Thread: SELinux & Redhat

SELinux & Redhat

From
Jeff -
Date:
I think we should put some notes about SELinux causing issues with
pgsql in the OS notes or FAQ.

Myself and a few coworkers just spent a few hours tracking down why
pg_dump would produce no output.  We'd fire it up in strace and we'd
see all the successful write calls, but not output.

We copied pg_dump from another machine and it worked fine, and that
machine was running the same OS & pg rpms.

Eventually we found it was SELinux was preventing pg_dump from
producing output.

Any thoughts?  I could write up a short blurb but I'm not terribly
familiar with selinux. we just disabled the whole thing to make it work.

For the record:
CentOS 4.0
postgresql-8.0.2-1PGDG.i686.rpm (and associated) rpms from
postgresql.org's ftp server

--
Jeff Trout <jeff@jefftrout.com>
http://www.jefftrout.com/
http://www.stuarthamm.net/





Re: SELinux & Redhat

From
Bruce Momjian
Date:
Jeff - wrote:
> I think we should put some notes about SELinux causing issues with
> pgsql in the OS notes or FAQ.
>
> Myself and a few coworkers just spent a few hours tracking down why
> pg_dump would produce no output.  We'd fire it up in strace and we'd
> see all the successful write calls, but not output.
>
> We copied pg_dump from another machine and it worked fine, and that
> machine was running the same OS & pg rpms.
>
> Eventually we found it was SELinux was preventing pg_dump from
> producing output.
>
> Any thoughts?  I could write up a short blurb but I'm not terribly
> familiar with selinux. we just disabled the whole thing to make it work.
>
> For the record:
> CentOS 4.0
> postgresql-8.0.2-1PGDG.i686.rpm (and associated) rpms from
> postgresql.org's ftp server

A blurb about what?  No one else has reported such a problem so we have
no reason to assume it isn't a misconfiguration on your end.

--
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 359-1001
  +  If your life is a hard drive,     |  13 Roberts Road
  +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073

Re: SELinux & Redhat

From
Peter Eisentraut
Date:
Am Freitag, 6. Mai 2005 16:55 schrieb Bruce Momjian:
> A blurb about what?  No one else has reported such a problem so we have
> no reason to assume it isn't a misconfiguration on your end.

*Countless* people are constantly reporting problems that can be attributed to
selinux.  We really need to write something about it.  Of course, most
people, including myself, just solve these issues by turning off selinux, but
I'd be interested in a more thorough treatment.

--
Peter Eisentraut
http://developer.postgresql.org/~petere/

Re: SELinux & Redhat

From
Bruce Momjian
Date:
Peter Eisentraut wrote:
> Am Freitag, 6. Mai 2005 16:55 schrieb Bruce Momjian:
> > A blurb about what?  No one else has reported such a problem so we have
> > no reason to assume it isn't a misconfiguration on your end.
>
> *Countless* people are constantly reporting problems that can be attributed to
> selinux.  We really need to write something about it.  Of course, most
> people, including myself, just solve these issues by turning off selinux, but
> I'd be interested in a more thorough treatment.

Who makes SE Linux?  Is it SuSE?  What would we say in an FAQ?  I would
rather report something to people using that OS.

--
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 359-1001
  +  If your life is a hard drive,     |  13 Roberts Road
  +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073

Re: SELinux & Redhat

From
Tom Lane
Date:
Jeff - <threshar@torgo.978.org> writes:
> Eventually we found it was SELinux was preventing pg_dump from
> producing output.

That's a new one on me.  Why was it doing that --- mislabeling on
the pg_dump executable, or what?

            regards, tom lane

Re: SELinux & Redhat

From
Tom Lane
Date:
Peter Eisentraut <peter_e@gmx.net> writes:
> Am Freitag, 6. Mai 2005 16:55 schrieb Bruce Momjian:
>> A blurb about what?  No one else has reported such a problem so we have
>> no reason to assume it isn't a misconfiguration on your end.

