----- Original Message -----
> From: "Daniel J Walsh" <dwa...@redhat.com>
> To: "Eli Mesika" <emes...@redhat.com>
> Cc: "Yair Zaslavsky" <yzasl...@redhat.com>, "Barak Azulay" <bazu...@redhat.com>, "engine-devel" <engine-devel@ovirt.org>
> Sent: Tuesday, June 18, 2013 12:15:09 AM
> Subject: Re: SELinux problem
>
> On 06/17/2013 03:17 PM, Eli Mesika wrote:
> >
> > ----- Original Message -----
> >> From: "Daniel J Walsh" <dwa...@redhat.com>
> >> To: "Eli Mesika" <emes...@redhat.com>
> >> Cc: "Yair Zaslavsky" <yzasl...@redhat.com>, "Barak Azulay" <bazu...@redhat.com>, "engine-devel" <engine-devel@ovirt.org>
> >> Sent: Monday, June 17, 2013 6:51:23 PM
> >> Subject: Re: SELinux problem
> >>
> > On 06/17/2013 08:49 AM, Eli Mesika wrote:
> >>>> Hi
> >>>>
> >>>> I am using SELinux Enforcing mode on Fedora 18
> >>>> (selinux-policy-3.11.1-97.fc18.noarch)
> >>>>
> >>>> As part of our Postgres DB restore we have to
> >>>>
> >>>> 1) Open a postgres backup packed as a TAR file
> >>>> 2) Restore the database from those files after unpacking with tar xvf.
> >>>>
> >>>> I have found that I get a Permission Denied when trying to restore
> >>>> the database data files. After investigation, I had found that
> >>>> running: setenforce 0 the restore completes with no errors. Further
> >>>> investigation shows that when I am extracting the TAR file, I have
> >>>> to set the same SELinux context as in /var/lib/pgsql/data directory,
> >>>> i.e.
> >>>> unconfined_u:object_r:postgresql_db_t:s0
> >>>>
> >>>> I had tried to do that with chcon:
> >>>>
> >>>> chcon -u unconfined_u -r object_r -t postgresql_db_t <file>
> >>>>
> >>>> This failed (also when running with root privileges) and
> >>>> audit2why --all shows a lot of those errors:
> >>>>
> >>>> type=AVC msg=audit(1371464569.023:671): avc: denied { relabelto }
> >>>> for pid=18144 comm="chcon" name="toc.dat" dev="tmpfs" ino=117639
> >>>> scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> >>>> tcontext=system_u:system_r:postgresql_t:s0 tclass=file
> >>>>
> >>>> Was caused by: Missing type enforcement (TE) allow rule.
> >>>>
> >>>> You can use audit2allow to generate a loadable module to allow this
> >>>> access.
> >>>>
> >>>> After googling around that, I found an article by you:
> >>>>
> >>>> https://docs.fedoraproject.org/en-US/Fedora/11/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow.html
> >>>>
> >>>> It says: "Missing Type Enforcement rules are usually caused by bugs in
> >>>> SELinux policy, and should be reported in Red Hat Bugzilla. For
> >>>> Fedora, create bugs against the Fedora product, and select the
> >>>> selinux-policy component. Include the output of the audit2allow -w -a
> >>>> and audit2allow -a commands in such bug reports. "
> >>>>
> >>>> Should I open a BZ on that?
> >>>>
> >>>> The TAR I am using is attached.
> >>>> (I am opening it with tar xvf and
> >>>> trying to change the context to desired context as explained above)
> >>>>
> >>>> Thanks
> >>>>
> >>>> Eli
> >>>>
> > Just untar the files and run restorecon -R on them
> >
> > restorecon -R PATH
> >
> >> Thanks for the quick response. I had tried it and nothing happened, same
> >> results. So I had tried with -RVVF flags and got the following
> >
> >> restorecon: Warning no default label for
> >> /tmp/db/00579652_221211073824_pgdump.tar_dir/3622.dat
> >
> >> (this appears on each file of the extracted files)
> >
> >> So, it seems that the pg_dump did not set the correct SELinux defaults on
> >> those files when packaging them, right?
> >
> >> Any workaround to get out of that...
> >
> >> Thanks again
> >
> >> Eli
> >
> > Should put the default labels on the content.
> >>
>
> Why are you storing your postgresql database on a /tmp directory?
>
> If you put it in the normal places, it would have worked.

The reason is that this is a backup file from which I have to restore the database.

>
> If you must have it there then you need to label it with
>
> chcon -Rt postgresql_db_t /tmp/db

That worked !!!, thank you very much for your kind help.

>
> Will change the label to be useable by postgresql.
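
Added example, not part of the original thread: a small Python parser for the AVC record quoted above. It splits the source and target contexts and reports that the denied relabelto asked for system_u:system_r:postgresql_t:s0 rather than the postgresql_db_t file type named in the chcon command; the function names and the wanted_type parameter are assumptions of this sketch.

```python
import re

# AVC record quoted in the thread above, rejoined onto one line.
AVC_LINE = (
    'type=AVC msg=audit(1371464569.023:671): avc: denied { relabelto } '
    'for pid=18144 comm="chcon" name="toc.dat" dev="tmpfs" ino=117639 '
    'scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
    'tcontext=system_u:system_r:postgresql_t:s0 tclass=file'
)

AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)'
)


def split_context(ctx):
    """Split user:role:type:level; the MLS level may itself contain ':'."""
    user, role, type_, level = ctx.split(':', 3)
    return {'user': user, 'role': role, 'type': type_, 'level': level}


def parse_avc(line):
    """Return the fields of one AVC record, or None if the line is not one."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    pairs = re.findall(r'(\w+)=("[^"]*"|\S+)', m.group('rest'))
    fields = {key: value.strip('"') for key, value in pairs}
    fields['result'] = m.group('result')
    fields['perms'] = m.group('perms').split()
    for key in ('scontext', 'tcontext'):
        if key in fields:
            fields[key] = split_context(fields[key])
    return fields


def relabel_findings(avc, wanted_type):
    """Compare a denied relabelto with the file type the admin meant to apply."""
    if avc['result'] != 'denied' or 'relabelto' not in avc['perms']:
        return []
    new = avc['tcontext']  # for relabelto, tcontext is the label being requested
    findings = []
    if new['type'] != wanted_type:
        findings.append(f"requested type {new['type']}, intended {wanted_type}")
    if new['role'] != 'object_r':  # files conventionally carry the object_r role
        findings.append(f"role {new['role']} is not object_r")
    return findings
```

Calling relabel_findings(parse_avc(AVC_LINE), 'postgresql_db_t') returns both findings for the record from the thread.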