SELinux is preventing postgresql

Dear all,

My Foreman instance refused to start today, after running normally the
whole weekend.

The reason was selinux (sorry for the wrapping in the mail):

> Mar 27 09:30:12 foreman setroubleshoot: SELinux is preventing postgres from 'read, write' accesses on the file 000000010000000000000003. For complete SELinux messages. run sealert -l 4c591a78-465c-42f3-9bc5-621efa52c48a
> Mar 27 09:30:12 foreman python: SELinux is preventing postgres from 'read, write' accesses on the file 000000010000000000000003.
>
> ***** Plugin catchall_labels (83.8 confidence) suggests **************
>
> If you want to allow postgres to have read write access on the 000000010000000000000003 file
> Then you need to change the label on 000000010000000000000003
> Do
> # semanage fcontext -a -t FILE_TYPE '000000010000000000000003'
> where FILE_TYPE is one of the following: afs_cache_t, cluster_var_run_t, faillog_t, hugetlbfs_t, initrc_tmp_t, krb5_host_rcache_t, lastlog_t, postgresql_db_t, postgresql_lock_t, postgresql_log_t, postgresql_tmp_t, postgresql_var_run_t, puppet_tmp_t, security_t, user_cron_spool_t.
> Then execute:
> restorecon -v '000000010000000000000003'
>
>
> ***** Plugin catchall (17.1 confidence) suggests **************************
>
> If you believe that postgres should be allowed read write access on the 000000010000000000000003 file by default.
> Then you should report this as a bug.
> You can generate a local policy module to allow this access.
> Do
> allow this access for now by executing:
> # ausearch -c 'postgres' --raw | audit2allow -M my-postgres
> # semodule -i my-postgres.pp

I have not updated any packages since Friday, so I am puzzled why all of
a sudden this spits out an error. Anyway, I could solve this by
switching selinux to permissive temporarily.

But I wonder if the foreman selinux stuff should not include a
profile/exception/rule/… for this?

Johannes

--
Johannes Kastl
Linux Consultant & Trainer
Tel.: +49 (0) 151 2372 5802
Mail: kastl@b1-systems.de

B1 Systems GmbH
Osterfeldstraße 7 / 85088 Vohburg / http://www.b1-systems.de
GF: Ralph Dehner / Unternehmenssitz: Vohburg / AG: Ingolstadt,HRB 3537

Hello,

please pastebin (using a service) the AVC denials rather than
troubleshooter output.

Anyway, postgresql policy is not maintained by us, it's in RHEL or
CentOS. You had to do some update, or someone had to change the label.

If this is a production instance that was untouched, do a deep security
audit as well.

LZ

On Mon, Mar 27, 2017 at 9:41 AM, Johannes Kastl wrote:


Later,
Lukas @lzap Zapletal
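
Lukas asks for the raw AVC denials rather than the setroubleshoot text. The following shell script is added here as an example and is not part of this thread or of the Foreman project; it shows why the raw records are the more useful artifact. It parses records in the form `ausearch --raw` prints them and sorts each denial against the postgres process into the two cases the sealert output earlier in the thread offers: the file lost its label (so `restorecon` is the fix) or the file is labelled correctly and the policy itself lacks the rule (the "report this as a bug / audit2allow" branch). The audit records, inode numbers and the `var_lib_t` label are constructed, and the expected-label table is a two-entry excerpt written from memory of the RHEL/CentOS postgresql file contexts; on a real host replace it with `matchpathcon` or `semanage fcontext -l` output.

```shell
#!/bin/sh
# Added example (not from the thread or the Foreman project): triage raw AVC
# denials the way the two sealert suggestions imply. The audit records below
# are constructed to resemble the denial in the mail; the WAL segment
# 000000010000000000000003 is the file named there, the labels and inode
# numbers are made up.
SAMPLE_AUDIT='type=AVC msg=audit(1490599812.401:7731): avc:  denied  { read write } for  pid=2418 comm="postgres" path="/var/lib/pgsql/data/pg_xlog/000000010000000000000003" dev="dm-0" ino=403219 scontext=system_u:system_r:postgresql_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1490599812.401:7731): arch=c000003e syscall=2 success=no exit=-13 comm="postgres"
type=AVC msg=audit(1490599901.118:7740): avc:  denied  { write } for  pid=2418 comm="postgres" path="/var/run/postgresql/.s.PGSQL.5432.lock" dev="tmpfs" ino=18 scontext=system_u:system_r:postgresql_t:s0 tcontext=system_u:object_r:postgresql_var_run_t:s0 tclass=file'

# field RECORD KEY: print the value of KEY=value or KEY="value" in an audit record.
field() {
    case "$1" in
        *" $2="*) ;;
        *) return 0 ;;
    esac
    v=${1#* $2=}
    case "$v" in
        \"*) v=${v#\"}; v=${v%%\"*} ;;
        *)   v=${v%% *} ;;
    esac
    printf '%s' "$v"
}

# perms RECORD: the permission set between the braces, e.g. "read write".
perms() {
    p=${1#*\{ }
    printf '%s' "${p%% \}*}"
}

# ctx_type CONTEXT: the type field of user:role:type:level.
ctx_type() {
    t=${1#*:*:}
    printf '%s' "${t%%:*}"
}

# expected_type PATH: label the distribution policy assigns to PATH. This is a
# two-entry excerpt written from memory of the RHEL/CentOS postgresql file
# contexts (an assumption); on a real host derive it from `matchpathcon PATH`
# or `semanage fcontext -l` instead of trusting a table.
expected_type() {
    case "$1" in
        /var/lib/pgsql/*)      printf 'postgresql_db_t' ;;
        /var/run/postgresql/*) printf 'postgresql_var_run_t' ;;
        *)                     printf 'unknown' ;;
    esac
}

# triage_avc: read audit records on stdin (one per line, as `ausearch --raw`
# prints them) and emit one verdict per denial against the postgres process.
# A file whose current type differs from the policy's expected type was
# relabelled and only needs restorecon; a file that already carries the
# expected type points at a gap in the policy itself, which is what
# sealert's "report this as a bug / audit2allow" branch covers.
triage_avc() {
    while IFS= read -r line; do
        case "$line" in *"avc:  denied"*) ;; *) continue ;; esac
        [ "$(field "$line" comm)" = postgres ] || continue
        path=$(field "$line" path)
        cur=$(ctx_type "$(field "$line" tcontext)")
        exp=$(expected_type "$path")
        if [ "$cur" = "$exp" ]; then
            printf 'POLICY_GAP %s { %s } label %s already correct; rule missing from policy (report as bug, audit2allow for a stopgap)\n' \
                "$path" "$(perms "$line")" "$cur"
        else
            printf 'LABEL_MISMATCH %s { %s } current=%s expected=%s -> restorecon -v %s\n' \
                "$path" "$(perms "$line")" "$cur" "$exp" "$path"
        fi
    done
}

# triage_report: run the triage over the constructed sample.
triage_report() {
    printf '%s\n' "$SAMPLE_AUDIT" | triage_avc
}

triage_report
```

On a real host the sample would be replaced by `ausearch -m avc -c postgres --raw | triage_avc`. A WAL segment such as 000000010000000000000003 lives under the PostgreSQL data directory and is expected to carry postgresql_db_t, so a LABEL_MISMATCH verdict on it supports Lukas's reading that something relabelled the file, which is worth tracing in the audit and package logs rather than papering over with a local audit2allow module.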

Lukas Zapletal wrote:

> Anyway, postgresql policy is not maitaned by us, it's in RHEL or
> CentOS. You had to do some update, or someone had to change the label.
>
> If this is a production instance that was untouched, do deep security
> audit as well.

To my knowledge I have not installed any updates. I'll try to dig into
this, if I get the time…

--
Johannes Kastl
Linux Consultant & Trainer
Tel.: +49 (0) 151 2372 5802
Mail: kastl@b1-systems.de

B1 Systems GmbH
Osterfeldstraße 7 / 85088 Vohburg / http://www.b1-systems.de
GF: Ralph Dehner / Unternehmenssitz: Vohburg / AG: Ingolstadt,HRB 3537