permissions on file, and fix it,#012otherwise report as a bugzilla.#012#012*****  Plugin catchall (9.59 confidence) suggests   **************************#012#012If you believe that gpg should have the dac_override capability by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'gpg' --raw | audit2allow -M my-gpg#012# semodule -X 300 -i my-gpg.pp#012


Feb 11 07:28:22 itsdev setroubleshoot[159834]: SELinux is preventing /usr/bin/gpg from using the dac_override capability. For complete SELinux messages run: sealert -l 78da067f-bff8-47fb-a13e-e5c398990ed4


Feb 11 07:28:22 itsdev setroubleshoot[159834]: SELinux is preventing /usr/bin/gpg from using the dac_override capability.#012#012*****  Plugin dac_override (91.4 confidence) suggests   **********************#012#012If you want to help identify if domain needs this access or you have a file with the wrong permissions on your system#012Then turn on full auditing to get path information about the offending file and generate the error again.#012Do#012#012Turn on full auditing#012# auditctl -w /etc/shadow -p w#012Try to recreate AVC. Then execute#012# ausearch -m avc -ts recent#012If you see PATH record check ownership/permissions on file, and fix it,#012otherwise report as a bugzilla.#012#012*****  Plugin catchall (9.59 confidence) suggests   **************************#012#012If you believe that gpg should have the dac_override capability by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'gpg' --raw | audit2allow -M my-gpg#012# semodule -X 300 -i my-gpg.pp#012


Feb 11 07:28:32 itsdev systemd[1]: setroubleshootd.service: Deactivated successfully.


Feb 11 07:28:32 itsdev systemd[1]: setroubleshootd.service: Consumed 1.016s CPU time.


All the gpgkey file entries in are the same:


[local_jeinhorn@useengatldevdb ~]$ sudo grep gpgkey /etc/yum.repos.d/pgdg-redhat-all.repo



. . . <SNIP LOTS OF THE SAME> . . .




The Postgres repository GPG key stored in /etc/pki/rpm-gpg/PGDG-RPM-GPG-KEY-RHEL has already been imported into RPM:


[local_jeinhorn@useengatldevdb ~]$ sudo tail -5 /etc/pki/rpm-gpg/PGDG-RPM-GPG-KEY-RHEL






[local_jeinhorn@useengatldevdb ~]$ sudo rpm -qa gpg*






[local_jeinhorn@useengatldevdb ~]$ sudo rpm -qi gpg-pubkey-08b40d20-6581afc1

Name        : gpg-pubkey

Version     : 08b40d20

Release     : 6581afc1

Architecture: (none)

Install Date: Thu 29 Feb 2024 04:08:50 PM EST

Group       : Public Keys

Size        : 0

License     : pubkey

Signature   : (none)

Source RPM  : (none)

Build Date  : Tue 19 Dec 2023 09:59:13 AM EST

Build Host  : localhost

Packager    : PostgreSQL RPM Repository <pgsql-pkg-yum@lists.postgresql.org>

Summary     : PostgreSQL RPM Repository <pgsql-pkg-yum@lists.postgresql.org> public key

Description :


Version: rpm- (NSS-3)




. . . <SNIP> . . .







The only way I was able to stop these messages was to update /etc/dnf/dnf.conf and /etc/yum.repos.d/pgdg-redhat-all.repo and disable the gpg checking in all instances  (change gpgcheck from 1 to 0 and change repo_gpgcheck from 1 to 0).


I’m sure this is not the optimal way to avoid /var/log/messages getting spammed with setroubleshoot entries, but I don’t know what needs to be done!  I am amazed this issue has not been reported by others.


Do you have advice on what I need to do, to stop the SELinux messages from getting logged into /var/log/messages?


Many Thanks,

Janet Einhorn

System Administrator

KNS FTW I.T. Infrastructure Team



This email is non-binding, is subject to contract, and neither Kulicke and Soffa Industries, Inc. nor its subsidiaries (each and collectively “K&S”) shall have any obligation to you to consummate the transactions herein or to enter into any agreement, other than in accordance with the terms and conditions of a definitive agreement if and when negotiated, finalized and executed between the parties. This email and all its contents are protected by International and United States copyright laws. Any reproduction or use of all or any part of this email without the express written consent of K&S is prohibited.

pgsql-admin by date:

From: Erik Serrano
Subject: Re: Errors of a Postgresql replication with PowerBi
From: Sbob
Subject: Security definer function to alter a sequence