Thread: replication breaks with CentOS 6.4 upgrade

replication breaks with CentOS 6.4 upgrade

From: John DeSoi
Postgres 9.2 was happily replicating until I upgraded the server from CentOS 6.3 to 6.4. Log error shows

2013-05-06 23:51:35 EDT [19421]: [206-1] user=,db=,remote= LOG:  archive command failed with exit code 14
2013-05-06 23:51:35 EDT [19421]: [207-1] user=,db=,remote= DETAIL:  The failed archive command was: rsync --whole-file --ignore-existing --delete-after -a pg_xlog/000000010000006B00000016 backup:/archive/000000010000006B00000016
rsync: Failed to exec ssh: Permission denied (13)
rsync error: error in IPC code (code 14) at pipe.c(84) [sender=3.0.6]
rsync: connection unexpectedly closed (0 bytes received so far) [sender]
rsync error: error in IPC code (code 14) at io.c(600) [sender=3.0.6]

Foiled again by SELinux permissions:

type=AVC msg=audit(1367932037.676:10325): avc:  denied  { search } for  pid=2567 comm="rsync" name="pgsql" dev=dm-0 ino=664822 scontext=unconfined_u:system_r:rsync_t:s0 tcontext=system_u:object_r:postgresql_db_t:s0 tclass=dir
type=SYSCALL msg=audit(1367932037.676:10325): arch=c000003e syscall=2 success=no exit=-13 a0=1ebd330 a1=0 a2=e a3=4 items=0 ppid=2433 pid=2567 auid=0 uid=26 gid=26 euid=26 suid=26 fsuid=26 egid=26 sgid=26 fsgid=26 tty=(none) ses=57 comm="rsync" exe="/usr/bin/rsync" subj=unconfined_u:system_r:rsync_t:s0 key=(null)
type=AVC msg=audit(1367932037.677:10326): avc:  denied  { execute } for  pid=2568 comm="rsync" name="ssh" dev=dm-0 ino=266187 scontext=unconfined_u:system_r:rsync_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1367932037.677:10326): arch=c000003e syscall=59 success=no exit=-13 a0=7fff1686fa27 a1=7fff1686fb60 a2=7fff16872d38 a3=7fff1686f860 items=0 ppid=2567 pid=2568 auid=0 uid=26 gid=26 euid=26 suid=26 fsuid=26 egid=26 sgid=26 fsgid=26 tty=(none) ses=57 comm="rsync" exe="/usr/bin/rsync" subj=unconfined_u:system_r:rsync_t:s0 key=(null)


I found there is a boolean for postgres and rsync and tried

setsebool -P postgresql_can_rsync 1


but replication still failed to work. There must be more required related to ssh and/or rsync. Anyone solved this (without just disabling SELinux)?

Thanks,

John DeSoi, Ph.D.




Re: replication breaks with CentOS 6.4 upgrade

From: Tom Lane
John DeSoi <desoi@pgedit.com> writes:
> Foiled again by SELinux permissions:

> type=AVC msg=audit(1367932037.676:10325): avc:  denied  { search } for  pid=2567 comm="rsync" name="pgsql" dev=dm-0 ino=664822 scontext=unconfined_u:system_r:rsync_t:s0 tcontext=system_u:object_r:postgresql_db_t:s0 tclass=dir
> type=SYSCALL msg=audit(1367932037.676:10325): arch=c000003e syscall=2 success=no exit=-13 a0=1ebd330 a1=0 a2=e a3=4 items=0 ppid=2433 pid=2567 auid=0 uid=26 gid=26 euid=26 suid=26 fsuid=26 egid=26 sgid=26 fsgid=26 tty=(none) ses=57 comm="rsync" exe="/usr/bin/rsync" subj=unconfined_u:system_r:rsync_t:s0 key=(null)
> type=AVC msg=audit(1367932037.677:10326): avc:  denied  { execute } for  pid=2568 comm="rsync" name="ssh" dev=dm-0 ino=266187 scontext=unconfined_u:system_r:rsync_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file
> type=SYSCALL msg=audit(1367932037.677:10326): arch=c000003e syscall=59 success=no exit=-13 a0=7fff1686fa27 a1=7fff1686fb60 a2=7fff16872d38 a3=7fff1686f860 items=0 ppid=2567 pid=2568 auid=0 uid=26 gid=26 euid=26 suid=26 fsuid=26 egid=26 sgid=26 fsgid=26 tty=(none) ses=57 comm="rsync" exe="/usr/bin/rsync" subj=unconfined_u:system_r:rsync_t:s0 key=(null)

> I found there is a boolean for postgres and rsync and tried
> setsebool -P postgresql_can_rsync 1
> but replication still failed to work. There must be more required related to ssh and/or rsync. Anyone solved this (without just disabling SELinux)?

Short term: use audit2allow to generate custom policy tweaks that
allow these specific operations.

Longer term: file a bug in Red Hat's bugzilla against
selinux-policy-targeted.  That boolean should allow this, one would
think, or else there should be another one that does.

            regards, tom lane
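The two AVC records in John's post and the audit2allow workflow Tom recommends both come down to the same triage step: read each denial's source type, target type, object class and permission set, and turn them into the minimal type-enforcement rules a custom module needs. The following Python script is an added example (not code from either poster, and not audit2allow itself) that performs that derivation on the audit records quoted in the thread, so the resulting rules can be compared with what `audit2allow -M` would generate and checked for scope before they are loaded. The module name `postgres_rsync_ssh` and the embedded audit text are assumptions; the audit text is the thread's own records with the spacing repaired, plus no other data.

```python
import re
from collections import OrderedDict

# Audit records quoted in the thread (spacing repaired); the SYSCALL records are kept
# so the parser is seen to ignore everything that is not an AVC denial.
AVC_SAMPLE = """\
type=AVC msg=audit(1367932037.676:10325): avc:  denied  { search } for  pid=2567 comm="rsync" name="pgsql" dev=dm-0 ino=664822 scontext=unconfined_u:system_r:rsync_t:s0 tcontext=system_u:object_r:postgresql_db_t:s0 tclass=dir
type=SYSCALL msg=audit(1367932037.676:10325): arch=c000003e syscall=2 success=no exit=-13 a0=1ebd330 a1=0 a2=e a3=4 items=0 ppid=2433 pid=2567 auid=0 uid=26 gid=26 euid=26 suid=26 fsuid=26 egid=26 sgid=26 fsgid=26 tty=(none) ses=57 comm="rsync" exe="/usr/bin/rsync" subj=unconfined_u:system_r:rsync_t:s0 key=(null)
type=AVC msg=audit(1367932037.677:10326): avc:  denied  { execute } for  pid=2568 comm="rsync" name="ssh" dev=dm-0 ino=266187 scontext=unconfined_u:system_r:rsync_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1367932037.677:10326): arch=c000003e syscall=59 success=no exit=-13 a0=7fff1686fa27 a1=7fff1686fb60 a2=7fff16872d38 a3=7fff1686f860 items=0 ppid=2567 pid=2568 auid=0 uid=26 gid=26 euid=26 suid=26 fsuid=26 egid=26 sgid=26 fsgid=26 tty=(none) ses=57 comm="rsync" exe="/usr/bin/rsync" subj=unconfined_u:system_r:rsync_t:s0 key=(null)
"""

# One AVC "denied" record: the braces hold one or more permissions, then the
# source context, target context and object class follow as key=value pairs.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)


def type_of(context):
    """Extract the type field from a user:role:type[:level] security context."""
    return context.split(':')[2]


def parse_denials(audit_text):
    """Return (source_type, target_type, tclass, perms) for every AVC denied record."""
    denials = []
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, CWD, PATH and other record types carry no denial
        perms = tuple(sorted(m.group('perms').split()))
        denials.append((type_of(m.group('scontext')),
                        type_of(m.group('tcontext')),
                        m.group('tclass'), perms))
    return denials


def allow_rules(denials):
    """Merge denials per (source, target, class) into minimal TE allow rules."""
    merged = OrderedDict()
    for src, tgt, cls, perms in denials:
        merged.setdefault((src, tgt, cls), set()).update(perms)
    rules = []
    for (src, tgt, cls), perms in merged.items():
        joined = ' '.join(sorted(perms))
        perm_text = joined if len(perms) == 1 else '{ %s }' % joined
        rules.append('allow %s %s:%s %s;' % (src, tgt, cls, perm_text))
    return rules


def source_domains(denials):
    """The set of domains the rules would widen; review this before loading a module."""
    return sorted({src for src, _, _, _ in denials})


def policy_module(name, denials, version='1.0'):
    """Render .te source in the same shape audit2allow -M produces (assumed module name)."""
    types = sorted({t for src, tgt, _, _ in denials for t in (src, tgt)})
    classes = OrderedDict()
    for _, _, cls, perms in denials:
        classes.setdefault(cls, set()).update(perms)
    lines = ['module %s %s;' % (name, version), '', 'require {']
    lines += ['\ttype %s;' % t for t in types]
    lines += ['\tclass %s { %s };' % (c, ' '.join(sorted(p))) for c, p in classes.items()]
    lines += ['}', ''] + allow_rules(denials)
    return '\n'.join(lines) + '\n'


if __name__ == '__main__':
    found = parse_denials(AVC_SAMPLE)
    print('source domains touched:', source_domains(found))
    print(policy_module('postgres_rsync_ssh', found))
```

On a live system the equivalent steps are `grep rsync /var/log/audit/audit.log | audit2allow -M postgres_rsync_ssh` followed by `semodule -i postgres_rsync_ssh.pp`; the value of rendering the rules first is the scope check in `source_domains`: both denials here come from `rsync_t` (postgres invoked rsync as uid 26, but the execution transitioned into the rsync domain), so the module only widens `rsync_t` to search `postgresql_db_t` directories and execute `ssh_exec_t`, and nothing is granted to `postgresql_t` itself. Whether the distribution policy already has such a rule behind the boolean, as Tom suggests it should, can be confirmed with `getsebool postgresql_can_rsync` and `sesearch -A -s rsync_t -t ssh_exec_t -c file` from the setools package before filing the bug.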