Trouble starting postgresql

Paul Howarth paul at city-fan.org
Tue May 30 16:10:14 UTC 2006 

Alan M. Evans wrote:
> On Sat, 2006-05-27 at 01:34, Paul Howarth wrote:
>> On Fri, 2006-05-26 at 15:24 -0700, Alan M. Evans wrote:
>>> On Fri, 2006-05-26 at 02:28, Paul Howarth wrote:
>>>> Alan M. Evans wrote:
>>>>> On Wed, 2006-05-24 at 02:31, Paul Howarth wrote:
>>>>>> Alan M. Evans wrote:
>>>>>>> On Tue, 2006-05-23 at 12:05, Andreas Roth wrote:
>>>>>>>> i had the same problem on my FC4 system. The problem is caused by SELinux. You 
>>>>>>>> can just disable SELinux on the whole system or disable SELinux for 
>>>>>>>> postgresql. 
>>>>>>>> The proper way would be to set the correct security contexts to 
>>>>>>>> the /home/pgsql directory (using ls -Z and chcon). I haven't tried this, but 
>>>>>>>> AFAIK it should work.
>>>>>>> Thanks. Disabling SELinux for postgresql allowed service startup.
>>>>>> I hope you used permissive mode rather than fully disabling SELinux. 
>>>>>> Otherwise, you'll be in for a long wait whilst your whole system is 
>>>>>> relabelled if you re-enabled SELinux.
>>>>> Well, disabled only for postgresql, as per the checkbox in
>>>>> system-config-securitylevel. I don't think this will be a problem at
>>>>> present -- there's nothing on the system worth compromising. And the
>>>>> firewall should prevent the outside world accessing the database
>>>>> directly. Nothing on the webserver exposes the database yet.
>>>>>
>>>>> This thread is about me trying to understand and setup the security
>>>>> properly so that the server can one day safely face the world.
>>>>>
>>>>>>> Although I feel a bit creepy about disabling security in order to get
>>>>>>> something working. Kind of like leaving one particular door unlocked so
>>>>>>> the janitor can get in...
>>>>>> Yes, I agree.
>>>>>>
>>>>>>> I jacked around with the file security contexts with no luck. I hold
>>>>>>> onto the hope that this can be made to work: SELinux and postgresql
>>>>>>> living in harmony. Does anyone have a pointer to a crash course in
>>>>>>> configuring SELinux security contexts?
>>>>>> Compare the file contexts of the default location for the files with the 
>>>>>> file contexts you have in your new location.
>>>>>>
>>>>>> $ ls -lZa /home/pgsql
>>>>>>
>>>>>> Repeat for the default locations of everything you moved. Post the 
>>>>>> output you get.
>>>>> [root at citadel ~]# ls -lZa /home/pgsql
>>>>> drwx--x--x  postgres postgres system_u:object_r:user_home_dir_t .
>>>>> drwxr-xr-x  root     root     system_u:object_r:home_root_t    ..
>>>>> drwx------  postgres postgres system_u:object_r:postgresql_db_t data
>>>>> -rw-------  postgres postgres system_u:object_r:postgresql_log_t
>>>>> pgstartup.log
>>>>> [root at citadel ~]# ls -lZa /var/lib/pgsql
>>>>> drwx------  postgres postgres system_u:object_r:var_lib_t      .
>>>>> drwxr-xr-x  root     root     system_u:object_r:var_lib_t      ..
>>>>> drwx------  postgres postgres system_u:object_r:var_lib_t      backups
>>>>> drwx------  postgres postgres system_u:object_r:postgresql_db_t data
>>>>> -rw-------  postgres postgres system_u:object_r:postgresql_log_t
>>>>> pgstartup.log
>>>>> [root at citadel ~]#
...
>>>> What I suggest you do is:
>>>>
>>>> 1. Re-enable SELinux for postgresql.
>>>> 2. Put SELinux in permissive mode rather than enforcing.
>>>> 3. Fix all of the file context labels so that they're appropriate (I 
>>>> think this may already be the case judging from what you show above)
>>>> 4. Make a note of the time.
>>>> 5. Start postgresql. It should work because SELinux is in permissive 
>>>> mode. Do some example work typical of what you'd be using the database 
>>>> for. Then stop postgresql.
>>>> 6. There will be a bunch of "avc:  denied" messages in /var/log/messages 
>>>> (or /var/log/audit/audit.log if auditd is running). Post the ones from 
>>>> after the time you noted in step 4. From that it should be possible to 
>>>> make a local policy module that will fix the SELinux problems and enable 
>>>> you to run in enforcing mode again.
>>> Setting SELinux into Permissive mode produces no "avc: anything"
>>> messages in /var/log/messages. (Audit is not installed on my server.)
>>> Switching back to Enforcing mode produces a bunch of audit messages, but
>>> none while I'm starting, stopping, or using the database.
>>>
>>> In Enforcing mode, failed attempts to start postgresql (because
>>> postgresql is not excluded from SELinux policy) also produce no audit
>>> messages.
>> This is very strange. Some (expected and normally harmless) denials are
>> "dontaudit-ed" in policy so they don't fill up logs. These can be logged
>> if you do:
>>
>> # emodule -b /usr/share/selinux/targeted/enableaudit.pp
> 
> Ok. Did this. SELinux set to Enforcing, not excluding postgresql. Tried
> starting postgresql, got one message:
> 
> May 30 08:07:51 citadel kernel: audit(1149001671.780:351): avc:  denied 
> { search } for  pid=2403 comm="postmaster" name="/" dev=hda3 ino=2
> scontext=root:system_r:postgresql_t:s0
> tcontext=system_u:object_r:home_root_t:s0 tclass=dir