> *Countless* people are constantly reporting problems that can be
> attributed to selinux.

That's mostly because selinux outright broke postgres in the initial
FC3 releases :-(.  I have to take most of the blame for this myself;
I didn't realize there might be problems, and didn't test adequately.
I believe the problems are all resolved in the latest Fedora RPMs,
though this pg_dump report may be something new.

            regards, tom lane

Re: SELinux & Redhat

From
Devrim GUNDUZ
Date:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Hi,

On Fri, 6 May 2005, Tom Lane wrote:

> Jeff - <threshar@torgo.978.org> writes:
>> Eventually we found it was SELinux was preventing pg_dump from
>> producing output.
>
> That's a new one on me.  Why was it doing that --- mislabeling on
> the pg_dump executable, or what?

Looking at the strace report that someone has sent me before, there is a
problem with devices:

===================================================================
<snip>
fstat64(1, {st_mode=S_IFCHR|0666, st_rdev=makedev(1, 3), ...}) = 0
ioctl(1, SNDCTL_TMR_TIMEBASE or TCGETS, 0xbfe16a8c) = -1 ENOTTY
(Inappropriate ioctl for device)
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1,
0) = 0xb7dee000
write(1, "pg_dump dumps a database as a te"..., 2367) = 2367
munmap(0xb7dee000, 4096)                = 0
exit_group(0)                           = ?
===================================================================

This one is from a server with SELinux enabled. My server does not produce
this, and uses virtual console (as expected?). However with SELinux
enabled, it wants to use ramdisk (expected? I think no...)

Regards,
- --
Devrim GUNDUZ
devrim~gunduz.org, devrim~PostgreSQL.org, devrim.gunduz~linux.org.tr
http://www.tdmsoft.com.tr                      http://www.gunduz.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQFCe45Btl86P3SPfQ4RAhpbAJ0UhBh8dlOEpPsNm2NB1QIJ82X2swCg7JOg
A1OCBrZRHxoOPQo0U9hNdNY=
=ENTC
-----END PGP SIGNATURE-----

Re: SELinux & Redhat

From
Alvaro Herrera
Date:
On Fri, May 06, 2005 at 11:21:26AM -0400, Bruce Momjian wrote:
> Peter Eisentraut wrote:
> > Am Freitag, 6. Mai 2005 16:55 schrieb Bruce Momjian:
> > > A blurb about what?  No one else has reported such a problem so we have
> > > no reason to assume it isn't a misconfiguration on your end.
> >
> > *Countless* people are constantly reporting problems that can be attributed to
> > selinux.  We really need to write something about it.  Of course, most
> > people, including myself, just solve these issues by turning off selinux, but
> > I'd be interested in a more thorough treatment.
>
> Who makes SE Linux?  Is it SuSE?  What would we say in an FAQ?  I would
> rather report something to people using that OS.

It's linux-distribution agnostic.  Redhat is including it on its
distributions, as is Debian.  Not sure about the others but that is
already a large population.  (Of course it's Linux only.)

--
Alvaro Herrera (<alvherre[@]dcc.uchile.cl>)
"Aprende a avergonzarte más ante ti que ante los demás" (Demócrito)

Re: SELinux & Redhat

From
Jeff -
Date:
On May 6, 2005, at 11:23 AM, Tom Lane wrote:

> Jeff - <threshar@torgo.978.org> writes:
>
>> Eventually we found it was SELinux was preventing pg_dump from
>> producing output.
>>
>
> That's a new one on me.  Why was it doing that --- mislabeling on
> the pg_dump executable, or what?
>

We've got a stock CentOS 4 install
I nabbed the rpms I mentioned (8.0.2) (-rw-r--r--  1 root root
2955126 May  4 11:51 postgresql-8.0.2-1PGDG.i686.rpm & company)

from /etc/selinux/targeted/contexts/files/file_contexts I see

file_contexts:/usr/bin/pg_dump  --
system_u:object_r:postgresql_exec_t
file_contexts:/usr/bin/pg_dumpall       --
system_u:object_r:postgresql_exec_t

