Bug Report: SELinux Problems with Upgrade of Foreman 1.24.2/Katello 3.14.1 to latest Foreman 2.0.0/Katello 3.15.0

Ran into a bug when upgrading Foreman 1.24.2 with Katello 3.14.1 to the latest Foreman 2.0.0 with Katello 3.15.0. The upgrade could not complete with SELinux enabled. I disabled SELinux enforcing, and was able to complete the upgrade. Afterwards, I rebooted the server, and the web service could not start, as SELinux blocked access to the PostgreSQL unix socket. Enabling the passenger_can_connect_all sebool allowed Foreman/Katello to work normally again.

Can you please provide the denials you see from the audit log?

Passenger is allowed to connect to postgres both locally or via TCP by default:

# Allow Foreman to connect to PostgreSQL
corenet_tcp_connect_postgresql_port(passenger_t)
optional_policy(`
    postgresql_stream_connect(passenger_t)
')

You need to share those denials.

Sorry, just getting back to this.

The AVC denials without the passenger_can_connect_all set are as follows:
type=AVC msg=audit(1589403562.352:204): avc: denied { connectto } for pid=2018 comm="ruby" path="/run/postgresql/.s.PGSQL.5432" scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket permissive=0

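The denial above is the whole diagnosis in one line: the target of the `connectto` is `initrc_t`, i.e. a process that never left the generic init-script domain, not `postgresql_t`. The following is an added example (not code from the thread or from Foreman) that parses AVC records from an audit.log excerpt and separates exactly that case from an ordinary denial between two properly confined domains. The sample input is constructed: the first record is the denial quoted above (kept with the curly quotes the forum put around "ruby", which the parser normalises), the other AVC record is made up for comparison.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input. Record 1 is the denial quoted in this thread, with
# the curly quotes the forum software put around "ruby"; record 2 is an
# unrelated SYSCALL line; record 3 is a made-up denial against a daemon that
# *did* reach its own domain, for comparison.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1589403562.352:204): avc: denied { connectto } for pid=2018 comm=“ruby” path="/run/postgresql/.s.PGSQL.5432" scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket permissive=0
type=SYSCALL msg=audit(1589403562.352:204): arch=c000003e syscall=42 success=no exit=-13
type=AVC msg=audit(1589403600.100:210): avc: denied { connectto } for pid=2030 comm="httpd" path="/run/postgresql/.s.PGSQL.5432" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:postgresql_t:s0 tclass=unix_stream_socket permissive=0
"""

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Forum and terminal copy-paste often turns plain quotes into typographic ones.
SMART_QUOTES = str.maketrans({"\u201c": '"', "\u201d": '"', "\u2018": "'", "\u2019": "'"})


@dataclass
class Avc:
    serial: int
    verdict: str
    perms: tuple
    pid: int
    comm: str
    path: Optional[str]
    scontext: str
    tcontext: str
    tclass: str
    permissive: bool


def parse_avc(line: str) -> Optional[Avc]:
    """Return the parsed record for an AVC line, or None for any other audit record."""
    m = AVC_RE.match(line.translate(SMART_QUOTES).strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return Avc(
        serial=int(m.group("serial")),
        verdict=m.group("verdict"),
        perms=tuple(m.group("perms").split()),
        pid=int(fields.get("pid", "0")),
        comm=fields.get("comm", ""),
        path=fields.get("path"),
        scontext=fields["scontext"],
        tcontext=fields["tcontext"],
        tclass=fields["tclass"],
        permissive=fields.get("permissive") == "1",
    )


def ctx_type(context: str) -> str:
    """user:role:type[:range] -> type, e.g. system_u:system_r:initrc_t:s0 -> initrc_t."""
    return context.split(":")[2]


# Object classes whose target context belongs to another *process*. A tcontext
# of initrc_t (or init_t) on one of these means the peer daemon never left the
# generic init domain, so the fix belongs on the daemon's side, not the client's.
PROCESS_CLASSES = {"process", "unix_stream_socket", "unix_dgram_socket", "tcp_socket", "udp_socket"}
UNTRANSITIONED = {"initrc_t", "init_t", "unconfined_service_t"}


def triage(avc: Avc) -> str:
    src, tgt = ctx_type(avc.scontext), ctx_type(avc.tcontext)
    head = f"#{avc.serial} {src} -> {tgt} {avc.tclass} {{ {' '.join(avc.perms)} }}"
    if avc.tclass in PROCESS_CLASSES and tgt in UNTRANSITIONED:
        return head + ": peer did not transition into its own domain; check the daemon's exec label and type_transition, not the client policy"
    return head + ": ordinary denial between confined domains; check booleans or write a local module"


def triage_log(text: str) -> List[str]:
    """Run triage over every AVC record in an audit.log excerpt."""
    return [triage(a) for a in map(parse_avc, text.splitlines()) if a]


if __name__ == "__main__":
    for verdict in triage_log(SAMPLE_AUDIT):
        print(verdict)
```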

Thanks, could easily be a @packaging issue. Looks like the postgresql UNIX stream socket is mislabelled:

#!!!! The file '/run/postgresql/.s.PGSQL.5432' is mislabeled on your system.  
#!!!! Fix with $ restorecon -R -v /run/postgresql/.s.PGSQL.5432
allow passenger_t initrc_t:unix_stream_socket connectto;

Can you run restorecon -Rvn /run/postgresql /var/run/postgresql please? This is a dry run, this will not do anything yet.

I am wondering in which context the postgresql daemon is running, as it should create files under var_run_t with postgresql_var_run_t. initrc_t sounds like it has not transitioned to the daemon's domain postgresql_t.

So can you also verify whether the postgresql daemon is running correctly (ps -efZ | grep postgresql_t should show the daemon if it is running correctly) and, if not, whether the daemon's binary is labeled with postgresql_exec_t (ls -lZ /opt/rh/rh-postgresql12/root/bin/postgres)?

Outputs of the above commands:

[ ~]$ ps -efZ | grep postgresql_t
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 ejarman+ 4313 3722 0 10:23 pts/0 00:00:00 grep --color=auto postgresql_t
[ ~]$ ls -lZ /opt/rh/rh-postgresql12/root/bin/postgres
-rwxr-xr-x. root root system_u:object_r:postgresql_exec_t:s0 /opt/rh/rh-postgresql12/root/bin/postgres

[ ~]$ restorecon -Rvn /run/postgresql /var/run/postgresql
[ ~]$ ls -laZ /run/postgresql/
drwxr-xr-x. postgres postgres system_u:object_r:postgresql_var_run_t:s0 .
drwxr-xr-x. root root system_u:object_r:var_run_t:s0 ..
srwxrwxrwx. postgres postgres system_u:object_r:postgresql_var_run_t:s0 .s.PGSQL.5432
-rw-------. postgres postgres system_u:object_r:postgresql_var_run_t:s0 .s.PGSQL.5432.lock
[ ~]$ ls -laZ /var/run/postgresql
drwxr-xr-x. postgres postgres system_u:object_r:postgresql_var_run_t:s0 .
drwxr-xr-x. root root system_u:object_r:var_run_t:s0 ..
srwxrwxrwx. postgres postgres system_u:object_r:postgresql_var_run_t:s0 .s.PGSQL.5432
-rw-------. postgres postgres system_u:object_r:postgresql_var_run_t:s0 .s.PGSQL.5432.lock

[ ~]$ ps -efZ | grep postmaster
system_u:system_r:initrc_t:s0 postgres 1316 1 0 May13 ? 00:00:05 postmaster -D /var/opt/rh/rh-postgresql12/lib/pgsql/data

So the output of the ps and ls commands indicates that postgres is correctly set up to transition into its domain, but it is not running in it at the moment.

Was it perhaps started manually not using systemd? Or via a wrapper script which could be mislabeled? I am not sure how it got into this state, but it is at least not normal.

Are you able to restart the postgresql daemon at the moment? If yes, does it run in its domain after a restart via systemctl?

The database was started via systemd. It gets the wrong security label both at reboot, and when reloading with sudo systemctl restart postgresql.

[ ~]$ sudo systemctl stop postgresql
[ ~]$ systemctl status postgresql
● postgresql.service - PostgreSQL database server
Loaded: loaded (/etc/systemd/system/postgresql.service; enabled; vendor preset: disabled)
Active: inactive (dead) since Thu 2020-05-14 17:18:45 CDT; 4s ago
Process: 1316 ExecStart=/bin/sh -c source scl_source enable rh-postgresql12 ; exec postmaster -D ${PGDATA} (code=exited, status=0/SUCCESS)
Process: 1258 ExecStartPre=/opt/rh/rh-postgresql12/root/usr/libexec/postgresql-check-db-dir %N (code=exited, status=0/SUCCESS)
Main PID: 1316 (code=exited, status=0/SUCCESS)
[ ~]$ sudo systemctl start postgresql
[ ~]$ ps -efZ | grep postmaster
system_u:system_r:initrc_t:s0 postgres 9167 1 1 17:18 ? 00:00:00 postmaster -D /var/opt/rh/rh-postgresql12/lib/pgsql/data
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 ejarman+ 9192 9004 0 17:19 pts/0 00:00:00 grep --color=auto postmaster

Please note: this system was upgraded to CentOS 7.8 before upgrading Foreman/Katello. It was initially built last year with Foreman 1.22 and Katello 3.13, and has been upgraded through versions since then.

I am running a bit out of ideas, as everything seems correct except that it does not transition.

I tested on my own system and it works as expected with and without sudo.

So the last thing we did not verify was the context of /etc/systemd/system/postgresql.service which should be systemd_unit_file_t.

You could also verify the context of all files of a package with fixfiles, so for package in $(rpm -qa | grep postgres); do fixfiles -R $package check; done for all postgres packages. To change the labels after checking, you can run it again with restore instead of check.

We use PostgreSQL from RH SCL, SELinux handles SCLs automatically. It works fine for me:

[root@foreman ~]# ps axuZ | grep postgres
system_u:system_r:postgresql_t:s0 postgres 982  0.0  0.4 834256 52148 ?        Ss   10:48   0:00 postmaster -D /var/opt/rh/rh-postgresql12/lib/pgsql/data
system_u:system_r:postgresql_t:s0 postgres 1458 0.0  0.0 251804  2060 ?        Ss   10:48   0:00 postgres: logger   
system_u:system_r:postgresql_t:s0 postgres 1830 0.0  0.0 834528  8092 ?        Ss   10:48   0:00 postgres: checkpointer   
system_u:system_r:postgresql_t:s0 postgres 1831 0.0  0.0 834392  6784 ?        Ss   10:48   0:00 postgres: background writer   
system_u:system_r:postgresql_t:s0 postgres 1832 0.0  0.1 834256 18664 ?        Ss   10:48   0:00 postgres: walwriter   
system_u:system_r:postgresql_t:s0 postgres 1834 0.0  0.0 835212  3340 ?        Ss   10:48   0:00 postgres: autovacuum launcher   
system_u:system_r:postgresql_t:s0 postgres 1835 0.0  0.0 252212  2424 ?        Ss   10:48   0:00 postgres: stats collector   
system_u:system_r:postgresql_t:s0 postgres 1836 0.0  0.0 835100  2804 ?        Ss   10:48   0:00 postgres: logical replication launcher   
system_u:system_r:postgresql_t:s0 postgres 9083 0.0  0.0 836752 11324 ?        Ss   10:50   0:00 postgres: foreman foreman [local] idle
system_u:system_r:postgresql_t:s0 postgres 9084 0.0  0.0 836752 11320 ?        Ss   10:50   0:00 postgres: foreman foreman [local] idle
system_u:system_r:postgresql_t:s0 postgres 9090 0.0  0.0 836580  9884 ?        Ss   10:50   0:00 postgres: foreman foreman [local] idle
system_u:system_r:postgresql_t:s0 postgres 9092 0.0  0.0 835472  4928 ?        Ss   10:50   0:00 postgres: foreman foreman [local] idle
system_u:system_r:postgresql_t:s0 postgres 9094 0.0  0.0 836584  8916 ?        Ss   10:50   0:00 postgres: foreman foreman [local] idle
system_u:system_r:postgresql_t:s0 postgres 9105 0.0  0.0 836488 10192 ?        Ss   10:50   0:00 postgres: foreman foreman [local] idle
system_u:system_r:postgresql_t:s0 postgres 9109 0.0  0.0 835472  4928 ?        Ss   10:50   0:00 postgres: foreman foreman [local] idle
system_u:system_r:postgresql_t:s0 postgres 9144 0.0  0.0 835604  6776 ?        Ss   10:50   0:00 postgres: foreman foreman [local] idle
system_u:system_r:postgresql_t:s0 postgres 9148 0.0  0.0 836384  8124 ?        Ss   10:50   0:00 postgres: foreman foreman [local] idle
system_u:system_r:postgresql_t:s0 postgres 9149 0.0  0.0 835860  8080 ?        Ss   10:50   0:00 postgres: foreman foreman [local] idle
system_u:system_r:postgresql_t:s0 postgres 9170 0.0  0.0 836368  8804 ?        Ss   10:50   0:00 postgres: foreman foreman [local] idle
system_u:system_r:postgresql_t:s0 postgres 9173 0.0  0.0 836368  8528 ?        Ss   10:50   0:00 postgres: foreman foreman [local] idle
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 9467 0.0  0.0 112816 968 pts/0 S+ 10:58   0:00 grep --color=auto postgres

[root@foreman ~]# semanage fcontext -l | grep /rh/
/var/opt/rh/rh-nginx18/log(/.*)?                   all files          system_u:object_r:httpd_log_t:s0 
/var/opt/rh/rh-redis32/redis(/.*)?                 regular file       system_u:object_r:redis_exec_t:s0 
/etc/opt/rh/rh-nginx18/nginx(/.*)?                 all files          system_u:object_r:httpd_config_t:s0 
/var/opt/rh/rh-nginx18/lib/nginx(/.*)?             all files          system_u:object_r:httpd_var_lib_t:s0 
/var/opt/rh/rh-nginx18/run/nginx(/.*)?             all files          system_u:object_r:httpd_var_run_t:s0 
/opt/rh/rh-redis5/root = /
/var/opt/rh/rh-postgresql12 = /var
/etc/opt/rh/rh-postgresql12 = /etc
/etc/opt/rh/rh-redis5 = /etc
/var/opt/rh/rh-redis5 = /var
/opt/rh/rh-postgresql12/root = /

Can you paste (and format properly) the output of semanage fcontext -l | grep /rh/?

Have you ever played with SELinux (e.g. disabling it for a moment) on this deployment?

I suggest running a full restorecon: restorecon -FvvR / and rebooting the instance, or even better touching /.autorelabel followed by a reboot.

Dirk,
The context of /etc/systemd/system/postgresql.service is correct at systemd_unit_file_t.

The fixfiles check command flagged a few log files, and gave this error several times:
/sbin/restorecon: Warning no default label for /opt/rh/rh-postgresql12/root/proc

I am running the fixfiles … restore command now. I'll reboot again, then check the rest of the file contexts as in the next message from Izap.

[ ~]$ sudo semanage fcontext -l | grep /rh/
/var/opt/rh/rh-nginx18/log(/.*)?                   all files          system_u:object_r:httpd_log_t:s0
/var/opt/rh/rh-redis32/redis(/.*)?                 regular file       system_u:object_r:redis_exec_t:s0
/etc/opt/rh/rh-nginx18/nginx(/.*)?                 all files          system_u:object_r:httpd_config_t:s0
/var/opt/rh/rh-nginx18/lib/nginx(/.*)?             all files          system_u:object_r:httpd_var_lib_t:s0
/var/opt/rh/rh-nginx18/run/nginx(/.*)?             all files          system_u:object_r:httpd_var_run_t:s0
/etc/opt/rh/rh-redis5 = /etc
/var/opt/rh/rh-mongodb34 = /var
/opt/rh/rh-redis5/root = /
/opt/rh/rh-mongodb34/root = /
/etc/opt/rh/rh-mongodb34 = /etc
/etc/opt/rh/rh-postgresql12 = /etc
/var/opt/rh/rh-redis5 = /var
/var/opt/rh/rh-postgresql12 = /var
/opt/rh/rh-postgresql12/root = /
[ ~]$

I’m running a full restorecon with restorecon -FvvR / now, and have touched /.autorelabel to hit the root on boot.
The filesystems are very split out on this system, with all of the following configured as separate:

/
/boot
/home
/opt
/srv
/tmp
/var
/var/lib
/var/lib/pulp (nfs)
/var/www

Even after all the relabeling and rebooting, the postmaster process is still getting the wrong label on start.

[ ~]$ ps -efZ | grep postmaster
system_u:system_r:initrc_t:s0   postgres  1347     1  0 15:51 ?        00:00:00 postmaster -D /var/opt/rh/rh-postgresql12/lib/pgsql/data

Izap,
Forgot to specify, but mentioned it above,
The system works perfectly when either SELinux enforcing is disabled, or when setting setsebool -p passenger_can_connect_all=1.

This system is a DEV system that was taken out of active service a couple months ago when I kept getting mongod OOM crashes every time it ran a repo sync. The OEL repositories were particularly bad about that.

At this point, you need to investigate why postgres is not starting in its domain. It does on our default install; you appear to have everything set correctly.

Do you have the policy enabled? semanage module -l | grep post

Check the file label of postmaster binary, it should have been something like postgres_exec_t or similar. That allows transition into the target domain.

The policy appears to be enabled.

[ ~]$ sudo semanage module -l | grep post
postfix                   100       pp
postgresql                100       pp
postgrey                  100       pp
[ ~]$

The label is correct on the actual postgres binary, but is not on the symlink.

[ ~]$ ls -lZ /usr/bin/postmaster
-rwxr-xr-x. root root system_u:object_r:bin_t:s0       /usr/bin/postmaster
[ ~]$ ls -lZ /opt/rh/rh-postgresql12/root/usr/bin/postmaster
lrwxrwxrwx. root root system_u:object_r:bin_t:s0       /opt/rh/rh-postgresql12/root/usr/bin/postmaster -> postgres
[ ~]$ ls -lZ /opt/rh/rh-postgresql12/root/usr/bin/postgres
-rwxr-xr-x. root root system_u:object_r:postgresql_exec_t:s0 /opt/rh/rh-postgresql12/root/usr/bin/postgres

I don’t see any references to a context for the symlinks when listing all file contexts for postgres.

[ ~]$ sudo semanage fcontext -l | grep postgre
/usr/bin/(se)?postgres                             regular file       system_u:object_r:postgresql_exec_t:s0
/etc/postgrey(/.*)?                                all files          system_u:object_r:postgrey_etc_t:s0
/var/lib/pgsql(/.*)?                               all files          system_u:object_r:postgresql_db_t:s0
/etc/postgresql(/.*)?                              all files          system_u:object_r:postgresql_etc_t:s0
/var/lib/pgsql/.*\.log                             all files          system_u:object_r:postgresql_log_t:s0
/usr/bin/initdb(\.sepgsql)?                        regular file       system_u:object_r:postgresql_exec_t:s0
/var/lib/sepgsql(/.*)?                             all files          system_u:object_r:postgresql_db_t:s0
/var/lib/postgrey(/.*)?                            all files          system_u:object_r:postgrey_var_lib_t:s0
/var/run/postgrey(/.*)?                            all files          system_u:object_r:postgrey_var_run_t:s0
/var/lib/postgres(ql)?(/.*)?                       all files          system_u:object_r:postgresql_db_t:s0
/etc/rc\.d/init\.d/(se)?postgresql                 regular file       system_u:object_r:postgresql_initrc_exec_t:s0
/var/log/rhdb/rhdb(/.*)?                           all files          system_u:object_r:postgresql_log_t:s0
/var/log/postgresql(/.*)?                          all files          system_u:object_r:postgresql_log_t:s0
/var/run/postgresql(/.*)?                          all files          system_u:object_r:postgresql_var_run_t:s0
/etc/sysconfig/pgsql(/.*)?                         all files          system_u:object_r:postgresql_etc_t:s0
/var/log/postgres\.log.*                           regular file       system_u:object_r:postgresql_log_t:s0
/usr/share/jonas/pgsql(/.*)?                       all files          system_u:object_r:postgresql_db_t:s0
/var/lib/pgsql/logfile(/.*)?                       all files          system_u:object_r:postgresql_log_t:s0
/usr/lib/postgresql/bin/.*                         regular file       system_u:object_r:postgresql_exec_t:s0
/var/log/sepostgresql\.log.*                       regular file       system_u:object_r:postgresql_log_t:s0
/var/lib/pgsql/data/pg_log(/.*)?                   all files          system_u:object_r:postgresql_log_t:s0
/usr/lib/pgsql/test/regress(/.*)?                  all files          system_u:object_r:postgresql_db_t:s0
/var/spool/postfix/postgrey(/.*)?                  all files          system_u:object_r:postgrey_spool_t:s0
/usr/share/munin/plugins/postgres_.*               regular file       system_u:object_r:services_munin_plugin_exec_t:s0
/usr/bin/pg_ctl                                    regular file       system_u:object_r:postgresql_exec_t:s0
/usr/sbin/postgrey                                 regular file       system_u:object_r:postgrey_exec_t:s0
/var/run/postgrey\.pid                             regular file       system_u:object_r:postgrey_var_run_t:s0
/etc/rc\.d/init\.d/postgrey                        regular file       system_u:object_r:postgrey_initrc_exec_t:s0
/usr/libexec/postgresql-ctl                        regular file       system_u:object_r:postgresql_exec_t:s0
/var/lib/sepgsql/pgstartup\.log                    regular file       system_u:object_r:postgresql_log_t:s0
/usr/bin/postgresql-check-db-dir                   regular file       system_u:object_r:postgresql_exec_t:s0
/usr/lib/pgsql/test/regress/pg_regress             regular file       system_u:object_r:postgresql_exec_t:s0
/usr/libexec/postgresql-ctl                        all files          system_u:object_r:postgresql_exec_t:s0
/etc/opt/rh/rh-postgresql12 = /etc
/usr/lib/systemd/system/rh-postgresql12-postgresql.service = /usr/lib/systemd/system/postgresql.service
/var/opt/rh/rh-postgresql12 = /var
/opt/rh/rh-postgresql12/root = /
[ ~]$

SCL support is actually built into SELinux; it has this mapping, so files are automatically labelled correctly.
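The `= ` lines in the `semanage fcontext -l` output above are path equivalences: the policy rewrites `/opt/rh/rh-postgresql12/root/...` to `/...` before matching the regex rules, which is how the binary under the SCL prefix ends up `postgresql_exec_t`. The following is an added example (not code from the thread or from Foreman) that resolves a path the way the thread reasons about it: apply the equivalence, then match the rules by file class. It also shows why the `postmaster` symlink stays `bin_t`: the `/usr/bin/(se)?postgres` rule is restricted to `regular file`, so a symlink only hits the generic `/usr/bin(/.*)?` rule. The sample rules are constructed from the output quoted in this thread plus that generic `/usr/bin` rule from the base policy (it was not in the thread's grep); picking the most specific rule is approximated as taking the longest matching regex, which is an assumption that agrees with libselinux for these paths.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: regex rules and SCL equivalences copied from the
# `semanage fcontext -l` output quoted in this thread, plus the generic
# /usr/bin rule from the base policy (not in the thread's grep, but needed to
# see where the symlink's bin_t label comes from).
FCONTEXT_OUTPUT = r"""
/usr/bin(/.*)?                                     all files          system_u:object_r:bin_t:s0
/usr/bin/(se)?postgres                             regular file       system_u:object_r:postgresql_exec_t:s0
/usr/bin/initdb(\.sepgsql)?                        regular file       system_u:object_r:postgresql_exec_t:s0
/var/lib/pgsql(/.*)?                               all files          system_u:object_r:postgresql_db_t:s0
/var/run/postgresql(/.*)?                          all files          system_u:object_r:postgresql_var_run_t:s0
/usr/bin/postgresql-check-db-dir                   regular file       system_u:object_r:postgresql_exec_t:s0
/etc/opt/rh/rh-postgresql12 = /etc
/var/opt/rh/rh-postgresql12 = /var
/opt/rh/rh-postgresql12/root = /
"""

FTYPES = "all files|regular file|directory|symbolic link|socket|named pipe|character device|block device"
RULE_RE = re.compile(rf"^(?P<regex>\S+)\s+(?P<ftype>{FTYPES})\s+(?P<ctx>\S+)$")
EQUIV_RE = re.compile(r"^(?P<src>\S+) = (?P<dst>\S+)$")


@dataclass
class Rule:
    regex: str
    ftype: str
    ctx: str


class FileContexts:
    def __init__(self, rules: List[Rule], equivs: List[Tuple[str, str]]):
        self.rules = rules
        # Longest source prefix first, so nested equivalences resolve correctly.
        self.equivs = sorted(equivs, key=lambda e: -len(e[0]))

    @classmethod
    def from_semanage(cls, text: str) -> "FileContexts":
        """Parse `semanage fcontext -l` output into regex rules and equivalences."""
        rules, equivs = [], []
        for line in text.splitlines():
            if m := EQUIV_RE.match(line.strip()):
                equivs.append((m["src"], m["dst"]))
            elif m := RULE_RE.match(line.strip()):
                rules.append(Rule(m["regex"], m["ftype"], m["ctx"]))
        return cls(rules, equivs)

    def canonical(self, path: str) -> str:
        """Rewrite an SCL path into the base-system path the regex rules are written for."""
        for src, dst in self.equivs:
            if path == src or path.startswith(src + "/"):
                return (dst.rstrip("/") + path[len(src):]) or "/"
        return path

    def expected_type(self, path: str, ftype: str) -> Optional[str]:
        """Type the policy assigns to `path` of file class `ftype`, or None if no rule matches.

        Assumption: the most specific rule is approximated as the longest regex;
        real libselinux orders file_contexts by stem length, which agrees here."""
        target = self.canonical(path)
        hits = [r for r in self.rules
                if r.ftype in ("all files", ftype) and re.fullmatch(r.regex, target)]
        if not hits:
            return None
        best = max(hits, key=lambda r: len(r.regex))
        return best.ctx.split(":")[2]


if __name__ == "__main__":
    fc = FileContexts.from_semanage(FCONTEXT_OUTPUT)
    for p, t in [("/opt/rh/rh-postgresql12/root/usr/bin/postgres", "regular file"),
                 ("/opt/rh/rh-postgresql12/root/usr/bin/postmaster", "symbolic link"),
                 ("/var/opt/rh/rh-postgresql12/lib/pgsql/data", "directory")]:
        print(f"{p} ({t}) -> {fc.canonical(p)} -> {fc.expected_type(p, t)}")
```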

Well, I can confirm everything is the same on my setup and postgres goes into the proper domain. Please reach out to the SELinux team to find out what's wrong. My SELinux knowledge is limited here.

I have definitely confirmed that the passenger contexts and rules are correct. Still working on what is wrong with the domain for rh-postgresql12

[ ~]$ sudo sesearch --all | grep passenger_t | grep postgre
   allow passenger_t postgresql_tmp_t : dir { getattr search open } ;
   allow passenger_t postgresql_var_run_t : sock_file { write getattr append open } ;
   allow passenger_t postgresql_port_t : tcp_socket name_connect ;
   allow passenger_t postgresql_tmp_t : sock_file { write getattr append open } ;
   allow passenger_t postgresql_var_run_t : dir { getattr search open } ;
   allow passenger_t postgresql_t : unix_stream_socket connectto ;

There is no relabel rule allowing the switch to postgresql_exec_t though.
Looking for any missing or wrong versions of packages from the scl.

[ ~]$ sudo sesearch --all | grep postgresql | grep relabel
   allow sysadm_t postgresql_etc_t : sock_file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open } ;
   allow sysadm_t postgresql_var_run_t : sock_file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open } ;
   allow dbadm_t postgresql_etc_t : lnk_file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename } ;
   allow postgresql_t sepgsql_database_type : db_database { create drop getattr setattr relabelfrom relabelto access install_module load_module get_param set_param } ;
   allow dbadm_t postgresql_var_run_t : dir { ioctl read write create getattr setattr lock relabelfrom relabelto unlink link rename add_name remove_name reparent search rmdir open } ;
   allow dbadm_t postgresql_db_t : sock_file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open } ;
   allow dbadm_t postgresql_tmp_t : lnk_file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename } ;
   allow sysadm_t postgresql_log_t : file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open } ;
   allow postgresql_t sepgsql_table_type : db_tuple { relabelfrom relabelto use select update insert delete } ;
   allow sysadm_t postgresql_etc_t : fifo_file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open } ;
   allow sysadm_t postgresql_db_t : lnk_file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename } ;
   allow sysadm_t postgresql_etc_t : file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open } ;
   allow sysadm_t postgresql_tmp_t : file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open } ;
   allow sysadm_t postgresql_log_t : lnk_file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename } ;
   allow dbadm_t postgresql_log_t : file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open } ;
   allow postgresql_t sepgsql_table_type : db_table { create drop getattr setattr relabelfrom relabelto select update insert delete lock } ;
   allow postgresql_t sepgsql_view_type : db_view { create drop getattr setattr relabelfrom relabelto expand } ;
   allow sysadm_t postgresql_log_t : sock_file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open } ;
   allow dbadm_t postgresql_log_t : lnk_file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename } ;
   allow dbadm_t postgresql_tmp_t : sock_file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open } ;
   allow postgresql_t sepgsql_schema_type : db_schema { create drop getattr setattr relabelfrom relabelto search add_name remove_name } ;
   allow sysadm_t postgresql_var_run_t : fifo_file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open } ;
   allow dbadm_t postgresql_var_run_t : fifo_file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open } ;
   allow dbadm_t postgresql_log_t : dir { ioctl read write create getattr setattr lock relabelfrom relabelto unlink link rename add_name remove_name reparent search rmdir open } ;
   allow sysadm_t postgresql_tmp_t : dir { ioctl read write create getattr setattr lock relabelfrom relabelto unlink link rename add_name remove_name reparent search rmdir open } ;
   allow dbadm_t postgresql_tmp_t : dir { ioctl read write create getattr setattr lock relabelfrom relabelto unlink link rename add_name remove_name reparent search rmdir open } ;
   allow dbadm_t postgresql_log_t : fifo_file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open } ;
   allow dbadm_t postgresql_db_t : lnk_file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename } ;
   allow dbadm_t postgresql_etc_t : dir { ioctl read write create getattr setattr lock relabelfrom relabelto unlink link rename add_name remove_name reparent search rmdir open } ;
   allow postgresql_t sepgsql_procedure_type : db_procedure { create drop getattr setattr relabelfrom relabelto execute entrypoint install } ;
   allow sysadm_t postgresql_log_t : dir { ioctl read write create getattr setattr lock relabelfrom relabelto unlink link rename add_name remove_name reparent search rmdir open } ;
   allow dbadm_t postgresql_tmp_t : file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open } ;
   allow dbadm_t postgresql_etc_t : sock_file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open } ;
   allow dbadm_t postgresql_etc_t : fifo_file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open } ;
   allow sysadm_t postgresql_tmp_t : lnk_file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename } ;
   allow dbadm_t postgresql_var_run_t : file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open } ;
   allow postgresql_t sepgsql_sequence_type : db_sequence { create drop getattr setattr relabelfrom relabelto get_value next_value set_value } ;
   allow postgresql_t sepgsql_table_type : db_column { create drop getattr setattr relabelfrom relabelto select update insert } ;
   allow sysadm_t postgresql_etc_t : lnk_file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename } ;
   allow dbadm_t postgresql_tmp_t : fifo_file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open } ;
   allow dbadm_t postgresql_var_run_t : sock_file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open } ;
   allow dbadm_t postgresql_var_run_t : lnk_file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename } ;
   allow sysadm_t postgresql_etc_t : dir { ioctl read write create getattr setattr lock relabelfrom relabelto unlink link rename add_name remove_name reparent search rmdir open } ;
   allow sysadm_t postgresql_db_t : dir { ioctl read write create getattr setattr lock relabelfrom relabelto unlink link rename add_name remove_name reparent search rmdir open } ;
   allow dbadm_t postgresql_db_t : file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open } ;
   allow dbadm_t postgresql_log_t : sock_file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open } ;
   allow sysadm_t postgresql_db_t : fifo_file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open } ;
   allow sysadm_t postgresql_var_run_t : lnk_file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename } ;
   allow sysadm_t postgresql_var_run_t : file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open } ;
   allow postgresql_t security_t : security { compute_av compute_create check_context compute_relabel } ;
   allow dbadm_t postgresql_db_t : dir { ioctl read write create getattr setattr lock relabelfrom relabelto unlink link rename add_name remove_name reparent search rmdir open } ;
   allow sysadm_t postgresql_db_t : sock_file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open } ;
   allow postgresql_t sepgsql_temp_object_t : db_schema { create drop getattr setattr relabelfrom relabelto search add_name remove_name } ;
   allow sysadm_t postgresql_tmp_t : sock_file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open } ;
   allow sysadm_t postgresql_log_t : fifo_file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open } ;
   allow sysadm_t postgresql_tmp_t : fifo_file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open } ;
   allow postgresql_t sepgsql_blob_type : db_blob { create drop getattr setattr relabelfrom relabelto read write import export } ;
   allow sysadm_t postgresql_var_run_t : dir { ioctl read write create getattr setattr lock relabelfrom relabelto unlink link rename add_name remove_name reparent search rmdir open } ;
   allow dbadm_t postgresql_db_t : fifo_file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open } ;
   allow sysadm_t postgresql_db_t : file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open } ;
   allow dbadm_t postgresql_etc_t : file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open } ;