----- Original Message -----
> From: "Daniel J Walsh" <dwa...@redhat.com>
> To: "Eli Mesika" <emes...@redhat.com>
> Cc: "Yair Zaslavsky" <yzasl...@redhat.com>, "Barak Azulay" <bazu...@redhat.com>, "engine-devel" <engine-devel@ovirt.org>
> Sent: Monday, June 17, 2013 6:51:23 PM
> Subject: Re: SELinux problem
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 06/17/2013 08:49 AM, Eli Mesika wrote:
> > Hi
> >
> > I am using SELinux Enforcing mode on Fedora 18
> > (selinux-policy-3.11.1-97.fc18.noarch)
> >
> > As part of our Postgres DB restore we have to
> >
> > 1) Open a postgres backup packed as a TAR file
> > 2) Restore the database from those files after unpacking with tar xvf.
> >
> > I have found that I get a Permission Denied when trying to restore the
> > database data files. After investigation, I had found that running:
> > setenforce 0 the restore completes with no errors. Further investigation
> > shows that when I am extracting the TAR file, I have to set the same
> > SELinux context as in the /var/lib/pgsql/data directory, i.e.
> > unconfined_u:object_r:postgresql_db_t:s0
> >
> > I had tried to do that with chcon:
> >
> > chcon -u unconfined_u -r object_r -t postgresql_db_t <file>
> >
> > This failed (also when running with root privileges) and audit2why
> > --all shows a lot of those errors:
> >
> > type=AVC msg=audit(1371464569.023:671): avc: denied { relabelto } for
> > pid=18144 comm="chcon" name="toc.dat" dev="tmpfs" ino=117639
> > scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> > tcontext=system_u:system_r:postgresql_t:s0 tclass=file
> > Was caused by:
> > Missing type enforcement (TE) allow rule.
> >
> > You can use audit2allow to generate a loadable module to allow this
> > access.
> >
> > After googling around that, I found an article by you:
> >
> > https://docs.fedoraproject.org/en-US/Fedora/11/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow.html
> >
> > It says: "Missing Type Enforcement rules are usually caused by bugs in
> > SELinux policy, and should be reported in Red Hat Bugzilla. For Fedora,
> > create bugs against the Fedora product, and select the selinux-policy
> > component. Include the output of the audit2allow -w -a and audit2allow -a
> > commands in such bug reports."
> >
> > Should I open a BZ on that?
> >
> > The TAR I am using is attached. (I am opening it with tar xvf and trying to
> > change the context to the desired context as explained above)
> >
> > Thanks
> >
> > Eli
> >
>
> Just untar the files and run restorecon -R on them
>
> restorecon -R PATH

Thanks for the quick response.
I had tried it and nothing happened, same results.
So I had tried with -RVVF flags and got the following:

restorecon: Warning no default label for /tmp/db/00579652_221211073824_pgdump.tar_dir/3622.dat

(this appears on each file of the extracted files)

So, it seems that the pg_dump did not set the correct SELinux defaults on those files when packaging them, right?
Any workaround to get out of that...

Thanks again
Eli

>
> Should put the default labels on the content.
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.13 (GNU/Linux)
> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>
> iEYEARECAAYFAlG/MHsACgkQrlYvE4MpobOjNACff0Ugxb2zWZqx+At3orGPS4s7
> CZ0AoNQSRB2QSCrise2m4gFiEO2sbCh1
> =hdyR
> -----END PGP SIGNATURE-----
>
_______________________________________________
Engine-devel mailing list
Engine-devel@ovirt.org
http://lists.ovirt.org/mailman/listinfo/engine-devel
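
An added example, not part of the original thread: a small parser for the AVC record quoted above that compares the context a denied relabelto asked for (the record's tcontext) with the label the message says the data files need. The function names and the INTENDED constant are assumptions of this example, and the sample record is constructed from the quoted denial with its line wraps removed.

```python
import re

# Constructed from the AVC record quoted in the thread (line wraps removed).
SAMPLE_AVC = (
    'type=AVC msg=audit(1371464569.023:671): avc: denied { relabelto } for '
    'pid=18144 comm="chcon" name="toc.dat" dev="tmpfs" ino=117639 '
    'scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
    'tcontext=system_u:system_r:postgresql_t:s0 tclass=file'
)
# Label the thread says the data files need (assumed constant name).
INTENDED = "unconfined_u:object_r:postgresql_db_t:s0"

AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)")

def parse_context(ctx):
    """Split user:role:type:level; the MLS level may itself contain colons."""
    user, role, type_, level = ctx.split(":", 3)
    return {"user": user, "role": role, "type": type_, "level": level}

def parse_avc(line):
    """Return the fields of one AVC record, or None if the line is not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"result": m.group(1), "perms": m.group(2).split()}
    for key, value in re.findall(r'(\w+)=("[^"]*"|\S+)', m.group(3)):
        rec[key] = value.strip('"')
    rec["scontext"] = parse_context(rec["scontext"])
    rec["tcontext"] = parse_context(rec["tcontext"])
    return rec

def relabel_findings(rec, intended=INTENDED):
    """Compare a denied relabelto target with the label that was intended."""
    findings = []
    if rec["result"] != "denied" or "relabelto" not in rec["perms"]:
        return findings
    # For relabelto, tcontext is the new label that was requested for the file.
    want, got = parse_context(intended), rec["tcontext"]
    for field in ("user", "role", "type"):
        if got[field] != want[field]:
            findings.append(f"{field}: requested {got[field]}, intended {want[field]}")
    if rec.get("dev") == "tmpfs":
        findings.append("target file is on tmpfs")
    return findings

if __name__ == "__main__":
    for finding in relabel_findings(parse_avc(SAMPLE_AVC)):
        print(finding)
```

Run over the quoted record, it reports that the denied request named system_u:system_r:postgresql_t rather than the unconfined_u:object_r:postgresql_db_t label given in the message, and that the file sat on tmpfs.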