I think this is postgresql denied being able to read directory /home 
(/dev/hda3?). This one is to be expected really, and will need to be 
allowed for using a local policy tweak.

> I get these again after setting policy to Permissive and attempting
> (successfully) to start the service:
> 
> May 30 08:13:52 citadel kernel: audit(1149002032.907:352): avc: 
> granted  { setenforce } for  pid=2441 comm="setenforce"
> scontext=system_u:system_r:unconfined_t:s0
> tcontext=system_u:object_r:security_t:s0 tclass=security

That's you being granted permission to set permissive mode.

> May 30 08:14:01 citadel kernel: audit(1149002041.671:353): avc:  denied 
> { search } for  pid=2475 comm="postmaster" name="/" dev=hda3 ino=2
> scontext=root:system_r:postgresql_t:s0
> tcontext=system_u:object_r:home_root_t:s0 tclass=dir

That's the same one as above.

> May 30 08:14:01 citadel kernel: audit(1149002041.671:354): avc:  denied 
> { search } for  pid=2475 comm="postmaster" name="pgsql" dev=hda3
> ino=3568225 scontext=root:system_r:postgresql_t:s0
> tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir

That's postgresql being denied access to read directory /home/pgsql, 
which should probably have context var_lib_t rather than user_home_dir_t 
in order to line up with the original location.

> May 30 08:14:02 citadel kernel: audit(1149002042.224:355): avc:  denied 
> { search } for  pid=2475 comm="postmaster" name="/" dev=hda3 ino=2
> scontext=root:system_r:postgresql_t:s0
> tcontext=system_u:object_r:home_root_t:s0 tclass=dir

That's the same as the first one again.

If that's all you have, it shouldn't be difficult to fix.

Set yourself up for making local policy modules:

# yum install checkpolicy
# cd /root
# mkdir selinux.local
# cd selinux.local
# chcon -R -t usr_t .
# ln -s /usr/share/selinux/devel/Makefile .

Make a local policy module for this issue, in this directory:

1. Create a file postgresql.te with this content:

module postgresql 0.1;

require {
         class dir search;
         class lnk_file read;

         type home_root_t;
         type postgresql_t;
         type var_lib_t;
};

# Allow postgresql to read /var/lib/pgsql -> /home/pgsql symlink
# if present
allow postgresql_t var_lib_t:lnk_file read;

# Allow postgresql to search directory /home
allow postgresql_t home_root_t:dir search;

2. Create a file postgresql.fc with this content:

/home/pgsql                     -d 
gen_context(system_u:object_r:var_lib_t,s0)
/home/pgsql/data(/.*)? 
gen_context(system_u:object_r:postgresql_db_t,s0)
/home/pgsql/pgstartup.log       -- 
gen_context(system_u:object_r:postgresql_log_t,s0)

(that's three long lines)

3. Create an empty postgresql.if file:

# touch postgresql.if

4. Build the policy module

# make

Install your new policy module:

# semodule -i postgresql.pp

Fix file contexts:

# restorecon -Rv /home/pgsql

Hopefully that should get you going in enforcing mode.

Paul.

More information about the fedora-list mailing list