Thread: Can't start PostgreSQL on Fedora Core3

Hi,

it seems selinix doesn't like postgres. Can I uninstall selinux from
fedora savely? OR is there any way to make them both work together?

Here is my error message:

Mar  9 14:20:33 localhost kernel: audit(1110374433.961:0): avc:  denied
  { read } for  pid=9251 exe=/usr/bin/postgres name=PG_VERSION dev=dm-1
ino=1255016 scontext=user_u:system_r:postgresql_t
tcontext=root:object_r:var_lib_t tclass=file

Any ideas are welcome!

Thanks

Ulrich

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Hi,

Are you using the latest selinux_policy_targeted package? I mean, is your
system up2date?

Regards,
On Wed, 9 Mar 2005, Ulrich Wisser wrote:

> Hi,
>
> it seems selinix doesn't like postgres. Can I uninstall selinux from fedora
> savely? OR is there any way to make them both work together?
>
> Here is my error message:
>
> Mar  9 14:20:33 localhost kernel: audit(1110374433.961:0): avc:  denied  {
> read } for  pid=9251 exe=/usr/bin/postgres name=PG_VERSION dev=dm-1
> ino=1255016 scontext=user_u:system_r:postgresql_t
> tcontext=root:object_r:var_lib_t tclass=file
>
> Any ideas are welcome!
>
> Thanks
>
> Ulrich
>
> ---------------------------(end of broadcast)---------------------------
> TIP 6: Have you searched our list archives?
>
>              http://archives.postgresql.org
>

- --
Devrim GUNDUZ
devrim~gunduz.org, devrim~PostgreSQL.org, devrim.gunduz~linux.org.tr
http://www.tdmsoft.com                         http://www.gunduz.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQFCLvoUtl86P3SPfQ4RAhtKAJ9PAU+3IjRq4oo032ZiXaL9omQmUgCffJ36
yTiQ1KHu33RGd6aHAdhqrWw=
=wKRE
-----END PGP SIGNATURE-----

Sorry,

of course I forgot to mention my installed version. Please find them below:

postgresql-jdbc-7.4.7-3.FC3.1
postgresql-odbc-7.3-8.FC3.1
postgresql-test-7.4.7-3.FC3.1
postgresql-devel-7.4.7-3.FC3.1
postgresql-contrib-7.4.7-3.FC3.1
postgresql-python-7.4.7-3.FC3.1
postgresql-7.4.7-3.FC3.1
postgresql-pl-7.4.7-3.FC3.1
postgresql-server-7.4.7-3.FC3.1
postgresql-tcl-7.4.7-3.FC3.1
postgresql-libs-7.4.7-3.FC3.1
postgresql-docs-7.4.7-3.FC3.1

selinux-policy-targeted-1.17.30-2.85

up2date insists that these packages are all up to date.

Ulrich

Devrim GUNDUZ wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> Hi,
>
> Are you using the latest selinux_policy_targeted package? I mean, is
> your system up2date?
>
> Regards,
> On Wed, 9 Mar 2005, Ulrich Wisser wrote:
>
>> Hi,
>>
>> it seems selinix doesn't like postgres. Can I uninstall selinux from
>> fedora savely? OR is there any way to make them both work together?
>>
>> Here is my error message:
>>
>> Mar  9 14:20:33 localhost kernel: audit(1110374433.961:0): avc:
>> denied  { read } for  pid=9251 exe=/usr/bin/postgres name=PG_VERSION
>> dev=dm-1 ino=1255016 scontext=user_u:system_r:postgresql_t
>> tcontext=root:object_r:var_lib_t tclass=file
>>
>> Any ideas are welcome!
>>
>> Thanks
>>
>> Ulrich
>>
>> ---------------------------(end of broadcast)---------------------------
>> TIP 6: Have you searched our list archives?
>>
>>              http://archives.postgresql.org
>>
>
> - --
> Devrim GUNDUZ devrim~gunduz.org, devrim~PostgreSQL.org,
> devrim.gunduz~linux.org.tr
> http://www.tdmsoft.com                         http://www.gunduz.org
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.1 (GNU/Linux)
>
> iD8DBQFCLvoUtl86P3SPfQ4RAhtKAJ9PAU+3IjRq4oo032ZiXaL9omQmUgCffJ36
> yTiQ1KHu33RGd6aHAdhqrWw=
> =wKRE
> -----END PGP SIGNATURE-----


--
Ulrich Wisser

RELEVANT TRAFFIC SWEDEN AB, Riddarg 17A, SE-114 57 Sthlm, Sweden
Direct (+46)86789755 || Cell (+46)704467893 || Fax (+46)86789769
________________________________________________________________
http://www.relevanttraffic.com

