Thread: SELinux problem rsync'ing WAL logs
Ok, this is not strictly a PostgreSQL issue, but I am trying to enable WAL log shipping on our PostgreSQL 8.1.10 (upgrade to 8.3.7 is in the works).

My archive_command is 'rsync %p postgres@node2:/file/to/$f </dev/null'

This works fine if and only if SE Linux is disabled on node 1 (the source node). I am running Fedora Core 6 on node 1. (Upgrade to CentOS 5.2 is in the works.)

I used audit2allow on the SELinux messages, and generated an SE Linux module to allow Postgres to rsync the files out...

    allow postgresql_t ssh_exec_t:file { read execute execute_no_trans };
    allow postgresql_t ssh_port_t:tcp_socket name_connect;
    allow postgresql_t user_home_t:dir { search getattr };
    allow postgresql_t user_home_t:file { read getattr };

But this still does not work. (Works fine if I disable SELinux, by the way.)

The error I get is:

    LOG: archive command "/usr/local/bin/rsync -e /usr/bin/ssh pg_xlog/000000010000001D00000015 postgres@node2:WAL/000000010000001D00000015 </dev/null" failed: return code 65280
    Could not create directory '/home/postgres/.ssh'.
    Host key verification failed.
    rsync: connection unexpectedly closed (0 bytes received so far) [sender]
    rsync error: unexplained error (code 255) at io.c(632) [sender=3.0.4]

If anybody has any clue as to what's going on here, I would sure appreciate your help.

"ssh node2" works fine from node1, I log in using key-based authentication.

What stumps me is there are no further complaints from SELinux, but clearly SELinux is blocking the connection.

I think I'll ask on the SELinux list as well. But if anybody here has a clue, please give me a shout.

Best,
-at

--
Aleksey Tsalolikhin
UNIX System Administrator
"I get stuff done!"
http://www.verticalsysadmin.com/
LinkedIn - http://www.linkedin.com/in/atsaloli
On Tue, Mar 31, 2009 at 9:18 PM, Aleksey Tsalolikhin <atsaloli.tech@gmail.com> wrote:

> Could not create directory '/home/postgres/.ssh'.
> Host key verification failed.

Have you tested "ssh node2" as the postgres user with SELinux enabled? This looks like ssh failing to access the .ssh directory where it keeps host keys (the known_keys file) and dying as a result. None of the SELinux module setup lines seem to cover that, so you may want to see if there's an SELinux failure for ssh in the audit log that could give you a clue as to what needs to be allowed.

--
- David T. Wilson
david.t.wilson@gmail.com
On Tue, Mar 31, 2009 at 6:35 PM, David Wilson <david.t.wilson@gmail.com> wrote:

> On Tue, Mar 31, 2009 at 9:18 PM, Aleksey Tsalolikhin
> <atsaloli.tech@gmail.com> wrote:
>
>> Could not create directory '/home/postgres/.ssh'.
>> Host key verification failed.
>
> Have you tested "ssh node2" as the postgres user with SELinux enabled?

Yes, I have, it works fine. With SELinux enabled. That's why I've been tearing my hair out.

There must be a different SELinux behavior when the postgres database server tries to do it.

Thanks for your reply!

--
Aleksey Tsalolikhin
UNIX System Administrator
"I get stuff done!"
http://www.verticalsysadmin.com/
LinkedIn - http://www.linkedin.com/in/atsaloli
Aleksey Tsalolikhin <atsaloli.tech@gmail.com> writes:

> On Tue, Mar 31, 2009 at 6:35 PM, David Wilson <david.t.wilson@gmail.com> wrote:
>> Have you tested "ssh node2" as the postgres user with SELinux enabled?

> Yes, I have, it works fine. With SELinux enabled. That's why I've
> been tearing my hair out.

Ah, well, you need to understand one of the first points about SELinux: the standard policy is designed to constrain daemon processes, not interactive processes. So you can run some command when logged in as postgres, and whether that works has nothing whatever to do with whether SELinux will let the postgres daemon do it.

> I am running Fedora Core 6 on node 1. (Upgrade to CentOS 5.2 is in
> the works.)

Yes, I'd suggest getting off FC6 soon. In my experience the SELinux policy didn't start to "just work" until around FC8. In particular I recall that FC6 had a bad habit of trying to rate-limit AVC messages to the point where you could not figure out whether (much less why) it was denying any particular thing you tried.

My advice is don't even bother trying to debug this on FC6. Get onto a newer platform with a less buggy SELinux implementation, or just turn off SELinux.

regards, tom lane
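The point Tom makes is that the denials that matter are the ones whose source context is the daemon's domain (postgresql_t), not the interactive user's. As an added example (not code from the thread, and not the real audit2allow), the script below re-implements audit2allow's core step: parse AVC denial lines, keep only those for one source domain, and collapse them into allow rules like the ones in the original post. The audit lines are constructed to match the shape of the denials that module would have been generated from.

```python
import re
from collections import defaultdict

# Constructed sample AVC records in the shape FC6's audit log would emit;
# not taken from the original post. The last line is an interactive-shell
# denial (user_t) that must NOT end up in the daemon's policy module.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1238540000.101:1): avc:  denied  { search } for  pid=4242 comm="ssh" name=".ssh" dev=dm-0 ino=1234 scontext=system_u:system_r:postgresql_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1238540000.102:2): avc:  denied  { read } for  pid=4242 comm="ssh" name="known_hosts" dev=dm-0 ino=1235 scontext=system_u:system_r:postgresql_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1238540000.103:3): avc:  denied  { getattr } for  pid=4242 comm="ssh" name=".ssh" dev=dm-0 ino=1234 scontext=system_u:system_r:postgresql_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1238540000.104:4): avc:  denied  { name_connect } for  pid=4242 comm="ssh" dest=22 scontext=system_u:system_r:postgresql_t:s0 tcontext=system_u:object_r:ssh_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1238540000.105:5): avc:  denied  { read } for  pid=7 comm="bash" name="notes" scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
"""

# Pull the permission set, source domain, target type and object class out
# of one AVC line. Contexts look like user:role:type:level; only the type
# (third field) matters for an allow rule.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\} .*?'
    r'scontext=\w+:\w+:(?P<sdom>\w+):\S* '
    r'tcontext=\w+:\w+:(?P<ttype>\w+):\S* '
    r'tclass=(?P<tclass>\w+)'
)

def parse_denials(text):
    """Yield (source_domain, target_type, tclass, permission) per denied permission."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        for perm in m.group('perms').split():
            yield m.group('sdom'), m.group('ttype'), m.group('tclass'), perm

def allow_rules(text, source_domain):
    """Collapse denials for one source domain into allow rules (audit2allow style)."""
    grouped = defaultdict(set)
    for sdom, ttype, tclass, perm in parse_denials(text):
        if sdom == source_domain:          # ignore other domains, e.g. the login shell
            grouped[(ttype, tclass)].add(perm)
    rules = []
    for (ttype, tclass), perms in sorted(grouped.items()):
        p = sorted(perms)
        body = p[0] if len(p) == 1 else '{ ' + ' '.join(p) + ' }'
        rules.append(f'allow {source_domain} {ttype}:{tclass} {body};')
    return rules

if __name__ == '__main__':
    for rule in allow_rules(SAMPLE_AUDIT, 'postgresql_t'):
        print(rule)
```

Rules derived this way grant the daemon exactly what it was just denied, so each one is worth reading before it goes into a module; here the user_home_t rules are the ones the original poster later avoided by moving the home directory out of /home.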
Dear Tom,

Thanks for your reply and insight! I much appreciate it. I certainly look forward to getting off FC6!

In the meantime, I did get it to work - I remembered SELinux protects /home directories especially. So I moved "postgres" user's home directory from /home/postgres to /data/postgres, and the WAL rsync works now under SELinux.

Thanks again! Very helpful!

Best,
-at