John DeSoi <de...@pgedit.com> writes:
> Foiled again by SELinux permissions:
> type=AVC msg=audit(1367932037.676:10325): avc: denied { search } for
> pid=2567 comm="rsync" name="pgsql" dev=dm-0 ino=664822
> scontext=unconfined_u:system_r:rsync_t:s0
> tcontext=system_u:object_r:postgresql_db_t:s0 tclass=dir
> type=SYSCALL msg=audit(1367932037.676:10325): arch=c000003e syscall=2
> success=no exit=-13 a0=1ebd330 a1=0 a2=e a3=4 items=0 ppid=2433 pid=2567
> auid=0 uid=26 gid=26 euid=26 suid=26 fsuid=26 egid=26 sgid=26 fsgid=26
> tty=(none) ses=57 comm="rsync" exe="/usr/bin/rsync"
> subj=unconfined_u:system_r:rsync_t:s0 key=(null)
> type=AVC msg=audit(1367932037.677:10326): avc: denied { execute } for
> pid=2568 comm="rsync" name="ssh" dev=dm-0 ino=266187
> scontext=unconfined_u:system_r:rsync_t:s0
> tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file
> type=SYSCALL msg=audit(1367932037.677:10326): arch=c000003e syscall=59
> success=no exit=-13 a0=7fff1686fa27 a1=7fff1686fb60 a2=7fff16872d38
> a3=7fff1686f860 items=0 ppid=2567 pid=2568 auid=0 uid=26 gid=26 euid=26
> suid=26 fsuid=26 egid=26 sgid=26 fsgid=26 tty=(none) ses=57 comm="rsync"
> exe="/usr/bin/rsync" subj=unconfined_u:system_r:rsync_t:s0 key=(null)
> I found there is a boolean for postgres and rsync and tried
> setsebool -P postgresql_can_rsync 1
> but replication still failed to work. There must be more required related to
> ssh and/or rsync. Anyone solved this (without just disabling SELinux)?
Short term: use audit2allow to generate custom policy tweaks that
allow these specific operations.
Longer term: file a bug in Red Hat's bugzilla against
selinux-policy-targeted. That boolean should allow this, one would
think, or else there should be another one that does.
regards, tom lane
--
Sent via pgsql-general mailing list (pgsql-general@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general
