#1 rhancock (Registered User), 6th July 2008, 02:41 AM
Postgresql: SELinux is preventing postmaster (postgresql_t) "read" to ./PG

In Fedora 9 I installed the postgresql server package. When I attempt to start the service with:
/sbin/service postgresql start

I receive the security alert below. I tried the restore command and the error persists. I looked at the link on how to create a policy and could not see how to get it to work from the instructions. Any suggestions?


Summary:

SELinux is preventing postmaster (postgresql_t) "read" to ./PG_VERSION
(var_lib_t).

Detailed Description:

SELinux denied access requested by postmaster. It is not expected that this
access is required by postmaster and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for ./PG_VERSION,

restorecon -v './PG_VERSION'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinu...fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context unconfined_u:system_r:postgresql_t:s0
Target Context unconfined_u:object_r:var_lib_t:s0
Target Objects ./PG_VERSION [ file ]
Source postmaster
Source Path /usr/bin/postgres
Port <Unknown>
Host localhost.localdomain
Source RPM Packages postgresql-server-8.3.3-2.fc9
Target RPM Packages
Policy RPM selinux-policy-3.3.1-74.fc9
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall_file
Host Name localhost.localdomain
Platform Linux localhost.localdomain 2.6.25.9-76.fc9.x86_64
#1 SMP Fri Jun 27 15:58:30 EDT 2008 x86_64 x86_64
Alert Count 3
First Seen Sat 05 Jul 2008 09:15:23 PM EDT
Last Seen Sat 05 Jul 2008 09:34:25 PM EDT
Local ID 372e220c-cfdc-459e-8a18-e3d9cf28de31
Line Numbers

Raw Audit Messages

host=localhost.localdomain type=AVC msg=audit(1215308065.405:56): avc: denied { read } for pid=4251 comm="postmaster" name="PG_VERSION" dev=dm-0 ino=17547287 scontext=unconfined_u:system_r:postgresql_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file

host=localhost.localdomain type=SYSCALL msg=audit(1215308065.405:56): arch=c000003e syscall=2 success=no exit=-13 a0=7fffde1638e0 a1=0 a2=1b6 a3=7f07d614c7a0 items=0 ppid=1 pid=4251 auid=500 uid=26 gid=26 euid=26 suid=26 fsuid=26 egid=26 sgid=26 fsgid=26 tty=(none) ses=1 comm="postmaster" exe="/usr/bin/postgres" subj=unconfined_u:system_r:postgresql_t:s0 key=(null)

#2 domg472 (SELinux Contributor), 6th July 2008, 11:21 AM
Where is that PG_VERSION file located exactly? (find / -inum 17547287)
The type of that file is wrong.

Code:
sh-3.2# ls -alZ /var/lib/sepgsql/data/PG_VERSION
-rw-------  sepgsql sepgsql domg472:object_r:postgresql_db_t /var/lib/sepgsql/data/PG_VERSION
Code:
sh-3.2# /usr/sbin/semanage fcontext -l | grep postgresql_db_t
/var/lib/sepgsql(/.*)?                             all files          system_u:object_r:postgresql_db_t:s0 
/var/lib/postgres(ql)?(/.*)?                       all files          system_u:object_r:postgresql_db_t:s0 
/var/lib/pgsql/data(/.*)?                          all files          system_u:object_r:postgresql_db_t:s0 
/usr/share/jonas/pgsql(/.*)?                       all files          system_u:object_r:postgresql_db_t:s0 
/usr/lib/pgsql/test/regres(/.*)?                   all files          system_u:object_r:postgresql_db_t:s0
Try to restore the context of your PG_VERSION file ( /sbin/restorecon -R -v /path/to/PG_VERSION )

( I am using sepostgresql on f9 and everything appears fine here )

Last edited by domg472; 6th July 2008 at 11:27 AM.
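
The check described in post #2, as an added example that is not part of the thread or any poster's code: it parses the AVC record from post #1, pulls out the inode and the source and target types, and tests a candidate path against the `postgresql_db_t` rules listed by `semanage fcontext -l` above. The path `/var/lib/pgsql/data/PG_VERSION` is an assumption (the thread never states where the file lives), the function names are hypothetical, and only the five rules shown in the post are consulted, whereas a real policy chooses among many more.

```python
import re

# Raw AVC record from post #1 (host= prefix dropped for brevity).
AVC = ('type=AVC msg=audit(1215308065.405:56): avc: denied { read } for pid=4251 '
       'comm="postmaster" name="PG_VERSION" dev=dm-0 ino=17547287 '
       'scontext=unconfined_u:system_r:postgresql_t:s0 '
       'tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file')

# postgresql_db_t rules exactly as listed in post #2.
FCONTEXT_RULES = [
    (r'/var/lib/sepgsql(/.*)?', 'postgresql_db_t'),
    (r'/var/lib/postgres(ql)?(/.*)?', 'postgresql_db_t'),
    (r'/var/lib/pgsql/data(/.*)?', 'postgresql_db_t'),
    (r'/usr/share/jonas/pgsql(/.*)?', 'postgresql_db_t'),
    (r'/usr/lib/pgsql/test/regres(/.*)?', 'postgresql_db_t'),
]

def parse_avc(line):
    """Split an AVC denial into its permission list and key=value fields."""
    perms = re.search(r'denied\s+\{([^}]*)\}', line)
    fields = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}
    fields['perms'] = perms.group(1).split() if perms else []
    return fields

def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(':')
    if len(parts) < 3:
        raise ValueError('malformed context: %r' % context)
    return parts[2]

def expected_type(path, rules=FCONTEXT_RULES):
    """Type the listed rules assign to path; a pattern must match the whole path."""
    for pattern, setype in rules:
        if re.fullmatch(pattern, path):
            return setype
    return None  # no listed rule covers this path, so restorecon cannot fix it

def diagnose(avc_line, path):
    """Compare the denied object's label with what the rules expect for path."""
    rec = parse_avc(avc_line)
    actual, wanted = context_type(rec['tcontext']), expected_type(path)
    return {'inode': int(rec['ino']), 'perms': rec['perms'],
            'source_type': context_type(rec['scontext']),
            'actual_type': actual, 'expected_type': wanted,
            'mislabeled': wanted is not None and actual != wanted}

if __name__ == '__main__':
    print(diagnose(AVC, '/var/lib/pgsql/data/PG_VERSION'))  # path is an assumption
```

When `expected_type` returns `None`, the data directory sits outside every listed rule, so `restorecon` has nothing to restore it to and a matching rule would first have to be added with `semanage fcontext -a`.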

#3 rhancock (Registered User), 6th July 2008, 08:29 PM
Quote:
Originally Posted by domg472
Where is that PG_VERSION file located exactly? (find / -inum 17547287)
( I am using sepostgresql on f9 and everything appears fine here )
I tried the restore process and I still received the same error. I downloaded the source, built it, and registered it as a service and everything is fine.

Thanks for the response.

#4 gngotho (Registered User), 17th February 2012, 08:53 AM
Re: Postgresql: SELinux is preventing postmaster (postgresql_t) "read" to ./PG

I am having trouble using sepostgresql.

What I want is to set control on update/delete of some columns on specific tables on my database.

I have configured sepostgres and tried to test by creating a test db 'testdb', but when I try to execute

SELECT datname, security_context FROM pg_database WHERE datname = 'testdb';

I get the following output:

ERROR: column "security_context" does not exist
LINE 1: SELECT datname, security_context FROM pg_database

Someone help me identify what I am not doing right. Thank you.