Syslog logs:

May  6 09:01:25 starslice kernel: audit(1115384485.559:0): avc:
denied  { execute_no_trans } for  pid=4485 exe=/bin/bash path=/usr/
bin/pg_dump dev=sda3 ino=5272966
scontext=user_u:system_r:postgresql_t
tcontext=system_u:object_r:postgresql_exec_t tclass=file


SELinux is on and under system-config-securitylevel's selinux tab,
"SELinux Protection services" disable postgresql is not clicked.

When I run pg_dump w/these settings the following happens running
pg_dump (.broken is hte original file from the rpm)

bash-3.00$ /usr/bin/pg_dump.broken planet
bash-3.00$

Stracing it I get
....
write(1, "file_pkey; Type: CONSTRAINT; Sch"..., 4096) = 4096
write(1, "\n-- Name: userprofile_pkey; Type"..., 4096) = 4096
write(1, "_idx_1 OWNER TO planet;\n\n--\n-- N"..., 4096) = 4096
rt_sigaction(SIGPIPE, {SIG_IGN}, {SIG_DFL}, 8) = 0
send(3, "X\0\0\0\4", 5, 0)              = 5
rt_sigaction(SIGPIPE, {SIG_DFL}, {SIG_IGN}, 8) = 0
close(3)                                = 0
write(1, "me: top3_cmtcount_idx; Type: IND"..., 3992) = 3992
munmap(0xb7df0000, 4096)                = 0
exit_group(0)                           = ?


and what is interesting is it seems only sometimes things get logged
to syslog about the failure.

If I copy the file (not mv) it will work (possibly due to xattrs
being set?)

and if I disable pg checking, (or selinux all together) it works.


COOL, HUH?

--
Jeff Trout <jeff@jefftrout.com>
http://www.jefftrout.com/
http://www.stuarthamm.net/





Re: SELinux & Redhat

From
Tom Lane
Date:
Jeff - <threshar@torgo.978.org> writes:
> When I run pg_dump w/these settings the following happens running
> pg_dump (.broken is hte original file from the rpm)

> bash-3.00$ /usr/bin/pg_dump.broken planet
> bash-3.00$

Does it work if you direct the output into a file, instead of letting it
come to your terminal (which seems a bit useless anyway)?

I've been bugging dwalsh about the fact that the selinux policy
disallows writes to /dev/tty to things it thinks are daemons;
that seems pretty stupid.  But pg_dump isn't a daemon so there's
no reason for it to be restricted this way anyway...

> and what is interesting is it seems only sometimes things get logged
> to syslog about the failure.

Someone told me there's a rate limit on selinux complaints going to
syslog, to keep it from swamping your logs.  I suspect there are some
actual bugs there too, because I've noticed cases where an action was
blocked and there wasn't any log message, nor enough activity to
justify a rate limit.  Feel free to file a bugzilla report if you can
get a reproducible case.

            regards, tom lane

Re: SELinux & Redhat

From
Jeff -
Date:
On May 6, 2005, at 11:57 AM, Tom Lane wrote:
>> bash-3.00$ /usr/bin/pg_dump.broken planet
>> bash-3.00$
>>
>
> Does it work if you direct the output into a file, instead of
> letting it
> come to your terminal (which seems a bit useless anyway)?
>

Interesting.

Redirecting it worked, but I'm pretty sure at one point it didn't
work. (I could also be smoking crack).

Hmm.. piping it into another app worked.

I only found out about this when another developer here tried to run
it and got nothing.

in any case, it might be something useful to jot somewhere.

--
Jeff Trout <jeff@jefftrout.com>
http://www.jefftrout.com/
http://www.stuarthamm.net/