Ran into a bug when upgrading Foreman 1.24.2 with Katello 3.14.1 to the latest Foreman 2.0.0 with Katello 3.15.0. The upgrade could not complete with SELinux enabled. I disabled SELinux enforcing, and was able to complete the upgrade. Afterwards, I rebooted the server, and the web service could not start, as SELinux blocked access to the PostgreSQL unix socket. Enabling the passenger_can_connect_all sebool allowed Foreman/Katello to work normally again.
Can you please provide the denials you see from the audit log?
Passenger is allowed to connect to postgres both locally or via TCP by default:
# Allow Foreman to connect to PostgreSQL
corenet_tcp_connect_postgresql_port(passenger_t)
optional_policy(`
postgresql_stream_connect(passenger_t)
')
You need to share those denials.
Sorry, just getting back to this.
The AVC denials without the passenger_can_connect_all set are as follows:
type=AVC msg=audit(1589403562.352:204): avc: denied { connectto } for pid=2018 comm="ruby" path="/run/postgresql/.s.PGSQL.5432" scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket permissive=0
Thanks, could easily be a @packaging issue. Looks like postgresql UNIX stream socket is mislabelled:
#!!!! The file '/run/postgresql/.s.PGSQL.5432' is mislabeled on your system.
#!!!! Fix with $ restorecon -R -v /run/postgresql/.s.PGSQL.5432
allow passenger_t initrc_t:unix_stream_socket connectto;
Can you run restorecon -Rvn /run/postgresql /var/run/postgresql please? This is a dry run, this will not do anything yet.
I am wondering in which context the postgresql daemon is running, as it should create files under var_run_t with postgresql_var_run_t. initrc_t sounds like it has not transitioned to the daemon's domain postgresql_t.
So can you also verify if the postgresql daemon is running correctly (ps -efZ | grep postgresql_t should show the daemon if running correctly) and, if not, whether the daemon's binary is labeled with postgresql_exec_t (ls -lZ /opt/rh/rh-postgresql12/root/bin/postgres)?
Outputs of the above commands:
[ ~]$ ps -efZ | grep postgresql_t
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 ejarman+ 4313 3722 0 10:23 pts/0 00:00:00 grep --color=auto postgresql_t
[ ~]$ ls -lZ /opt/rh/rh-postgresql12/root/bin/postgres
-rwxr-xr-x. root root system_u:object_r:postgresql_exec_t:s0 /opt/rh/rh-postgresql12/root/bin/postgres
[ ~]$ restorecon -Rvn /run/postgresql /var/run/postgresql
[ ~]$ ls -laZ /run/postgresql/
drwxr-xr-x. postgres postgres system_u:object_r:postgresql_var_run_t:s0 .
drwxr-xr-x. root root system_u:object_r:var_run_t:s0 ..
srwxrwxrwx. postgres postgres system_u:object_r:postgresql_var_run_t:s0 .s.PGSQL.5432
-rw-------. postgres postgres system_u:object_r:postgresql_var_run_t:s0 .s.PGSQL.5432.lock
[ ~]$ ls -laZ /var/run/postgresql
drwxr-xr-x. postgres postgres system_u:object_r:postgresql_var_run_t:s0 .
drwxr-xr-x. root root system_u:object_r:var_run_t:s0 ..
srwxrwxrwx. postgres postgres system_u:object_r:postgresql_var_run_t:s0 .s.PGSQL.5432
-rw-------. postgres postgres system_u:object_r:postgresql_var_run_t:s0 .s.PGSQL.5432.lock
[ ~]$ ps -efZ | grep postmaster
system_u:system_r:initrc_t:s0 postgres 1316 1 0 May13 ? 00:00:05 postmaster -D /var/opt/rh/rh-postgresql12/lib/pgsql/data
So the output of the ps and ls commands indicates that postgres is correctly set up to transition into its domain but is not running in it at the moment.
Was it perhaps started manually, not using systemd? Or via a wrapper script which could be mislabeled? I am not sure how it got into this state, but it is at least not normal.
Are you able to restart the postgresql daemon at the moment? If yes, does it run in its domain after a restart via systemctl?
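As an added illustration of the reasoning in this thread (not code from the thread, from Foreman or from Katello): a small Python check that parses an AVC record together with the ps -efZ and ls -lZ evidence asked for above and tells a mislabelled binary apart from a daemon that simply never transitioned into its domain. The sample inputs are constructed after the outputs quoted in this thread, and the function names are mine.

```python
import re

# Constructed samples modelled on the outputs quoted in this thread (not the
# poster's exact lines): one AVC record, one "ps -efZ" listing, one "ls -lZ" line.
SAMPLE_AVC = ('type=AVC msg=audit(1589403562.352:204): avc: denied { connectto } for '
              'pid=2018 comm="ruby" path="/run/postgresql/.s.PGSQL.5432" '
              'scontext=system_u:system_r:passenger_t:s0 '
              'tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket permissive=0')
SAMPLE_PS = ('system_u:system_r:initrc_t:s0 postgres 1316 1 0 May13 ? 00:00:05 '
             'postmaster -D /var/opt/rh/rh-postgresql12/lib/pgsql/data\n'
             'unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 user 4313 3722 0 10:23 '
             'pts/0 00:00:00 grep --color=auto postmaster\n')
SAMPLE_LS = ('-rwxr-xr-x. root root system_u:object_r:postgresql_exec_t:s0 '
             '/opt/rh/rh-postgresql12/root/usr/bin/postgres')

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Turn one audit AVC record into a dict of its key=value fields plus 'perms'."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {'perms': m.group('perms').split()}
    for key, val in FIELD_RE.findall(m.group('rest')):
        rec[key] = val.strip('"')
    return rec


def type_of(context):
    """user:role:type:level -> type, e.g. system_u:system_r:passenger_t:s0 -> passenger_t."""
    return context.split(':')[2]


def process_domains(ps_efz_output, command):
    """Domains of every process in 'ps -efZ' output whose command starts with `command`."""
    domains = set()
    for line in ps_efz_output.splitlines():
        parts = line.split(None, 8)  # LABEL UID PID PPID C STIME TTY TIME CMD
        if len(parts) == 9 and parts[8].startswith(command):
            domains.add(type_of(parts[0]))
    return domains


def diagnose(avc_line, ps_efz_output, ls_lz_line, daemon='postmaster',
             daemon_domain='postgresql_t', exec_type='postgresql_exec_t'):
    """Classify a connectto denial the way the thread reasons about it.

    For unix_stream_socket connectto the tcontext is the listening process's
    domain, not the socket file's label, so a tcontext of initrc_t means the
    daemon never transitioned; restorecon on the socket path cannot fix that.
    """
    avc = parse_avc(avc_line)
    if avc is None or avc.get('tclass') != 'unix_stream_socket' or 'connectto' not in avc['perms']:
        return 'not a unix_stream_socket connectto denial'
    peer = type_of(avc['tcontext'])
    if peer == daemon_domain:
        return f'daemon is in {daemon_domain}; policy for {type_of(avc["scontext"])} is missing or not loaded'
    binary_type = type_of(ls_lz_line.split()[3])  # perms owner group CONTEXT path
    if binary_type != exec_type:
        return f'binary labelled {binary_type}, expected {exec_type}: run restorecon on it'
    running = process_domains(ps_efz_output, daemon)
    if not running:
        return f'{daemon} is not running'
    if daemon_domain not in running:
        return (f'binary labelled {exec_type} but {daemon} runs as {", ".join(sorted(running))}: '
                'domain transition did not happen; check how the unit starts it')
    return 'daemon transitioned; denial predates the restart'
```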
The database was started via systemd. It gets the wrong security label both at reboot, and when reloading with sudo systemctl restart postgresql.
[ ~]$ sudo systemctl stop postgresql
[ ~]$ systemctl status postgresql
● postgresql.service - PostgreSQL database server
Loaded: loaded (/etc/systemd/system/postgresql.service; enabled; vendor preset: disabled)
Active: inactive (dead) since Thu 2020-05-14 17:18:45 CDT; 4s ago
Process: 1316 ExecStart=/bin/sh -c source scl_source enable rh-postgresql12 ; exec postmaster -D ${PGDATA} (code=exited, status=0/SUCCESS)
Process: 1258 ExecStartPre=/opt/rh/rh-postgresql12/root/usr/libexec/postgresql-check-db-dir %N (code=exited, status=0/SUCCESS)
Main PID: 1316 (code=exited, status=0/SUCCESS)
[ ~]$ sudo systemctl start postgresql
[ ~]$ ps -efZ | grep postmaster
system_u:system_r:initrc_t:s0 postgres 9167 1 1 17:18 ? 00:00:00 postmaster -D /var/opt/rh/rh-postgresql12/lib/pgsql/data
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 ejarman+ 9192 9004 0 17:19 pts/0 00:00:00 grep --color=auto postmaster
Please note: this system was upgraded to CentOS 7.8 before upgrading Foreman/Katello. It was initially built last year with Foreman 1.22 and Katello 3.13, and has been upgraded through versions since then.
I am running a bit out of ideas as everything seems correct except it does not transition.
I tested on my own system and it works as expected with and without sudo.
So the last thing we did not verify was the context of /etc/systemd/system/postgresql.service, which should be systemd_unit_file_t.
You could also verify the context of all files of a package with fixfiles, so for package in $(rpm -qa | grep postgres); do fixfiles -R $package check; done for all postgres packages. To change the label after checking you can run it again with restore instead of check.
We use PostgreSQL from RH SCL, SELinux handles SCLs automatically. It works fine for me:
[root@foreman ~]# ps axuZ | grep postgres
system_u:system_r:postgresql_t:s0 postgres 982 0.0 0.4 834256 52148 ? Ss 10:48 0:00 postmaster -D /var/opt/rh/rh-postgresql12/lib/pgsql/data
system_u:system_r:postgresql_t:s0 postgres 1458 0.0 0.0 251804 2060 ? Ss 10:48 0:00 postgres: logger
system_u:system_r:postgresql_t:s0 postgres 1830 0.0 0.0 834528 8092 ? Ss 10:48 0:00 postgres: checkpointer
system_u:system_r:postgresql_t:s0 postgres 1831 0.0 0.0 834392 6784 ? Ss 10:48 0:00 postgres: background writer
system_u:system_r:postgresql_t:s0 postgres 1832 0.0 0.1 834256 18664 ? Ss 10:48 0:00 postgres: walwriter
system_u:system_r:postgresql_t:s0 postgres 1834 0.0 0.0 835212 3340 ? Ss 10:48 0:00 postgres: autovacuum launcher
system_u:system_r:postgresql_t:s0 postgres 1835 0.0 0.0 252212 2424 ? Ss 10:48 0:00 postgres: stats collector
system_u:system_r:postgresql_t:s0 postgres 1836 0.0 0.0 835100 2804 ? Ss 10:48 0:00 postgres: logical replication launcher
system_u:system_r:postgresql_t:s0 postgres 9083 0.0 0.0 836752 11324 ? Ss 10:50 0:00 postgres: foreman foreman [local] idle
system_u:system_r:postgresql_t:s0 postgres 9084 0.0 0.0 836752 11320 ? Ss 10:50 0:00 postgres: foreman foreman [local] idle
system_u:system_r:postgresql_t:s0 postgres 9090 0.0 0.0 836580 9884 ? Ss 10:50 0:00 postgres: foreman foreman [local] idle
system_u:system_r:postgresql_t:s0 postgres 9092 0.0 0.0 835472 4928 ? Ss 10:50 0:00 postgres: foreman foreman [local] idle
system_u:system_r:postgresql_t:s0 postgres 9094 0.0 0.0 836584 8916 ? Ss 10:50 0:00 postgres: foreman foreman [local] idle
system_u:system_r:postgresql_t:s0 postgres 9105 0.0 0.0 836488 10192 ? Ss 10:50 0:00 postgres: foreman foreman [local] idle
system_u:system_r:postgresql_t:s0 postgres 9109 0.0 0.0 835472 4928 ? Ss 10:50 0:00 postgres: foreman foreman [local] idle
system_u:system_r:postgresql_t:s0 postgres 9144 0.0 0.0 835604 6776 ? Ss 10:50 0:00 postgres: foreman foreman [local] idle
system_u:system_r:postgresql_t:s0 postgres 9148 0.0 0.0 836384 8124 ? Ss 10:50 0:00 postgres: foreman foreman [local] idle
system_u:system_r:postgresql_t:s0 postgres 9149 0.0 0.0 835860 8080 ? Ss 10:50 0:00 postgres: foreman foreman [local] idle
system_u:system_r:postgresql_t:s0 postgres 9170 0.0 0.0 836368 8804 ? Ss 10:50 0:00 postgres: foreman foreman [local] idle
system_u:system_r:postgresql_t:s0 postgres 9173 0.0 0.0 836368 8528 ? Ss 10:50 0:00 postgres: foreman foreman [local] idle
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 9467 0.0 0.0 112816 968 pts/0 S+ 10:58 0:00 grep --color=auto postgres
[root@foreman ~]# semanage fcontext -l | grep /rh/
/var/opt/rh/rh-nginx18/log(/.*)? all files system_u:object_r:httpd_log_t:s0
/var/opt/rh/rh-redis32/redis(/.*)? regular file system_u:object_r:redis_exec_t:s0
/etc/opt/rh/rh-nginx18/nginx(/.*)? all files system_u:object_r:httpd_config_t:s0
/var/opt/rh/rh-nginx18/lib/nginx(/.*)? all files system_u:object_r:httpd_var_lib_t:s0
/var/opt/rh/rh-nginx18/run/nginx(/.*)? all files system_u:object_r:httpd_var_run_t:s0
/opt/rh/rh-redis5/root = /
/var/opt/rh/rh-postgresql12 = /var
/etc/opt/rh/rh-postgresql12 = /etc
/etc/opt/rh/rh-redis5 = /etc
/var/opt/rh/rh-redis5 = /var
/opt/rh/rh-postgresql12/root = /
Can you paste (and format properly) the output of semanage fcontext -l | grep /rh/?
Have you ever played with SELinux (e.g. disabling it for a moment) on this deployment?
I suggest running a full restorecon: restorecon -FvvR / and rebooting the instance, or even better touch /.autorelabel with a reboot.
Dirk,
The context of /etc/systemd/system/postgresql.service is correct at systemd_unit_file_t.
The fixfiles check command flagged a few log files, and gave this error several times:
/sbin/restorecon: Warning no default label for /opt/rh/rh-postgresql12/root/proc
I am running the fixfiles … restore command now. I’ll reboot again, then check the rest of the file contexts as in the next message from Izap
[ ~]$ sudo semanage fcontext -l | grep /rh/
/var/opt/rh/rh-nginx18/log(/.*)? all files system_u:object_r:httpd_log_t:s0
/var/opt/rh/rh-redis32/redis(/.*)? regular file system_u:object_r:redis_exec_t:s0
/etc/opt/rh/rh-nginx18/nginx(/.*)? all files system_u:object_r:httpd_config_t:s0
/var/opt/rh/rh-nginx18/lib/nginx(/.*)? all files system_u:object_r:httpd_var_lib_t:s0
/var/opt/rh/rh-nginx18/run/nginx(/.*)? all files system_u:object_r:httpd_var_run_t:s0
/etc/opt/rh/rh-redis5 = /etc
/var/opt/rh/rh-mongodb34 = /var
/opt/rh/rh-redis5/root = /
/opt/rh/rh-mongodb34/root = /
/etc/opt/rh/rh-mongodb34 = /etc
/etc/opt/rh/rh-postgresql12 = /etc
/var/opt/rh/rh-redis5 = /var
/var/opt/rh/rh-postgresql12 = /var
/opt/rh/rh-postgresql12/root = /
[ ~]$
I’m running a full restorecon with restorecon -FvvR /
now, and have touched /.autorelabel to hit the root on boot.
The filesystems are very split out on this system, with all of the following configured as separate:
/
/boot
/home
/opt
/srv
/tmp
/var
/var/lib
/var/lib/pulp (nfs)
/var/www
Even after all the relabeling and rebooting, the postmaster process is still getting the wrong label on start.
[ ~]$ ps -efZ | grep postmaster
system_u:system_r:initrc_t:s0 postgres 1347 1 0 15:51 ? 00:00:00 postmaster -D /var/opt/rh/rh-postgresql12/lib/pgsql/data
Izap,
Forgot to specify, but mentioned it above,
The system works perfectly when either SELinux enforcing is disabled, or when setting setsebool -p passenger_can_connect_all=1.
This system is a DEV system that was taken out of active service a couple months ago when I kept getting mongod OOM crashes every time it ran a repo sync. The OEL repositories were particularly bad about that.
At this point, you need to investigate why postgres is not starting in its domain. It does on our default install, you appear to have everything set correctly.
Do you have the policy enabled? semanage module -l | grep post
Check the file label of the postmaster binary, it should have been something like postgres_exec_t or similar. That allows the transition into the target domain.
The policy appears to be enabled.
[ ~]$ sudo semanage module -l | grep post
postfix 100 pp
postgresql 100 pp
postgrey 100 pp
[ ~]$
The label is correct on the actual postgres binary, but is not on the symlink.
[ ~]$ ls -lZ /usr/bin/postmaster
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/bin/postmaster
[ ~]$ ls -lZ /opt/rh/rh-postgresql12/root/usr/bin/postmaster
lrwxrwxrwx. root root system_u:object_r:bin_t:s0 /opt/rh/rh-postgresql12/root/usr/bin/postmaster -> postgres
[ ~]$ ls -lZ /opt/rh/rh-postgresql12/root/usr/bin/postgres
-rwxr-xr-x. root root system_u:object_r:postgresql_exec_t:s0 /opt/rh/rh-postgresql12/root/usr/bin/postgres
I don’t see any references to a context for the symlinks when listing all file contexts for postgres.
[ ~]$ sudo semanage fcontext -l | grep postgre
/usr/bin/(se)?postgres regular file system_u:object_r:postgresql_exec_t:s0
/etc/postgrey(/.*)? all files system_u:object_r:postgrey_etc_t:s0
/var/lib/pgsql(/.*)? all files system_u:object_r:postgresql_db_t:s0
/etc/postgresql(/.*)? all files system_u:object_r:postgresql_etc_t:s0
/var/lib/pgsql/.*\.log all files system_u:object_r:postgresql_log_t:s0
/usr/bin/initdb(\.sepgsql)? regular file system_u:object_r:postgresql_exec_t:s0
/var/lib/sepgsql(/.*)? all files system_u:object_r:postgresql_db_t:s0
/var/lib/postgrey(/.*)? all files system_u:object_r:postgrey_var_lib_t:s0
/var/run/postgrey(/.*)? all files system_u:object_r:postgrey_var_run_t:s0
/var/lib/postgres(ql)?(/.*)? all files system_u:object_r:postgresql_db_t:s0
/etc/rc\.d/init\.d/(se)?postgresql regular file system_u:object_r:postgresql_initrc_exec_t:s0
/var/log/rhdb/rhdb(/.*)? all files system_u:object_r:postgresql_log_t:s0
/var/log/postgresql(/.*)? all files system_u:object_r:postgresql_log_t:s0
/var/run/postgresql(/.*)? all files system_u:object_r:postgresql_var_run_t:s0
/etc/sysconfig/pgsql(/.*)? all files system_u:object_r:postgresql_etc_t:s0
/var/log/postgres\.log.* regular file system_u:object_r:postgresql_log_t:s0
/usr/share/jonas/pgsql(/.*)? all files system_u:object_r:postgresql_db_t:s0
/var/lib/pgsql/logfile(/.*)? all files system_u:object_r:postgresql_log_t:s0
/usr/lib/postgresql/bin/.* regular file system_u:object_r:postgresql_exec_t:s0
/var/log/sepostgresql\.log.* regular file system_u:object_r:postgresql_log_t:s0
/var/lib/pgsql/data/pg_log(/.*)? all files system_u:object_r:postgresql_log_t:s0
/usr/lib/pgsql/test/regress(/.*)? all files system_u:object_r:postgresql_db_t:s0
/var/spool/postfix/postgrey(/.*)? all files system_u:object_r:postgrey_spool_t:s0
/usr/share/munin/plugins/postgres_.* regular file system_u:object_r:services_munin_plugin_exec_t:s0
/usr/bin/pg_ctl regular file system_u:object_r:postgresql_exec_t:s0
/usr/sbin/postgrey regular file system_u:object_r:postgrey_exec_t:s0
/var/run/postgrey\.pid regular file system_u:object_r:postgrey_var_run_t:s0
/etc/rc\.d/init\.d/postgrey regular file system_u:object_r:postgrey_initrc_exec_t:s0
/usr/libexec/postgresql-ctl regular file system_u:object_r:postgresql_exec_t:s0
/var/lib/sepgsql/pgstartup\.log regular file system_u:object_r:postgresql_log_t:s0
/usr/bin/postgresql-check-db-dir regular file system_u:object_r:postgresql_exec_t:s0
/usr/lib/pgsql/test/regress/pg_regress regular file system_u:object_r:postgresql_exec_t:s0
/usr/libexec/postgresql-ctl all files system_u:object_r:postgresql_exec_t:s0
/etc/opt/rh/rh-postgresql12 = /etc
/usr/lib/systemd/system/rh-postgresql12-postgresql.service = /usr/lib/systemd/system/postgresql.service
/var/opt/rh/rh-postgresql12 = /var
/opt/rh/rh-postgresql12/root = /
[ ~]$
SCL is actually built into SELinux; it has this mapping so it automatically labels files correctly.
Well, I can confirm everything is same on my setup and postgres goes into the proper domain. Please reach out to SELinux team to find out what’s wrong. My SELinux knowledge is limited here.
I have definitely confirmed that the passenger contexts and rules are correct. Still working on what is wrong with the domain for rh-postgresql12
~]$ sudo sesearch --all | grep passenger_t | grep postgre
allow passenger_t postgresql_tmp_t : dir { getattr search open } ;
allow passenger_t postgresql_var_run_t : sock_file { write getattr append open } ;
allow passenger_t postgresql_port_t : tcp_socket name_connect ;
allow passenger_t postgresql_tmp_t : sock_file { write getattr append open } ;
allow passenger_t postgresql_var_run_t : dir { getattr search open } ;
allow passenger_t postgresql_t : unix_stream_socket connectto ;
There is no relabel rule allowing the switch to postgresql_exec_t though.
Looking for any missing or wrong versions of packages from the scl.
~]$ sudo sesearch --all | grep postgresql | grep relabel
allow sysadm_t postgresql_etc_t : sock_file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open } ;
allow sysadm_t postgresql_var_run_t : sock_file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open } ;
allow dbadm_t postgresql_etc_t : lnk_file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename } ;
allow postgresql_t sepgsql_database_type : db_database { create drop getattr setattr relabelfrom relabelto access install_module load_module get_param set_param } ;
allow dbadm_t postgresql_var_run_t : dir { ioctl read write create getattr setattr lock relabelfrom relabelto unlink link rename add_name remove_name reparent search rmdir open } ;
allow dbadm_t postgresql_db_t : sock_file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open } ;
allow dbadm_t postgresql_tmp_t : lnk_file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename } ;
allow sysadm_t postgresql_log_t : file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open } ;
allow postgresql_t sepgsql_table_type : db_tuple { relabelfrom relabelto use select update insert delete } ;
allow sysadm_t postgresql_etc_t : fifo_file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open } ;
allow sysadm_t postgresql_db_t : lnk_file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename } ;
allow sysadm_t postgresql_etc_t : file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open } ;
allow sysadm_t postgresql_tmp_t : file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open } ;
allow sysadm_t postgresql_log_t : lnk_file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename } ;
allow dbadm_t postgresql_log_t : file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open } ;
allow postgresql_t sepgsql_table_type : db_table { create drop getattr setattr relabelfrom relabelto select update insert delete lock } ;
allow postgresql_t sepgsql_view_type : db_view { create drop getattr setattr relabelfrom relabelto expand } ;
allow sysadm_t postgresql_log_t : sock_file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open } ;
allow dbadm_t postgresql_log_t : lnk_file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename } ;
allow dbadm_t postgresql_tmp_t : sock_file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open } ;
allow postgresql_t sepgsql_schema_type : db_schema { create drop getattr setattr relabelfrom relabelto search add_name remove_name } ;
allow sysadm_t postgresql_var_run_t : fifo_file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open } ;
allow dbadm_t postgresql_var_run_t : fifo_file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open } ;
allow dbadm_t postgresql_log_t : dir { ioctl read write create getattr setattr lock relabelfrom relabelto unlink link rename add_name remove_name reparent search rmdir open } ;
allow sysadm_t postgresql_tmp_t : dir { ioctl read write create getattr setattr lock relabelfrom relabelto unlink link rename add_name remove_name reparent search rmdir open } ;
allow dbadm_t postgresql_tmp_t : dir { ioctl read write create getattr setattr lock relabelfrom relabelto unlink link rename add_name remove_name reparent search rmdir open } ;
allow dbadm_t postgresql_log_t : fifo_file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open } ;
allow dbadm_t postgresql_db_t : lnk_file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename } ;
allow dbadm_t postgresql_etc_t : dir { ioctl read write create getattr setattr lock relabelfrom relabelto unlink link rename add_name remove_name reparent search rmdir open } ;
allow postgresql_t sepgsql_procedure_type : db_procedure { create drop getattr setattr relabelfrom relabelto execute entrypoint install } ;
allow sysadm_t postgresql_log_t : dir { ioctl read write create getattr setattr lock relabelfrom relabelto unlink link rename add_name remove_name reparent search rmdir open } ;
allow dbadm_t postgresql_tmp_t : file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open } ;
allow dbadm_t postgresql_etc_t : sock_file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open } ;
allow dbadm_t postgresql_etc_t : fifo_file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open } ;
allow sysadm_t postgresql_tmp_t : lnk_file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename } ;
allow dbadm_t postgresql_var_run_t : file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open } ;
allow postgresql_t sepgsql_sequence_type : db_sequence { create drop getattr setattr relabelfrom relabelto get_value next_value set_value } ;
allow postgresql_t sepgsql_table_type : db_column { create drop getattr setattr relabelfrom relabelto select update insert } ;
allow sysadm_t postgresql_etc_t : lnk_file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename } ;
allow dbadm_t postgresql_tmp_t : fifo_file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open } ;
allow dbadm_t postgresql_var_run_t : sock_file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open } ;
allow dbadm_t postgresql_var_run_t : lnk_file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename } ;
allow sysadm_t postgresql_etc_t : dir { ioctl read write create getattr setattr lock relabelfrom relabelto unlink link rename add_name remove_name reparent search rmdir open } ;
allow sysadm_t postgresql_db_t : dir { ioctl read write create getattr setattr lock relabelfrom relabelto unlink link rename add_name remove_name reparent search rmdir open } ;
allow dbadm_t postgresql_db_t : file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open } ;
allow dbadm_t postgresql_log_t : sock_file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open } ;
allow sysadm_t postgresql_db_t : fifo_file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open } ;
allow sysadm_t postgresql_var_run_t : lnk_file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename } ;
allow sysadm_t postgresql_var_run_t : file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open } ;
allow postgresql_t security_t : security { compute_av compute_create check_context compute_relabel } ;
allow dbadm_t postgresql_db_t : dir { ioctl read write create getattr setattr lock relabelfrom relabelto unlink link rename add_name remove_name reparent search rmdir open } ;
allow sysadm_t postgresql_db_t : sock_file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open } ;
allow postgresql_t sepgsql_temp_object_t : db_schema { create drop getattr setattr relabelfrom relabelto search add_name remove_name } ;
allow sysadm_t postgresql_tmp_t : sock_file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open } ;
allow sysadm_t postgresql_log_t : fifo_file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open } ;
allow sysadm_t postgresql_tmp_t : fifo_file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open } ;
allow postgresql_t sepgsql_blob_type : db_blob { create drop getattr setattr relabelfrom relabelto read write import export } ;
allow sysadm_t postgresql_var_run_t : dir { ioctl read write create getattr setattr lock relabelfrom relabelto unlink link rename add_name remove_name reparent search rmdir open } ;
allow dbadm_t postgresql_db_t : fifo_file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open } ;
allow sysadm_t postgresql_db_t : file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open } ;
allow dbadm_t postgresql_etc_t : file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open } ;