On Wed, 09 Mar 2005 14:38:06 +0100, Ulrich Wisser
<ulrich.wisser@relevanttraffic.se> wrote:
> Sorry,
>
> of course I forgot to mention my installed version. Please find them below:
>
> postgresql-jdbc-7.4.7-3.FC3.1
> postgresql-odbc-7.3-8.FC3.1
> postgresql-test-7.4.7-3.FC3.1
> postgresql-devel-7.4.7-3.FC3.1
> postgresql-contrib-7.4.7-3.FC3.1
> postgresql-python-7.4.7-3.FC3.1
> postgresql-7.4.7-3.FC3.1
> postgresql-pl-7.4.7-3.FC3.1
> postgresql-server-7.4.7-3.FC3.1
> postgresql-tcl-7.4.7-3.FC3.1
> postgresql-libs-7.4.7-3.FC3.1
> postgresql-docs-7.4.7-3.FC3.1
>
> selinux-policy-targeted-1.17.30-2.85
>
> up2date insists that these packages are all up to date.

And you're certain that you're using the targetted policy and not strict?

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
L. Friedman                                    netllama@gmail.com
LlamaLand                       http://netllama.linux-sxs.org

Ulrich Wisser wrote:
> Mar  9 14:20:33 localhost kernel: audit(1110374433.961:0): avc:  denied
>  { read } for  pid=9251 exe=/usr/bin/postgres name=PG_VERSION dev=dm-1
> ino=1255016 scontext=user_u:system_r:postgresql_t
> tcontext=root:object_r:var_lib_t tclass=file

Try running 'restorecon -n -R -v /var/lib/pgsql'.  If it suggests
changes that appear to make sense, run 'restorecon -R -v
/var/lib/pgsql'.

HTH

--
========================================================================
Ian Pilcher                                        i.pilcher@comcast.net
========================================================================

Ulrich Wisser <ulrich.wisser@relevanttraffic.se> writes:
> it seems selinix doesn't like postgres. Can I uninstall selinux from
> fedora savely? OR is there any way to make them both work together?

They should work together as long as you have the latest PG RPMs (which
it seems you do) and a reasonably recent selinux-policy-targeted.

One problem is that selinux-policy-targeted updates don't necessarily
propagate to the security labels of the individual files.  I think what
you need to do here is
    sudo /sbin/restorecon -R /var/lib/pgsql
to ensure that /var/lib/pgsql and all its contents are correctly labeled
per your current installed selinux policy.  The reason for thinking
this is that your error message suggests that
/var/lib/pgsql/data/PG_VERSION is labeled root:object_r:var_lib_t,
which I think is the generic default for files under /var/lib,
while in my (working;-)) install it's labeled postgresql_db_t:
$ sudo ls -Z /var/lib/pgsql/data/PG_VERSION
-rw-------  postgres postgres root:object_r:postgresql_db_t    /var/lib/pgsql/data/PG_VERSION

There's some history and info about variant problems at
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=143208

            regards, tom lane

Tom Lane wrote:
>
> One problem is that selinux-policy-targeted updates don't necessarily
> propagate to the security labels of the individual files.

Sounds like it might be a good idea to add a trigger to the PostgreSQL
RPM to run restorecon when the SELinux policy is updated.

--
========================================================================
Ian Pilcher                                        i.pilcher@comcast.net
========================================================================

Lonni J Friedman wrote:

>>selinux-policy-targeted-1.17.30-2.85
>>
>>up2date insists that these packages are all up to date.
>
>
> And you're certain that you're using the targetted policy and not strict?

To be frank, I am not. I have not the slightest idea what all that
selinux is about (beside security in general). I just went with the
default install and here I am.

Ulrich

--
Ulrich Wisser

RELEVANT TRAFFIC SWEDEN AB, Riddarg 17A, SE-114 57 Sthlm, Sweden
Direct (+46)86789755 || Cell (+46)704467893 || Fax (+46)86789769
________________________________________________________________
http://www.relevanttraffic.com

Hi Tom,

>     sudo /sbin/restorecon -R /var/lib/pgsql

worked like a charm!

Thank you very much!

Ulrich

--
Ulrich Wisser

RELEVANT TRAFFIC SWEDEN AB, Riddarg 17A, SE-114 57 Sthlm, Sweden
Direct (+46)86789755 || Cell (+46)704467893 || Fax (+46)86789769
________________________________________________________________
http://www.relevanttraffic.com