Thread: SELinux problem rsync'ing WAL logs

SELinux problem rsync'ing WAL logs

From
Aleksey Tsalolikhin
Date:
Ok, this is not strictly a PostgreSQL issue,

but I am trying to enable WAL log shipping on our PostgreSQL 8.1.10
(upgrade to 8.3.7 is in the works).

My archive_command is 'rsync %p postgres@node2:/file/to/$f </dev/null'

This works fine if and only if SELinux is disabled on node 1
(the source node).

I am running Fedora Core 6 on node 1.  (Upgrade to CentOS 5.2 is in the works.)

I used audit2allow on the SELinux messages, and generated an SELinux
module to allow Postgres to rsync the files out...

allow postgresql_t ssh_exec_t:file { read execute execute_no_trans };
allow postgresql_t ssh_port_t:tcp_socket name_connect;
allow postgresql_t user_home_t:dir { search getattr };
allow postgresql_t user_home_t:file { read getattr };

But this still does not work.  (Works fine if I disable SELinux, by the way.)

The error I get is:

LOG:  archive command "/usr/local/bin/rsync -e /usr/bin/ssh
pg_xlog/000000010000001D00000015
postgres@node2:WAL/000000010000001D00000015 </dev/null" failed: return
code 65280
Could not create directory '/home/postgres/.ssh'.
Host key verification failed.
rsync: connection unexpectedly closed (0 bytes received so far) [sender]
rsync error: unexplained error (code 255) at io.c(632) [sender=3.0.4]

If anybody has any clue as to what's going on here, I would sure
appreciate your help.

"ssh node2" works fine from node1; I log in using key-based authentication.

What stumps me is there are no further complaints from SELinux, but
clearly SELinux is blocking the connection.

I think I'll ask on the SELinux list as well.  But if anybody here
has a clue, please give me a shout.

Best,
-at
--
Aleksey Tsalolikhin
UNIX System Administrator
"I get stuff done!"
http://www.verticalsysadmin.com/
LinkedIn - http://www.linkedin.com/in/atsaloli

Re: SELinux problem rsync'ing WAL logs

From
David Wilson
Date:
On Tue, Mar 31, 2009 at 9:18 PM, Aleksey Tsalolikhin
<atsaloli.tech@gmail.com> wrote:

> Could not create directory '/home/postgres/.ssh'.
> Host key verification failed.

Have you tested "ssh node2" as the postgres user with SELinux enabled?
This looks like ssh failing to access the .ssh directory where it
keeps host keys (the known_keys file) and dying as a result. None of
the SELinux module setup lines seem to cover that, so you may want to
see if there's an SELinux failure for ssh in the audit log that could
give you a clue as to what needs to be allowed.

--
- David T. Wilson
david.t.wilson@gmail.com
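One way to do the check David suggests, as an added example that is not code from the thread: parse AVC denial lines from audit.log the way audit2allow does, then report which denied permissions the module's existing allow rules still do not grant. The AVC lines below are constructed sample input, and the target type user_home_dir_t for the home directory itself is an assumption about what the real log would show.

```python
import re
from collections import defaultdict

# Constructed sample audit.log lines: what ssh, running in the daemon's
# postgresql_t context, might be denied while touching ~/.ssh (assumed).
AVC_LOG = """\
type=AVC msg=audit(1238550000.123:456): avc:  denied  { search } for  pid=4321 comm="ssh" name=".ssh" scontext=system_u:system_r:postgresql_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1238550000.124:457): avc:  denied  { read } for  pid=4321 comm="ssh" name="known_hosts" scontext=system_u:system_r:postgresql_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1238550000.125:458): avc:  denied  { write add_name } for  pid=4321 comm="ssh" name="postgres" scontext=system_u:system_r:postgresql_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir
"""
# The allow rules from the module posted earlier in the thread.
EXISTING_MODULE = """\
allow postgresql_t ssh_exec_t:file { read execute execute_no_trans };
allow postgresql_t ssh_port_t:tcp_socket name_connect;
allow postgresql_t user_home_t:dir { search getattr };
allow postgresql_t user_home_t:file { read getattr };
"""
AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?scontext=(?P<scon>\S+)"
                    r".*?tcontext=(?P<tcon>\S+).*?tclass=(?P<cls>\w+)")
RULE_RE = re.compile(r"allow\s+(\w+)\s+(\w+):(\w+)\s+(?:\{([^}]*)\}|(\w+))\s*;")

def context_type(ctx):
    """Type field (user:role:TYPE:level) of a security context string."""
    return ctx.split(":")[2]

def parse_avc(log_text):
    """Aggregate denials into {(source_type, target_type, class): {perms}}."""
    denials = defaultdict(set)
    for m in AVC_RE.finditer(log_text):  # '.' never crosses a newline, so one line per match
        key = (context_type(m["scon"]), context_type(m["tcon"]), m["cls"])
        denials[key].update(m["perms"].split())
    return denials

def parse_allow_rules(policy_text):
    """Parse 'allow src tgt:class perms;' lines into the same structure."""
    rules = defaultdict(set)
    for src, tgt, cls, perm_set, single in RULE_RE.findall(policy_text):
        rules[(src, tgt, cls)].update(perm_set.split() if perm_set else [single])
    return rules

def uncovered_denials(denials, rules):
    """audit2allow-style rules for denied permissions the policy does not grant."""
    out = []
    for key, perms in sorted(denials.items()):
        missing = perms - rules.get(key, set())
        if missing:
            out.append("allow %s %s:%s { %s };" % (key + (" ".join(sorted(missing)),)))
    return out

if __name__ == "__main__":
    for rule in uncovered_denials(parse_avc(AVC_LOG), parse_allow_rules(EXISTING_MODULE)):
        print(rule)
```

The scontext field is what separates the daemon's denials from anything seen in an interactive login, so filter on postgresql_t rather than on comm="ssh" alone.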

Re: SELinux problem rsync'ing WAL logs

From
Aleksey Tsalolikhin
Date:
On Tue, Mar 31, 2009 at 6:35 PM, David Wilson <david.t.wilson@gmail.com> wrote:
> On Tue, Mar 31, 2009 at 9:18 PM, Aleksey Tsalolikhin
> <atsaloli.tech@gmail.com> wrote:
>
>> Could not create directory '/home/postgres/.ssh'.
>> Host key verification failed.
>
> Have you tested "ssh node2" as the postgres user with SELinux enabled?

Yes, I have, it works fine.  With SELinux enabled.  That's why I've
been tearing my hair out.

There must be a different SELinux behavior when the postgres database
server tries to do it.

Thanks for your reply!

Re: SELinux problem rsync'ing WAL logs

From
Tom Lane
Date:
Aleksey Tsalolikhin <atsaloli.tech@gmail.com> writes:
> On Tue, Mar 31, 2009 at 6:35 PM, David Wilson <david.t.wilson@gmail.com> wrote:
>> Have you tested "ssh node2" as the postgres user with SELinux enabled?

> Yes, I have, it works fine.  With SELinux enabled.  That's why I've
> been tearing my hair out.

Ah, well, you need to understand one of the first points about SELinux:
the standard policy is designed to constrain daemon processes, not
interactive processes.  So you can run some command when logged in as
postgres, and whether that works has nothing whatever to do with whether
SELinux will let the postgres daemon do it.

> I am running Fedora Core 6 on node 1.  (Upgrade to CentOS 5.2 is in
> the works.)

Yes, I'd suggest getting off FC6 soon.  In my experience the SELinux
policy didn't start to "just work" until around FC8.  In particular
I recall that FC6 had a bad habit of trying to rate-limit AVC messages
to the point where you could not figure out whether (much less why)
it was denying any particular thing you tried.

My advice is don't even bother trying to debug this on FC6.  Get onto a
newer platform with a less buggy SELinux implementation, or just turn
off SELinux.

            regards, tom lane

Re: SELinux problem rsync'ing WAL logs

From
Aleksey Tsalolikhin
Date:
Dear Tom,

  Thanks for your reply and insight!  I much appreciate it.  I certainly look
forward to getting off FC6!  In the meantime, I did get it to work -
I remembered SELinux protects /home directories especially.
So I moved "postgres" user's home directory from /home/postgres
to /data/postgres, and the WAL rsync works now under SELinux.

  Thanks again!  Very helpful!

Best,
-at