Bug 444540 - sec-policy/selinux-postgresql-2.20120725-r8: unable to correctly start (deny in init script)
Status: VERIFIED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: SELinux
Hardware: All Linux
Importance: Normal normal
Assignee: Sven Vermeulen (RETIRED)
Whiteboard: sec-policy r9
Reported: 2012-11-24 09:56 UTC by Vincent Brillault
Modified: 2013-01-19 21:16 UTC
Description Vincent Brillault 2012-11-24 09:56:13 UTC
When I updated to dev-db/postgresql-server-9.2.1 I discovered that I wasn't able to start the postgresql server correctly. In fact it starts, but openrc still thinks it fails:

root@lerya ~ # /etc/init.d/postgresql-9.2 start
Authenticating root.
Yubikey for root:
 * Starting PostgreSQL ...
pg_ctl: could not start server
Examine the log output.
 * start-stop-daemon: failed to start `/usr/lib/postgresql-9.2/bin/pg_ctl'
 * Check the log for a possible explanation of the above error.
 *     /var/lib/postgresql/9.2/data/postmaster.log  [ !! ]
 * ERROR: postgresql-9.2 failed to start
----

The postmaster.log is all green but /var/log/avc.log is not:
Nov 24 10:41:52 lerya kernel: [1628900.540506] type=1400 audit(1353750112.021:10143): avc:  denied  { connectto } for  pid=20481 comm="pg_ctl" path="/run/postgresql/.s.PGSQL.5432" ipaddr=... scontext=system_u:system_r:postgresql_t tcontext=system_u:system_r:postgresql_t tclass=unix_stream_socket
Nov 24 10:41:53 lerya kernel: [1628901.541540] type=1400 audit(1353750113.022:10144): avc:  denied  { connectto } for  pid=20481 comm="pg_ctl" path="/run/postgresql/.s.PGSQL.5432" ipaddr=... scontext=system_u:system_r:postgresql_t tcontext=system_u:system_r:postgresql_t tclass=unix_stream_socket
Nov 24 10:41:54 lerya kernel: [1628902.542653] type=1400 audit(1353750114.023:10145): avc:  denied  { connectto } for  pid=20481 comm="pg_ctl" path="/run/postgresql/.s.PGSQL.5432" ipaddr=... scontext=system_u:system_r:postgresql_t tcontext=system_u:system_r:postgresql_t tclass=unix_stream_socket
Nov 24 10:41:55 lerya kernel: [1628903.543523] type=1400 audit(1353750115.024:10146): avc:  denied  { connectto } for  pid=20481 comm="pg_ctl" path="/run/postgresql/.s.PGSQL.5432" ipaddr=... scontext=system_u:system_r:postgresql_t tcontext=system_u:system_r:postgresql_t tclass=unix_stream_socket
Nov 24 10:41:56 lerya kernel: [1628904.544533] type=1400 audit(1353750116.025:10147): avc:  denied  { connectto } for  pid=20481 comm="pg_ctl" path="/run/postgresql/.s.PGSQL.5432" ipaddr=... scontext=system_u:system_r:postgresql_t tcontext=system_u:system_r:postgresql_t tclass=unix_stream_socket
Nov 24 10:41:57 lerya kernel: [1628905.545521] type=1400 audit(1353750117.026:10148): avc:  denied  { connectto } for  pid=20481 comm="pg_ctl" path="/run/postgresql/.s.PGSQL.5432" ipaddr=... scontext=system_u:system_r:postgresql_t tcontext=system_u:system_r:postgresql_t tclass=unix_stream_socket
Nov 24 10:41:58 lerya kernel: [1628906.546530] type=1400 audit(1353750118.027:10149): avc:  denied  { connectto } for  pid=20481 comm="pg_ctl" path="/run/postgresql/.s.PGSQL.5432" ipaddr=... scontext=system_u:system_r:postgresql_t tcontext=system_u:system_r:postgresql_t tclass=unix_stream_socket
Nov 24 10:41:59 lerya kernel: [1628907.547519] type=1400 audit(1353750119.028:10150): avc:  denied  { connectto } for  pid=20481 comm="pg_ctl" path="/run/postgresql/.s.PGSQL.5432" ipaddr=... scontext=system_u:system_r:postgresql_t tcontext=system_u:system_r:postgresql_t tclass=unix_stream_socket
Nov 24 10:42:00 lerya kernel: [1628908.548588] type=1400 audit(1353750120.029:10152): avc:  denied  { connectto } for  pid=20481 comm="pg_ctl" path="/run/postgresql/.s.PGSQL.5432" ipaddr=... scontext=system_u:system_r:postgresql_t tcontext=system_u:system_r:postgresql_t tclass=unix_stream_socket
----

I added the following rule and everything worked well:
'allow postgresql_t self:unix_stream_socket connectto;'

root@lerya ~ ## /etc/init.d/postgresql-9.2 start
Authenticating root.
Yubikey for root:
 * Starting PostgreSQL ...  [ ok ]
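
How the repeated denials above collapse into the single rule the reporter added, shown as an added example that is not part of the original report or of Gentoo's policy tooling: a minimal audit2allow-style pass in Python. The sample log reuses two lines from the report plus one constructed denial whose type names (`example_t`, `example_file_t`) are hypothetical.

```python
import re
from collections import defaultdict

# Sample input: the first two lines are copied from the report above; the third
# is constructed (hypothetical types) to show a denial that is not a "self" rule.
SAMPLE_LOG = """\
Nov 24 10:41:52 lerya kernel: [1628900.540506] type=1400 audit(1353750112.021:10143): avc:  denied  { connectto } for  pid=20481 comm="pg_ctl" path="/run/postgresql/.s.PGSQL.5432" ipaddr=... scontext=system_u:system_r:postgresql_t tcontext=system_u:system_r:postgresql_t tclass=unix_stream_socket
Nov 24 10:41:53 lerya kernel: [1628901.541540] type=1400 audit(1353750113.022:10144): avc:  denied  { connectto } for  pid=20481 comm="pg_ctl" path="/run/postgresql/.s.PGSQL.5432" ipaddr=... scontext=system_u:system_r:postgresql_t tcontext=system_u:system_r:postgresql_t tclass=unix_stream_socket
Nov 24 10:45:00 lerya kernel: [1629088.000000] type=1400 audit(1353750300.000:10200): avc:  denied  { read write } for  pid=20500 comm="example" name="example.conf" scontext=system_u:system_r:example_t tcontext=system_u:object_r:example_file_t tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)")

def context_type(context):
    # A context is user:role:type[:mls-level]; the type is the third field.
    return context.split(":")[2]

def candidate_rules(log_text):
    """Return [(allow_rule, occurrences)] with duplicate denials merged."""
    perms, counts = defaultdict(set), defaultdict(int)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        src = context_type(m["scon"])
        tgt = context_type(m["tcon"])
        if src == tgt:
            tgt = "self"  # same source and target type, as in the pg_ctl denials
        key = (src, tgt, m["tclass"])
        perms[key].update(m["perms"].split())
        counts[key] += 1
    rules = []
    for key in sorted(perms):
        src, tgt, tclass = key
        names = sorted(perms[key])
        perm_str = names[0] if len(names) == 1 else "{ " + " ".join(names) + " }"
        rules.append((f"allow {src} {tgt}:{tclass} {perm_str};", counts[key]))
    return rules

if __name__ == "__main__":
    for rule, n in candidate_rules(SAMPLE_LOG):
        print(f"{n:3d}x  {rule}")
```

The occurrence count makes a once-per-second retry loop like the one in this log stand out as one missing permission rather than many separate problems.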
Comment 1 Sven Vermeulen (RETIRED) gentoo-dev 2012-11-25 21:39:24 UTC
thanks, in repo, will be in r9
Comment 2 Sven Vermeulen (RETIRED) gentoo-dev 2012-12-17 18:54:44 UTC
r9 in hardened-dev overlay
Comment 3 Sven Vermeulen (RETIRED) gentoo-dev 2012-12-21 20:52:05 UTC
r9 in main repo, ~arch'ed
Comment 4 Sven Vermeulen (RETIRED) gentoo-dev 2013-01-19 21:16:14 UTC
Forgot to mention... stabilized a while ago ;)