[DOCS] SELinux & Redhat

2005-05-06 Thread Jeff -
I think we should put some notes about SELinux causing issues with  
pgsql in the OS notes or FAQ.

Myself and a few coworkers just spent a few hours tracking down why  
pg_dump would produce no output.  We'd fire it up in strace and we'd  
see all the successful write calls, but not output.

We copied pg_dump from another machine and it worked fine, and that  
machine was running the same OS & pg rpms.

Eventually we found it was SELinux was preventing pg_dump from  
producing output.

Any thoughts?  I could write up a short blurb but I'm not terribly  
familiar with selinux. We just disabled the whole thing to make it work.

For the record:
CentOS 4.0
postgresql-8.0.2-1PGDG.i686.rpm (and associated) rpms from  
postgresql.org's ftp server

--
Jeff Trout <[EMAIL PROTECTED]>
http://www.jefftrout.com/
http://www.stuarthamm.net/


---(end of broadcast)---
TIP 8: explain analyze is your friend


Re: [DOCS] SELinux & Redhat

2005-05-06 Thread Bruce Momjian
Jeff - wrote:
> I think we should put some notes about SELinux causing issues with  
> pgsql in the OS notes or FAQ.
> 
> Myself and a few coworkers just spent a few hours tracking down why  
> pg_dump would produce no output.  We'd fire it up in strace and we'd  
> see all the successful write calls, but not output.
> 
> We copied pg_dump from another machine and it worked fine, and that  
> machine was running the same OS & pg rpms.
> 
> Eventually we found it was SELinux was preventing pg_dump from  
> producing output.
> 
> Any thoughts?  I could write up a short blurb but I'm not terribly  
> familiar with selinux. We just disabled the whole thing to make it work.
> 
> For the record:
> CentOS 4.0
> postgresql-8.0.2-1PGDG.i686.rpm (and associated) rpms from  
> postgresql.org's ftp server

A blurb about what?  No one else has reported such a problem so we have
no reason to assume it isn't a misconfiguration on your end.

-- 
  Bruce Momjian|  http://candle.pha.pa.us
  [email protected]   |  (610) 359-1001
  +  If your life is a hard drive, |  13 Roberts Road
  +  Christ can be your backup.|  Newtown Square, Pennsylvania 19073



Re: [DOCS] SELinux & Redhat

2005-05-06 Thread Peter Eisentraut
On Friday, 6 May 2005 16:55, Bruce Momjian wrote:
> A blurb about what?  No one else has reported such a problem so we have
> no reason to assume it isn't a misconfiguration on your end.

*Countless* people are constantly reporting problems that can be attributed to 
selinux.  We really need to write something about it.  Of course, most 
people, including myself, just solve these issues by turning off selinux, but 
I'd be interested in a more thorough treatment.

-- 
Peter Eisentraut
http://developer.postgresql.org/~petere/



Re: [DOCS] SELinux & Redhat

2005-05-06 Thread Bruce Momjian
Peter Eisentraut wrote:
> On Friday, 6 May 2005 16:55, Bruce Momjian wrote:
> > A blurb about what?  No one else has reported such a problem so we have
> > no reason to assume it isn't a misconfiguration on your end.
> 
> *Countless* people are constantly reporting problems that can be attributed
> to selinux.  We really need to write something about it.  Of course, most
> people, including myself, just solve these issues by turning off selinux, but
> I'd be interested in a more thorough treatment.

Who makes SE Linux?  Is it SuSE?  What would we say in an FAQ?  I would
rather report something to people using that OS.

-- 
  Bruce Momjian|  http://candle.pha.pa.us
  [email protected]   |  (610) 359-1001
  +  If your life is a hard drive, |  13 Roberts Road
  +  Christ can be your backup.|  Newtown Square, Pennsylvania 19073



Re: [DOCS] SELinux & Redhat

2005-05-06 Thread Tom Lane
Jeff - <[EMAIL PROTECTED]> writes:
> Eventually we found it was SELinux was preventing pg_dump from  
> producing output.

That's a new one on me.  Why was it doing that --- mislabeling on
the pg_dump executable, or what?

regards, tom lane



Re: [DOCS] SELinux & Redhat

2005-05-06 Thread Tom Lane
Peter Eisentraut <[EMAIL PROTECTED]> writes:
> On Friday, 6 May 2005 16:55, Bruce Momjian wrote:
>> A blurb about what?  No one else has reported such a problem so we have
>> no reason to assume it isn't a misconfiguration on your end.

> *Countless* people are constantly reporting problems that can be
> attributed to selinux.

That's mostly because selinux outright broke postgres in the initial
FC3 releases :-(.  I have to take most of the blame for this myself;
I didn't realize there might be problems, and didn't test adequately.
I believe the problems are all resolved in the latest Fedora RPMs,
though this pg_dump report may be something new.

regards, tom lane



Re: [DOCS] SELinux & Redhat

2005-05-06 Thread Devrim GUNDUZ
Hi,

On Fri, 6 May 2005, Tom Lane wrote:
> Jeff - <[EMAIL PROTECTED]> writes:
>> Eventually we found it was SELinux was preventing pg_dump from
>> producing output.
>
> That's a new one on me.  Why was it doing that --- mislabeling on
> the pg_dump executable, or what?

Looking at the strace report that someone has sent me before, there is a 
problem with devices:

===

fstat64(1, {st_mode=S_IFCHR|0666, st_rdev=makedev(1, 3), ...}) = 0
ioctl(1, SNDCTL_TMR_TIMEBASE or TCGETS, 0xbfe16a8c) = -1 ENOTTY (Inappropriate ioctl for device)
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7dee000
write(1, "pg_dump dumps a database as a te"..., 2367) = 2367
munmap(0xb7dee000, 4096) = 0
exit_group(0) = ?
===
This one is from a server with SELinux enabled. My server does not produce 
this, and uses virtual console (as expected?). However with SELinux 
enabled, it wants to use ramdisk (expected? I think no...)

Regards,
--
Devrim GUNDUZ 
devrim~gunduz.org, devrim~PostgreSQL.org, devrim.gunduz~linux.org.tr
http://www.tdmsoft.com.tr  http://www.gunduz.org
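
Added example (not part of Devrim's message or of PostgreSQL): on Linux, character device 1:3 is /dev/null, which is consistent with the write calls succeeding while nothing appears. The Python below decodes the st_rdev field of an strace fstat line and answers the same question for a live descriptor; the device table covers only a few well-known Linux nodes and the function names are this example's own.

```python
import os
import re
import stat

# Well-known Linux character-device numbers (major, minor).
KNOWN_CHAR_DEVS = {(1, 3): "/dev/null", (5, 0): "/dev/tty", (5, 1): "/dev/console"}

def name_char_dev(major, minor):
    """Map a character device number to the node it normally belongs to."""
    if (major, minor) in KNOWN_CHAR_DEVS:
        return KNOWN_CHAR_DEVS[(major, minor)]
    if major == 4 and minor < 64:
        return "/dev/tty%d (virtual console)" % minor
    if 136 <= major <= 143:
        return "/dev/pts/* (pseudo-terminal)"
    return "char device %d:%d" % (major, minor)

FSTAT_RE = re.compile(
    r"fstat(?:64)?\((\d+), \{st_mode=(S_IF\w+)\|[0-7]+"
    r"(?:, st_rdev=makedev\((\d+), (\d+)\))?")

def decode_strace_fstat(line):
    """Return (fd, description) for an strace fstat/fstat64 line, else None."""
    m = FSTAT_RE.search(line)
    if not m:
        return None
    fd, kind, major, minor = m.groups()
    if kind == "S_IFCHR" and major is not None:
        return int(fd), name_char_dev(int(major), int(minor))
    return int(fd), kind

def describe_fd(fd):
    """Ask the same question of a live descriptor in the current process."""
    st = os.fstat(fd)
    if stat.S_ISCHR(st.st_mode):
        return name_char_dev(os.major(st.st_rdev), os.minor(st.st_rdev))
    if stat.S_ISFIFO(st.st_mode):
        return "pipe"
    if stat.S_ISREG(st.st_mode):
        return "regular file"
    return "other"

# Line copied from the strace output in the message above.
TRACE = "fstat64(1, {st_mode=S_IFCHR|0666, st_rdev=makedev(1, 3), ...}) = 0"

if __name__ == "__main__":
    print(decode_strace_fstat(TRACE))
    print("this process, fd 1:", describe_fd(1))
```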


Re: [DOCS] SELinux & Redhat

2005-05-06 Thread Jeff -
On May 6, 2005, at 11:23 AM, Tom Lane wrote:
> Jeff - <[EMAIL PROTECTED]> writes:
>> Eventually we found it was SELinux was preventing pg_dump from
>> producing output.
>
> That's a new one on me.  Why was it doing that --- mislabeling on
> the pg_dump executable, or what?

We've got a stock CentOS 4 install
I nabbed the rpms I mentioned (8.0.2) (-rw-r--r--  1 root root 2955126 May  4 11:51 postgresql-8.0.2-1PGDG.i686.rpm & company)

from /etc/selinux/targeted/contexts/files/file_contexts I see
file_contexts:/usr/bin/pg_dump  --  system_u:object_r:postgresql_exec_t
file_contexts:/usr/bin/pg_dumpall  --  system_u:object_r:postgresql_exec_t

Syslog logs:
May  6 09:01:25 starslice kernel: audit(1115384485.559:0): avc:  denied  { execute_no_trans } for  pid=4485 exe=/bin/bash path=/usr/bin/pg_dump dev=sda3 ino=5272966 scontext=user_u:system_r:postgresql_t tcontext=system_u:object_r:postgresql_exec_t tclass=file

SELinux is on and under system-config-securitylevel's selinux tab,  
"SELinux Protection services" disable postgresql is not clicked.

When I run pg_dump w/these settings the following happens running  
pg_dump (.broken is the original file from the rpm)

bash-3.00$ /usr/bin/pg_dump.broken planet
bash-3.00$
Stracing it I get

write(1, "file_pkey; Type: CONSTRAINT; Sch"..., 4096) = 4096
write(1, "\n-- Name: userprofile_pkey; Type"..., 4096) = 4096
write(1, "_idx_1 OWNER TO planet;\n\n--\n-- N"..., 4096) = 4096
rt_sigaction(SIGPIPE, {SIG_IGN}, {SIG_DFL}, 8) = 0
send(3, "X\0\0\0\4", 5, 0)  = 5
rt_sigaction(SIGPIPE, {SIG_DFL}, {SIG_IGN}, 8) = 0
close(3)= 0
write(1, "me: top3_cmtcount_idx; Type: IND"..., 3992) = 3992
munmap(0xb7df, 4096)= 0
exit_group(0)   = ?
and what is interesting is it seems only sometimes things get logged  
to syslog about the failure.

If I copy the file (not mv) it will work (possibly due to xattrs  
being set?)

and if I disable pg checking, (or selinux all together) it works.
COOL, HUH?
--
Jeff Trout <[EMAIL PROTECTED]>
http://www.jefftrout.com/
http://www.stuarthamm.net/


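
Added example (not from Jeff's message or the PostgreSQL project): a Python parser for the kernel AVC denial format shown above, which extracts the source and target types and counts repeats per permission. The first sample line is the denial from the message, recording bash in the postgresql_t domain being refused execute_no_trans on /usr/bin/pg_dump (labelled postgresql_exec_t); the other two lines are constructed, and the function names are this example's own.

```python
import re
from collections import Counter

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)$")

def context_type(context):
    """SELinux contexts are user:role:type[:level]; return the type."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else "?"

def parse_avc(line):
    """Parse one kernel AVC denial into a dict, or return None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group(1).split()}
    for tok in m.group(2).split():
        key, sep, val = tok.partition("=")
        if sep:
            rec[key] = val
    rec["source_type"] = context_type(rec.get("scontext", ""))
    rec["target_type"] = context_type(rec.get("tcontext", ""))
    return rec

def summarize(lines):
    """Count logged denials per (source type, permission, target type, class)."""
    counts = Counter()
    for rec in filter(None, map(parse_avc, lines)):
        for perm in rec["perms"]:
            key = (rec["source_type"], perm, rec["target_type"], rec.get("tclass", "?"))
            counts[key] += 1
    return counts

TAIL = ("exe=/bin/bash path=/usr/bin/pg_dump dev=sda3 ino=5272966 "
        "scontext=user_u:system_r:postgresql_t "
        "tcontext=system_u:object_r:postgresql_exec_t tclass=file")
SAMPLE = [
    # Denial from the message above, rejoined onto one line.
    "May  6 09:01:25 starslice kernel: audit(1115384485.559:0): avc:  "
    "denied  { execute_no_trans } for  pid=4485 " + TAIL,
    # Constructed repeat (different time and pid) and an unrelated line.
    "May  6 09:03:10 starslice kernel: audit(1115384590.101:0): avc:  "
    "denied  { execute_no_trans } for  pid=4502 " + TAIL,
    "May  6 09:03:11 starslice sshd[4510]: session opened (constructed)",
]

if __name__ == "__main__":
    for key, n in summarize(SAMPLE).items():
        print(n, *key)
```

Because the message reports that denials are only sometimes logged, the counts are a lower bound on what was actually blocked.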


Re: [DOCS] SELinux & Redhat

2005-05-06 Thread Alvaro Herrera
On Fri, May 06, 2005 at 11:21:26AM -0400, Bruce Momjian wrote:
> Peter Eisentraut wrote:
> > On Friday, 6 May 2005 16:55, Bruce Momjian wrote:
> > > A blurb about what?  No one else has reported such a problem so we have
> > > no reason to assume it isn't a misconfiguration on your end.
> > 
> > *Countless* people are constantly reporting problems that can be attributed
> > to selinux.  We really need to write something about it.  Of course, most
> > people, including myself, just solve these issues by turning off selinux,
> > but I'd be interested in a more thorough treatment.
> 
> Who makes SE Linux?  Is it SuSE?  What would we say in an FAQ?  I would
> rather report something to people using that OS.

It's linux-distribution agnostic.  Redhat is including it on its
distributions, as is Debian.  Not sure about the others but that is
already a large population.  (Of course it's Linux only.)

-- 
Alvaro Herrera (<[EMAIL PROTECTED]>)
"Learn to be more ashamed before yourself than before others" (Democritus)



Re: [DOCS] SELinux & Redhat

2005-05-06 Thread Tom Lane
Jeff - <[EMAIL PROTECTED]> writes:
> When I run pg_dump w/these settings the following happens running  
> pg_dump (.broken is the original file from the rpm)

> bash-3.00$ /usr/bin/pg_dump.broken planet
> bash-3.00$

Does it work if you direct the output into a file, instead of letting it
come to your terminal (which seems a bit useless anyway)?

I've been bugging dwalsh about the fact that the selinux policy
disallows writes to /dev/tty to things it thinks are daemons;
that seems pretty stupid.  But pg_dump isn't a daemon so there's
no reason for it to be restricted this way anyway...

> and what is interesting is it seems only sometimes things get logged  
> to syslog about the failure.

Someone told me there's a rate limit on selinux complaints going to
syslog, to keep it from swamping your logs.  I suspect there are some
actual bugs there too, because I've noticed cases where an action was
blocked and there wasn't any log message, nor enough activity to
justify a rate limit.  Feel free to file a bugzilla report if you can
get a reproducible case.

regards, tom lane



Re: [DOCS] SELinux & Redhat

2005-05-06 Thread Jeff -
On May 6, 2005, at 11:57 AM, Tom Lane wrote:
>> bash-3.00$ /usr/bin/pg_dump.broken planet
>> bash-3.00$
>
> Does it work if you direct the output into a file, instead of letting it
> come to your terminal (which seems a bit useless anyway)?

Interesting.
Redirecting it worked, but I'm pretty sure at one point it didn't  
work. (I could also be smoking crack).

Hmm.. piping it into another app worked.
I only found out about this when another developer here tried to run  
it and got nothing.

In any case, it might be something useful to jot somewhere.
--
Jeff Trout <[EMAIL PROTECTED]>
http://www.jefftrout.com/
http://www.stuarthamm.net/

