SELinux & Redhat
I think we should put some notes about SELinux causing issues with
pgsql in the OS notes or FAQ.
Myself and a few coworkers just spent a few hours tracking down why
pg_dump would produce no output. We'd fire it up in strace and we'd
see all the successful write calls, but not output.
We copied pg_dump from another machine and it worked fine, and that
machine was running the same OS & pg rpms.
Eventually we found it was SELinux was preventing pg_dump from
producing output.
Any thoughts? I could write up a short blurb but I'm not terribly
familiar with SELinux. We just disabled the whole thing to make it work.
For the record:
CentOS 4.0
postgresql-8.0.2-1PGDG.i686.rpm (and associated) rpms from
postgresql.org's ftp server
--
Jeff Trout <jeff@jefftrout.com>
http://www.jefftrout.com/
http://www.stuarthamm.net/
Jeff - wrote:
> I think we should put some notes about SELinux causing issues with
> pgsql in the OS notes or FAQ.
>
> Myself and a few coworkers just spent a few hours tracking down why
> pg_dump would produce no output. We'd fire it up in strace and we'd
> see all the successful write calls, but not output.
>
> We copied pg_dump from another machine and it worked fine, and that
> machine was running the same OS & pg rpms.
>
> Eventually we found it was SELinux was preventing pg_dump from
> producing output.
>
> Any thoughts? I could write up a short blurb but I'm not terribly
> familiar with selinux. we just disabled the whole thing to make it work.
>
> For the record:
> CentOS 4.0
> postgresql-8.0.2-1PGDG.i686.rpm (and associated) rpms from
> postgresql.org's ftp server
A blurb about what? No one else has reported such a problem so we have
no reason to assume it isn't a misconfiguration on your end.
--
Bruce Momjian | http://candle.pha.pa.us
pgman@candle.pha.pa.us | (610) 359-1001
+ If your life is a hard drive, | 13 Roberts Road
+ Christ can be your backup. | Newtown Square, Pennsylvania 19073
On Friday, 6 May 2005 16:55, Bruce Momjian wrote:
> A blurb about what? No one else has reported such a problem so we have
> no reason to assume it isn't a misconfiguration on your end.
*Countless* people are constantly reporting problems that can be attributed to
SELinux. We really need to write something about it. Of course, most
people, including myself, just solve these issues by turning off SELinux, but
I'd be interested in a more thorough treatment.
--
Peter Eisentraut
http://developer.postgresql.org/~petere/
Peter Eisentraut wrote:
> On Friday, 6 May 2005 16:55, Bruce Momjian wrote:
> > A blurb about what? No one else has reported such a problem so we have
> > no reason to assume it isn't a misconfiguration on your end.
>
> *Countless* people are constantly reporting problems that can be attributed to
> selinux. We really need to write something about it. Of course, most
> people, including myself, just solve these issues by turning off selinux, but
> I'd be interested in a more thorough treatment.
Who makes SE Linux? Is it SuSE? What would we say in an FAQ? I would
rather report something to people using that OS.
--
Bruce Momjian | http://candle.pha.pa.us
pgman@candle.pha.pa.us | (610) 359-1001
+ If your life is a hard drive, | 13 Roberts Road
+ Christ can be your backup. | Newtown Square, Pennsylvania 19073
Jeff - <threshar@torgo.978.org> writes:
> Eventually we found it was SELinux was preventing pg_dump from
> producing output.
That's a new one on me. Why was it doing that --- mislabeling on
the pg_dump executable, or what?
regards, tom lane
Peter Eisentraut <peter_e@gmx.net> writes:
> On Friday, 6 May 2005 16:55, Bruce Momjian wrote:
> > A blurb about what? No one else has reported such a problem so we have
> > no reason to assume it isn't a misconfiguration on your end.
>
> *Countless* people are constantly reporting problems that can be
> attributed to selinux.
That's mostly because selinux outright broke postgres in the initial
FC3 releases :-(. I have to take most of the blame for this myself;
I didn't realize there might be problems, and didn't test adequately.
I believe the problems are all resolved in the latest Fedora RPMs,
though this pg_dump report may be something new.
regards, tom lane
Hi,
On Fri, 6 May 2005, Tom Lane wrote:
> Jeff - <threshar@torgo.978.org> writes:
> > Eventually we found it was SELinux was preventing pg_dump from
> > producing output.
>
> That's a new one on me. Why was it doing that --- mislabeling on
> the pg_dump executable, or what?
Looking at the strace report that someone has sent me before, there is a
problem with devices:
===================================================================
<snip>
fstat64(1, {st_mode=S_IFCHR|0666, st_rdev=makedev(1, 3), ...}) = 0
ioctl(1, SNDCTL_TMR_TIMEBASE or TCGETS, 0xbfe16a8c) = -1 ENOTTY (Inappropriate ioctl for device)
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7dee000
write(1, "pg_dump dumps a database as a te"..., 2367) = 2367
munmap(0xb7dee000, 4096) = 0
exit_group(0) = ?
===================================================================
This one is from a server with SELinux enabled. My server does not produce
this, and uses virtual console (as expected?). However with SELinux
enabled, it wants to use ramdisk (expected? I think no...)
Regards,
--
Devrim GUNDUZ
devrim~gunduz.org, devrim~PostgreSQL.org, devrim.gunduz~linux.org.tr
http://www.tdmsoft.com.tr http://www.gunduz.org
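The fstat64 line in that trace already says where stdout went: in Linux's device numbering a character device with major 1, minor 3 is /dev/null (the ramdisks are block devices on major 1; a virtual console is character major 4, a Unix98 pty slave is character major 136 to 143). A write() to /dev/null returns the full byte count, which is exactly the "successful write calls, but no output" symptom. The script below is an added example, not part of Devrim's message or of PostgreSQL: it reads an strace capture, classifies what fd 1 was from its fstat, and totals the bytes written to fd 1. The two captures it runs on are constructed from the fragments posted in this thread.

```shell
#!/bin/sh
# Added example (not from the thread): find out where fd 1 really pointed in an
# strace capture and how much was written there. A write() to /dev/null
# returns the full byte count, so strace shows "successful" writes while
# nothing ever appears.

# Constructed capture 1: the fragment Devrim posted (stdout is char device 1,3).
SAMPLE_STRACE_NULL='fstat64(1, {st_mode=S_IFCHR|0666, st_rdev=makedev(1, 3), ...}) = 0
ioctl(1, SNDCTL_TMR_TIMEBASE or TCGETS, 0xbfe16a8c) = -1 ENOTTY (Inappropriate ioctl for device)
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7dee000
write(1, "pg_dump dumps a database as a te"..., 2367) = 2367
munmap(0xb7dee000, 4096) = 0
exit_group(0) = ?'

# Constructed capture 2: stdout on a pseudo-terminal (Unix98 pty slave,
# char major 136) with the write sizes from the trace Jeff posted.
SAMPLE_STRACE_PTY='fstat64(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 0), ...}) = 0
write(1, "file_pkey; Type: CONSTRAINT; Sch"..., 4096) = 4096
write(1, "me: top3_cmtcount_idx; Type: IND"..., 3992) = 3992
exit_group(0) = ?'

# Read an strace log on stdin; print "<what fd 1 is><TAB><bytes written to fd 1>".
# Device classes follow the Linux device numbering (Documentation/admin-guide/devices.txt).
stdout_report() {
    awk '
    BEGIN { kind = "unknown"; bytes = 0 }
    /^fstat(64)?\(1, / {
        is_chr = ($0 ~ /S_IFCHR/)
        if (match($0, /makedev\([0-9]+, [0-9]+\)/)) {
            split(substr($0, RSTART + 8, RLENGTH - 9), mm, ", ")
            major = mm[1] + 0; minor = mm[2] + 0
            if (is_chr && major == 1 && minor == 3)          kind = "/dev/null"
            else if (is_chr && major == 4)                   kind = "virtual-console-or-serial"
            else if (is_chr && major == 5 && minor == 0)     kind = "controlling-tty"
            else if (is_chr && major >= 136 && major <= 143) kind = "pseudo-terminal"
            else if (!is_chr && major == 1)                  kind = "ramdisk"
            else                                             kind = "other-device"
        } else if ($0 ~ /S_IFREG/) kind = "regular-file"
        else if ($0 ~ /S_IFIFO/) kind = "pipe"
    }
    # Only count writes to fd 1 that returned a positive byte count.
    /^write\(1, / && match($0, /= -?[0-9]+$/) {
        n = substr($0, RSTART + 2) + 0
        if (n > 0) bytes += n
    }
    END { printf "%s\t%d\n", kind, bytes }'
}

# Demo: run both constructed captures.
printf '%s\n' "$SAMPLE_STRACE_NULL" | stdout_report
printf '%s\n' "$SAMPLE_STRACE_PTY"  | stdout_report
```

Run it as `strace -o trace.log pg_dump dbname; stdout_report < trace.log`: a report of `/dev/null` with a non-zero byte count means the process did its job and the bytes were discarded on the way out, which points at how stdout was set up (by the shell, a wrapper, or a policy decision) rather than at pg_dump itself.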
On Fri, May 06, 2005 at 11:21:26AM -0400, Bruce Momjian wrote:
> Peter Eisentraut wrote:
> > On Friday, 6 May 2005 16:55, Bruce Momjian wrote:
> > > A blurb about what? No one else has reported such a problem so we have
> > > no reason to assume it isn't a misconfiguration on your end.
> >
> > *Countless* people are constantly reporting problems that can be attributed to
> > selinux. We really need to write something about it. Of course, most
> > people, including myself, just solve these issues by turning off selinux, but
> > I'd be interested in a more thorough treatment.
>
> Who makes SE Linux? Is it SuSE? What would we say in an FAQ? I would
> rather report something to people using that OS.
It's linux-distribution agnostic. Redhat is including it on its
distributions, as is Debian. Not sure about the others but that is
already a large population. (Of course it's Linux only.)
--
Alvaro Herrera (<alvherre[@]dcc.uchile.cl>)
"Learn to be more ashamed before yourself than before others" (Democritus)
On May 6, 2005, at 11:23 AM, Tom Lane wrote:
> Jeff - <threshar@torgo.978.org> writes:
> > Eventually we found it was SELinux was preventing pg_dump from
> > producing output.
>
> That's a new one on me. Why was it doing that --- mislabeling on
> the pg_dump executable, or what?
We've got a stock CentOS 4 install
I nabbed the rpms I mentioned (8.0.2) (-rw-r--r-- 1 root root 2955126 May 4 11:51 postgresql-8.0.2-1PGDG.i686.rpm & company)
from /etc/selinux/targeted/contexts/files/file_contexts I see
file_contexts:/usr/bin/pg_dump -- system_u:object_r:postgresql_exec_t
file_contexts:/usr/bin/pg_dumpall -- system_u:object_r:postgresql_exec_t
Syslog logs:
May 6 09:01:25 starslice kernel: audit(1115384485.559:0): avc: denied { execute_no_trans } for pid=4485 exe=/bin/bash path=/usr/bin/pg_dump dev=sda3 ino=5272966 scontext=user_u:system_r:postgresql_t tcontext=system_u:object_r:postgresql_exec_t tclass=file
SELinux is on and under system-config-securitylevel's selinux tab,
"SELinux Protection services" disable postgresql is not clicked.
When I run pg_dump w/these settings the following happens running
pg_dump (.broken is the original file from the rpm)
bash-3.00$ /usr/bin/pg_dump.broken planet
bash-3.00$
Stracing it I get
....
write(1, "file_pkey; Type: CONSTRAINT; Sch"..., 4096) = 4096
write(1, "\n-- Name: userprofile_pkey; Type"..., 4096) = 4096
write(1, "_idx_1 OWNER TO planet;\n\n--\n-- N"..., 4096) = 4096
rt_sigaction(SIGPIPE, {SIG_IGN}, {SIG_DFL}, 8) = 0
send(3, "X\0\0\0\4", 5, 0) = 5
rt_sigaction(SIGPIPE, {SIG_DFL}, {SIG_IGN}, 8) = 0
close(3) = 0
write(1, "me: top3_cmtcount_idx; Type: IND"..., 3992) = 3992
munmap(0xb7df0000, 4096) = 0
exit_group(0) = ?
and what is interesting is it seems only sometimes things get logged
to syslog about the failure.
If I copy the file (not mv) it will work (possibly due to xattrs
being set?)
and if I disable pg checking, (or selinux all together) it works.
COOL, HUH?
--
Jeff Trout <jeff@jefftrout.com>
http://www.jefftrout.com/
http://www.stuarthamm.net/
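Jeff answered the two diagnostic questions by hand: what label policy expects for the binary (grepped out of file_contexts) and what the kernel actually denied (the AVC line in syslog). The script below is an added example, not code from the thread or from PostgreSQL, that automates both. The syslog extract and the file_contexts excerpt are constructed for the example (only the first AVC line is the one Jeff posted), and expected_context is a deliberately simplified model of what matchpathcon(1) does, not the libselinux algorithm.

```shell
#!/bin/sh
# Added example (not from the thread or from PostgreSQL): pull SELinux AVC
# denials out of a syslog extract and look up the label policy expects for
# a path, the two checks Jeff did by hand.

# Constructed syslog extract. Line 1 is the denial Jeff posted; the second
# denial, the "granted" line and the sshd line are made up to exercise the filter.
SAMPLE_LOG='May  6 09:01:25 starslice kernel: audit(1115384485.559:0): avc:  denied  { execute_no_trans } for  pid=4485 exe=/bin/bash path=/usr/bin/pg_dump dev=sda3 ino=5272966 scontext=user_u:system_r:postgresql_t tcontext=system_u:object_r:postgresql_exec_t tclass=file
May  6 09:01:26 starslice kernel: audit(1115384486.101:0): avc:  denied  { write } for  pid=4485 exe=/usr/bin/pg_dump path=/dev/pts/0 dev=devpts ino=3 scontext=user_u:system_r:postgresql_t tcontext=user_u:object_r:devpts_t tclass=chr_file
May  6 09:01:30 starslice kernel: audit(1115384490.500:0): avc:  granted  { read } for  pid=4490 exe=/usr/bin/psql path=/etc/hosts dev=sda3 ino=1021 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:etc_t tclass=file
May  6 09:02:00 starslice sshd[4501]: Accepted publickey for jeff from 192.0.2.10 port 51234 ssh2'

# Constructed excerpt in the format of
# /etc/selinux/targeted/contexts/files/file_contexts: path regex, optional
# file-type flag (-- means regular file), context. The real file is far longer.
FILE_CONTEXTS='/usr/bin(/.*)?           system_u:object_r:bin_t
/usr/bin/pg_dump        --      system_u:object_r:postgresql_exec_t
/usr/bin/pg_dumpall     --      system_u:object_r:postgresql_exec_t'

# Read log lines on stdin; print one TAB-separated record per denial:
# permission, source context, target context, object class, path ("-" if none).
avc_denials() {
    awk '
    /avc: +denied/ {
        perm = ""; sc = ""; tc = ""; cls = ""; path = "-"
        if (match($0, /\{[^}]*\}/)) {
            perm = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perm)
        }
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "scontext") sc = kv[2]
            else if (kv[1] == "tcontext") tc = kv[2]
            else if (kv[1] == "tclass") cls = kv[2]
            else if (kv[1] == "path") path = kv[2]
        }
        printf "%s\t%s\t%s\t%s\t%s\n", perm, sc, tc, cls, path
    }'
}

# Count denials per (permission, source, target, class) so a repeating policy
# decision stands out even when individual messages were rate-limited.
avc_summary() {
    avc_denials | cut -f1-4 | sort | uniq -c | sort -rn
}

# Which label does policy expect for $1? Reads file_contexts lines on stdin.
# Simplified model of matchpathcon(1): among the entries whose regex matches
# the whole path, the one with the longest literal stem (text before the first
# regex metacharacter) wins, and a later entry wins a tie.
expected_context() {
    awk -v path="$1" '
    /^[[:space:]]*#/ || NF == 0 { next }
    {
        re = $1; ctx = $NF
        if (path !~ ("^" re "$")) next
        stem = re
        if (match(re, /[.*?+|(\[\\]/)) stem = substr(re, 1, RSTART - 1)
        if (length(stem) >= best_len) { best_len = length(stem); best = ctx }
    }
    END { if (best == "") best = "<<unlabelled>>"; print best }'
}

# Demo on the constructed data.
printf '%s\n' "$SAMPLE_LOG" | avc_summary
printf '%s\n' "$FILE_CONTEXTS" | expected_context /usr/bin/pg_dump
printf '%s\n' "$FILE_CONTEXTS" | expected_context /usr/bin/pg_dump.broken
```

On a live system the same comparison is `ls -Z /usr/bin/pg_dump` against `matchpathcon /usr/bin/pg_dump`, and `restorecon` re-applies the policy label when they disagree. The lookup also explains the copy-versus-move observation above: cp creates a new file that gets the directory's default label, whereas mv keeps the file's existing label, so the copied binary was not labelled postgresql_exec_t and was never confined to the postgresql domain.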
Jeff - <threshar@torgo.978.org> writes:
> When I run pg_dump w/these settings the following happens running
> pg_dump (.broken is the original file from the rpm)
> bash-3.00$ /usr/bin/pg_dump.broken planet
> bash-3.00$
Does it work if you direct the output into a file, instead of letting it
come to your terminal (which seems a bit useless anyway)?
I've been bugging dwalsh about the fact that the selinux policy
disallows writes to /dev/tty to things it thinks are daemons;
that seems pretty stupid. But pg_dump isn't a daemon so there's
no reason for it to be restricted this way anyway...
> and what is interesting is it seems only sometimes things get logged
> to syslog about the failure.
Someone told me there's a rate limit on selinux complaints going to
syslog, to keep it from swamping your logs. I suspect there are some
actual bugs there too, because I've noticed cases where an action was
blocked and there wasn't any log message, nor enough activity to
justify a rate limit. Feel free to file a bugzilla report if you can
get a reproducible case.
regards, tom lane
On May 6, 2005, at 11:57 AM, Tom Lane wrote:
> > bash-3.00$ /usr/bin/pg_dump.broken planet
> > bash-3.00$
>
> Does it work if you direct the output into a file, instead of letting it
> come to your terminal (which seems a bit useless anyway)?
Interesting.
Redirecting it worked, but I'm pretty sure at one point it didn't
work. (I could also be smoking crack).
Hmm.. piping it into another app worked.
I only found out about this when another developer here tried to run
it and got nothing.
In any case, it might be something useful to jot down somewhere.
--
Jeff Trout <jeff@jefftrout.com>
http://www.jefftrout.com/
http://www.stuarthamm.net/
After reading the comparisons between Opteron and Xeon processors for Linux,
I'd like to add an Opteron box to our stable of Dells and Sparcs, for comparison.
IBM, Sun and HP have their fairly pricey Opteron systems.
The IT people are not swell about unsupported purchases off ebay.
Anyone care to suggest any other vendors/distributors?
Looking for names with national support, so that we can recommend as much to our
customers.
Many thanks in advance.
--
"Dreams come true, not free." -- S.Sondheim
Mischa,
What kind of budget are you on? penguincomputing.com deals with
Opteron servers. I looked at a couple of their servers before deciding
on a HP DL145.
Ian
On 5/6/05, Mischa Sandberg <mischa.sandberg@telus.net> wrote:
> After reading the comparisons between Opteron and Xeon processors for Linux,
> I'd like to add an Opteron box to our stable of Dells and Sparcs, for comparison.
>
> IBM, Sun and HP have their fairly pricey Opteron systems.
> The IT people are not swell about unsupported purchases off ebay.
>
> Anyone care to suggest any other vendors/distributors?
> Looking for names with national support, so that we can recommend as much to our
> customers.
>
> Many thanks in advance.
>
> --
> "Dreams come true, not free." -- S.Sondheim
> IBM, Sun and HP have their fairly pricey Opteron systems.
> The IT people are not swell about unsupported purchases off ebay.
Mischa,
I certainly understand your concern, but the price and support
sometimes go hand-in-hand. You may have to pick your battles if you
want more bang for the buck or more support. I might be wrong on this,
but not everything you buy on E-Bay is unsupported.
We purchased a dual Opteron from Sun off their E-Bay store for about $3K
less than the "buy it now" price.
From an IT perspective, support is not as critical if I can do it
myself. If it is for business 24/7 operations, then the company should
be able to put some money behind what they want to put their business
on. Your mileage may vary.
Steve
Please wait a week before buying Sun v20z's or v40z's from off of Ebay
(j/k). (As I'm in the process of picking up a few) From everything I
hear the v20z/v40z's are a great way to go and I'll know more in 15 days
or so.
Regards,
Gavin
Steve Poe wrote:
> > IBM, Sun and HP have their fairly pricey Opteron systems.
> > The IT people are not swell about unsupported purchases off ebay.
>
> Mischa,
>
> I certainly understand your concern, but the price and support
> sometimes go hand-in-hand. You may have to pick your battles if you
> want more bang for the buck or more support. I might be wrong on this,
> but not everything you buy on E-Bay is unsupported.
>
> We purchased a dual Opteron from Sun off their E-Bay store for about
> $3K less than the "buy it now" price.
>
> From an IT perspective, support is not as critical if I can do it
> myself. If it is for business 24/7 operations, then the company should
> be able to put some money behind what they want to put their business
> on. