CentOS - Mar 2005 - PostgreSQL & SELinux problem

Hi.

I just installed Centos 4.  I''m pretty sure that I chose to have it
install postgresql but when the system came up, it wasn''t there.  No
worries.  I installed it from the net with ''yum''. 
Unfortunately, when I
started it up and it tried to init the database, I got a bunch of
SELinux errors:

Mar  3 13:24:22 dirty kernel: audit(1109874262.006:0): avc:  denied  {
read } for  pid=3138 exe=/usr/bin/postgres path=/tmp/sh-thd-1109856265
(deleted) dev=md2 ino=377572 scontext=root:system_r:postgresql_t
tcontext=root:object_r:tmp_t tclass=file
Mar  3 13:24:22 dirty kernel: audit(1109874262.195:0): avc:  denied  {
read } for  pid=3139 exe=/usr/bin/postgres path=/tmp/sh-thd-1109873603
(deleted) dev=md2 ino=377572 scontext=root:system_r:postgresql_t
tcontext=root:object_r:tmp_t tclass=file
Mar  3 13:24:22 dirty kernel: audit(1109874262.218:0): avc:  denied  {
read } for  pid=3140 exe=/usr/bin/postgres path=/tmp/sh-thd-1109855677
(deleted) dev=md2 ino=377572 scontext=root:system_r:postgresql_t
tcontext=root:object_r:tmp_t tclass=file
Mar  3 13:24:22 dirty kernel: audit(1109874262.250:0): avc:  denied  {
read } for  pid=3141 exe=/usr/bin/postgres path=/tmp/sh-thd-1109872502
(deleted) dev=md2 ino=377572 scontext=root:system_r:postgresql_t
tcontext=root:object_r:tmp_t tclass=file
Mar  3 13:24:25 dirty postgresql: Starting postgresql service:  succeeded

I was able to get it working by doing:

service postgresql stop
rm -rf ~postgres/data
setenforce 0
service postgresql start
setenforce 1

I haven''t tested it very well but it seems to have worked so far.

-Vic

Vic Ricker wrote:
> Hi.
>
> I just installed Centos 4.  I''m pretty sure that I chose to have
it
> install postgresql but when the system came up, it wasn''t there. 
No
> worries.  I installed it from the net with ''yum''. 
Unfortunately, when
> I started it up and it tried to init the database, I got a bunch of
> SELinux errors:
>
> Mar  3 13:24:22 dirty kernel: audit(1109874262.006:0): avc:  denied  {
> read } for  pid=3138 exe=/usr/bin/postgres path=/tmp/sh-thd-1109856265
> (deleted) dev=md2 ino=377572 scontext=root:system_r:postgresql_t
> tcontext=root:object_r:tmp_t tclass=file
> Mar  3 13:24:22 dirty kernel: audit(1109874262.195:0): avc:  denied  {
> read } for  pid=3139 exe=/usr/bin/postgres path=/tmp/sh-thd-1109873603
> (deleted) dev=md2 ino=377572 scontext=root:system_r:postgresql_t
> tcontext=root:object_r:tmp_t tclass=file
> Mar  3 13:24:22 dirty kernel: audit(1109874262.218:0): avc:  denied  {
> read } for  pid=3140 exe=/usr/bin/postgres path=/tmp/sh-thd-1109855677
> (deleted) dev=md2 ino=377572 scontext=root:system_r:postgresql_t
> tcontext=root:object_r:tmp_t tclass=file
> Mar  3 13:24:22 dirty kernel: audit(1109874262.250:0): avc:  denied  {
> read } for  pid=3141 exe=/usr/bin/postgres path=/tmp/sh-thd-1109872502
> (deleted) dev=md2 ino=377572 scontext=root:system_r:postgresql_t
> tcontext=root:object_r:tmp_t tclass=file
> Mar  3 13:24:25 dirty postgresql: Starting postgresql service:  succeeded
Did you do make relabel?

I''m not sure it will work after that. I didn''t get the chance
still to
install CEntOS 4 so I''m talking about previous experience with SELinux.

bye,
Ago

Vic Ricker wrote:
> Hi.
>
> I just installed Centos 4.  I''m pretty sure that I chose to have
it
> install postgresql but when the system came up, it wasn''t there. 
No
> worries.  I installed it from the net with ''yum''. 
Unfortunately, when I
> started it up and it tried to init the database, I got a bunch of
> SELinux errors:
>
[snip]
>
> I was able to get it working by doing:
>
> service postgresql stop
> rm -rf ~postgres/data
> setenforce 0
> service postgresql start
> setenforce 1
>
> I haven''t tested it very well but it seems to have worked so far.
>
> -Vic
Hi Vic.

I was successful in creating databases once I used your instructions.  I
have another issue, however... the "createlang" command fails
silently.
Typing the "createlang" command, in any permutation, results in a
silent
return to the command line.

Would you mind trying createlang and reporting back whether or not you
have any success with it?  Maybe something like:  createlang -l template1

I''d be curious if even  createlang --help produces any output.

Thanks!

Barry

hello,
> instructions.  I have another issue, however... the "createlang"
> command fails silently.
silently? Don''t you get some SELinux errors in the logs? I''m
sure you
should.

bye,
Ago

Deim ?goston wrote:
> hello,
>
>> instructions.  I have another issue, however... the
"createlang"
>> command fails silently.
>
>
> silently? Don''t you get some SELinux errors in the logs?
I''m sure you
> should.
>
> bye,
> Ago

If it''s logging errors then I can''t find where the error is
being
logged.  I checked both /var/log/messaegs and dmesg but neither place
provided me any kind of messages.

Any suggestions where else I may find this?

BK

Deim ?goston wrote:
> Did you do make relabel?
>
> I''m not sure it will work after that. I didn''t get the
chance still to
> install CEntOS 4 so I''m talking about previous experience with
SELinux.
I have to admit, I know almost nothing about SELinux.  :-)  I am just
learning it now.  Redhat has a nice doc at:
http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/selinux-guide/index.html
for anyone that''s interested.

I would have thought that the default policy would be set such that the
init script for postgresql could initialize the database.  Has anyone
had any better experience installing it?


Barry L. Kline wrote:
> Would you mind trying createlang and reporting back whether or not you
> have any success with it?  Maybe something like:  createlang -l template1
>
> I''d be curious if even  createlang --help produces any output.
createlang doesn''t seem to work.  I get no output, nothing in
/var/log/messages either.

I will mess around with it and let you know if I find anything.

-Vic

Vic Ricker wrote:
> Deim ?goston wrote:
>
>> Did you do make relabel?
>>
>> I''m not sure it will work after that. I didn''t get
the chance still
>> to install CEntOS 4 so I''m talking about previous experience
with
>> SELinux.
>
>
> I have to admit, I know almost nothing about SELinux.  :-)  I am just
> learning it now.  Redhat has a nice doc at:
>
http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/selinux-guide/index.html
> for anyone that''s interested.
>
> I would have thought that the default policy would be set such that
> the init script for postgresql could initialize the database.  Has
> anyone had any better experience installing it?
>
>
Unless you want/need SELinux, there is an option to disable it during
the install.  Try doing that and see if your application "wakes up."

Cheers,


--
Chris Mauritz
chrism@imntv.com
VP & chief Technology Officer
Independent Music Network, Inc.
http://www.imntv.com

Vic Ricker wrote:
  I''d be curious if even  createlang --help produces any
output.
>
>
> createlang doesn''t seem to work.  I get no output, nothing in
> /var/log/messages either.
>
> I will mess around with it and let you know if I find anything.
>
> -Vic
>
>
Well, misery loves company, so I''m glad that I''m not the only
one having
this issue.  I''ll keep working on it and report back if I''m
successful.

BK

Chris Mauritz wrote:
> Vic Ricker wrote:
>
> Unless you want/need SELinux, there is an option to disable it during
> the install.  Try doing that and see if your application "wakes
up."
>
I''m in the "want" group, so that I get some experience
working with it.
  I suspect that I can turn if off even after installation (I''m surely
not going to reinstall all of this to try it otherwise) but I''m not
enthusiastic to try to do it.

Perhaps I''ll try loading it in a VMWare session and see how I make out.

BK

Barry L. Kline wrote:
> Well, misery loves company, so I''m glad that I''m not the
only one
> having this issue.  I''ll keep working on it and report back if
I''m
> successful.
>
As I will have to do a fresh install with SELinux enabled and there will
be postgres among the required packages I will do a test install soon.
I will report back too.
AFAIK every log should go into messages file. And it works on other
machines (Gentoo). Maybe there''s a bug in the installed policy. Or you
have to change roles before create. But rpm should have a special role
which enables the required steps.

bye,
Ago
> BK
> _______________________________________________
> CentOS mailing list
> CentOS@caosity.org
> http://lists.caosity.org/mailman/listinfo/centos
>

Barry L. Kline wrote:
> Chris Mauritz wrote:
>
>> Vic Ricker wrote:
>> Unless you want/need SELinux, there is an option to disable it during
>> the install.  Try doing that and see if your application "wakes
up."
>>
>
> I''m in the "want" group, so that I get some experience
working with
> it.  I suspect that I can turn if off even after installation (I''m
> surely not going to reinstall all of this to try it otherwise) but
I''m
> not enthusiastic to try to do it.
>
> Perhaps I''ll try loading it in a VMWare session and see how I make
out.
>
Careful not to try to install the VMWare tools on any of the RHEL 4
clones if you''re using the Workstation 5 Beta.  It''ll give you
the
"black screen of death".  It''s on their "known
issues" page, and I ran
into it the hard way. :)

Ben

Benjamin J. Weiss wrote:
> Barry L. Kline wrote:
>
> Careful not to try to install the VMWare tools on any of the RHEL 4
> clones if you''re using the Workstation 5 Beta.  It''ll
give you the
> "black screen of death".  It''s on their "known
issues" page, and I ran
> into it the hard way. :)
>
Thanks for the heads-up.  I''ll use VMWare version 4.x then.

Barry