Re: [GENERAL] SELinux problem rsync'ing WAL logs
Dear Tom,

Thanks for your reply and insight! I much appreciate it. I certainly look forward to getting off FC6!

In the meantime, I did get it to work - I remembered SELinux protects /home directories especially. So I moved the postgres user's home directory from /home/postgres to /data/postgres, and the WAL rsync works now under SELinux.

Thanks again! Very helpful!

Best,
-at

--
Sent via pgsql-general mailing list (pgsql-general@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general
[GENERAL] SELinux problem rsync'ing WAL logs
Ok, this is not strictly a PostgreSQL issue, but I am trying to enable WAL log shipping on our PostgreSQL 8.1.10 (upgrade to 8.3.7 is in the works).

My archive_command is

  'rsync %p postg...@node2:/file/to/$f </dev/null'

This works fine if and only if SELinux is disabled on node 1 (the source node).

I am running Fedora Core 6 on node 1. (Upgrade to CentOS 5.2 is in the works.)

I used audit2allow on the SELinux messages, and generated an SELinux module to allow Postgres to rsync the files out:

  allow postgresql_t ssh_exec_t:file { read execute execute_no_trans };
  allow postgresql_t ssh_port_t:tcp_socket name_connect;
  allow postgresql_t user_home_t:dir { search getattr };
  allow postgresql_t user_home_t:file { read getattr };

But this still does not work. (Works fine if I disable SELinux, by the way.) The error I get is:

  LOG: archive command /usr/local/bin/rsync -e /usr/bin/ssh pg_xlog/0001001D0015 postg...@node2:WAL/0001001D0015 </dev/null failed: return code 65280
  Could not create directory '/home/postgres/.ssh'.
  Host key verification failed.
  rsync: connection unexpectedly closed (0 bytes received so far) [sender]
  rsync error: unexplained error (code 255) at io.c(632) [sender=3.0.4]

If anybody has any clue as to what's going on here, I would sure appreciate your help.

ssh node2 works fine from node1; I log in using key-based authentication.

What stumps me is there are no further complaints from SELinux, but clearly SELinux is blocking the connection.

I think I'll ask on the SELinux list as well. But if anybody here has a clue, please give me a shout.

Best,
-at
--
Aleksey Tsalolikhin
UNIX System Administrator
I get stuff done!
http://www.verticalsysadmin.com/
LinkedIn - http://www.linkedin.com/in/atsaloli
Re: [GENERAL] SELinux problem rsync'ing WAL logs
On Tue, Mar 31, 2009 at 9:18 PM, Aleksey Tsalolikhin atsaloli.t...@gmail.com wrote:
> Could not create directory '/home/postgres/.ssh'.
> Host key verification failed.

Have you tested ssh node2 as the postgres user with SELinux enabled? This looks like ssh failing to access the .ssh directory where it keeps host keys (the known_keys file) and dying as a result. None of the SELinux module setup lines seem to cover that, so you may want to see if there's an SELinux failure for ssh in the audit log that could give you a clue as to what needs to be allowed.

--
- David T. Wilson
david.t.wil...@gmail.com
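The check David suggests, worked through as an added example (this is not code from the thread or from PostgreSQL): a minimal audit2allow-style reducer that parses AVC denial records, aggregates them into (source type, target type, object class) -> permissions, and diffs the result against the allow rules Aleksey posted, so the denials that an existing module does not cover stand out. The audit records are constructed for illustration and the pids, record ids and labels in them are assumptions; the one label worth noting is user_home_dir_t, which in the reference policy is the type of the /home/<user> directory itself while files under it are user_home_t, which is exactly the sort of gap a rule set mentioning only user_home_t can leave when ssh tries to create ~/.ssh.

```python
"""Added example (not from the thread): a minimal audit2allow-style reducer.

Parses SELinux AVC denial records, aggregates them by
(source type, target type, object class) -> set of permissions, and
diffs that against a set of TE allow rules you already have, so you can
see which denials the module you built does not cover.
"""
import re
from collections import defaultdict

# Constructed audit records for illustration only (not from the original
# post).  Pids, record ids and inode numbers are made up; the assumption
# about labels is that /home/postgres itself carries user_home_dir_t while
# files beneath it carry user_home_t, as in the reference policy.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1238547512.123:101): avc:  denied  { execute } for  pid=4123 comm="sh" name="ssh" dev=sda2 ino=123456 scontext=system_u:system_r:postgresql_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file
type=AVC msg=audit(1238547512.130:102): avc:  denied  { name_connect } for  pid=4124 comm="ssh" dest=22 scontext=system_u:system_r:postgresql_t:s0 tcontext=system_u:object_r:ssh_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1238547512.131:103): avc:  denied  { search } for  pid=4124 comm="ssh" name="postgres" dev=sda3 ino=2 scontext=system_u:system_r:postgresql_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1238547512.132:104): avc:  denied  { create } for  pid=4124 comm="ssh" name=".ssh" scontext=system_u:system_r:postgresql_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir
type=SYSCALL msg=audit(1238547512.132:104): arch=c000003e syscall=83 success=no exit=-13 comm="ssh" subj=system_u:system_r:postgresql_t:s0 key=(null)
"""

# The allow rules from the post, as audit2allow emitted them.
POSTED_RULES = """\
allow postgresql_t ssh_exec_t:file { read execute execute_no_trans };
allow postgresql_t ssh_port_t:tcp_socket name_connect;
allow postgresql_t user_home_t:dir { search getattr };
allow postgresql_t user_home_t:file { read getattr };
"""

# "avc:  denied  { perm perm } for ... scontext=u:r:t:s tcontext=u:r:t:s tclass=cls"
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)
# "allow src tgt:cls { p1 p2 };"  or  "allow src tgt:cls p1;"
RULE_RE = re.compile(
    r"^\s*allow\s+(?P<src>\w+)\s+(?P<tgt>\w+):(?P<cls>\w+)\s+"
    r"(?:\{\s*(?P<perms>[^}]+?)\s*\}|(?P<perm>\w+))\s*;\s*$"
)


def _type_of(context):
    """Pull the type field out of a user:role:type[:range] security context."""
    return context.split(":")[2]


def parse_avc(log_text):
    """Aggregate AVC denials into {(src_type, tgt_type, tclass): set(perms)}."""
    denied = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, PATH, CWD and other record types carry no denial
        key = (_type_of(m.group("scon")), _type_of(m.group("tcon")), m.group("tclass"))
        denied[key].update(m.group("perms").split())
    return dict(denied)


def parse_allow_rules(te_text):
    """Parse TE allow rules into the same {(src, tgt, cls): set(perms)} shape."""
    allowed = defaultdict(set)
    for line in te_text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        perms = m.group("perms").split() if m.group("perms") else [m.group("perm")]
        allowed[(m.group("src"), m.group("tgt"), m.group("cls"))].update(perms)
    return dict(allowed)


def uncovered(denied, allowed):
    """Return the denied permissions that no rule in `allowed` grants."""
    missing = {}
    for key, perms in denied.items():
        gap = perms - allowed.get(key, set())
        if gap:
            missing[key] = gap
    return missing


def render_allow(rules):
    """Render {(src, tgt, cls): perms} as TE allow rules, one per line, sorted."""
    lines = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        plist = sorted(perms)
        body = plist[0] if len(plist) == 1 else "{ " + " ".join(plist) + " }"
        lines.append(f"allow {src} {tgt}:{cls} {body};")
    return "\n".join(lines)


if __name__ == "__main__":
    gaps = uncovered(parse_avc(SAMPLE_AUDIT_LOG), parse_allow_rules(POSTED_RULES))
    print("Denials not covered by the posted module:")
    print(render_allow(gaps))
```

Run against a real audit.log, the denials with comm="ssh" or comm="rsync" and scontext type postgresql_t are the ones to look at; interactive tests as the postgres user run in a different domain and never exercise these rules. Two caveats a practitioner should keep in mind: denials silenced by dontaudit rules never reach the log at all (on newer releases `semodule -DB` turns dontaudit off while you debug), and an empty diff from this script only means the module covers what was logged. Independently of policy, ssh options such as `-o UserKnownHostsFile=/some/path -o StrictHostKeyChecking=yes -o BatchMode=yes` remove the daemon's dependence on $HOME/.ssh for host key verification, which is the step that fails in the posted log.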
Re: [GENERAL] SELinux problem rsync'ing WAL logs
On Tue, Mar 31, 2009 at 6:35 PM, David Wilson david.t.wil...@gmail.com wrote:
> On Tue, Mar 31, 2009 at 9:18 PM, Aleksey Tsalolikhin atsaloli.t...@gmail.com wrote:
>> Could not create directory '/home/postgres/.ssh'.
>> Host key verification failed.
>
> Have you tested ssh node2 as the postgres user with SELinux enabled?

Yes, I have, it works fine. With SELinux enabled. That's why I've been tearing my hair out.

There must be a different SELinux behavior when the postgres database server tries to do it.

Thanks for your reply!

--
Aleksey Tsalolikhin
UNIX System Administrator
I get stuff done!
http://www.verticalsysadmin.com/
LinkedIn - http://www.linkedin.com/in/atsaloli
Re: [GENERAL] SELinux problem rsync'ing WAL logs
Aleksey Tsalolikhin atsaloli.t...@gmail.com writes:
> On Tue, Mar 31, 2009 at 6:35 PM, David Wilson david.t.wil...@gmail.com wrote:
>> Have you tested ssh node2 as the postgres user with SELinux enabled?
>
> Yes, I have, it works fine. With SELinux enabled. That's why I've been tearing my hair out.

Ah, well, you need to understand one of the first points about SELinux: the standard policy is designed to constrain daemon processes, not interactive processes. So you can run some command when logged in as postgres, and whether that works has nothing whatever to do with whether SELinux will let the postgres daemon do it.

> I am running Fedora Core 6 on node 1. (Upgrade to CentOS 5.2 is in the works.)

Yes, I'd suggest getting off FC6 soon. In my experience the SELinux policy didn't start to just work until around FC8. In particular I recall that FC6 had a bad habit of trying to rate-limit AVC messages to the point where you could not figure out whether (much less why) it was denying any particular thing you tried.

My advice is don't even bother trying to debug this on FC6. Get onto a newer platform with a less buggy SELinux implementation, or just turn off SELinux.

regards, tom lane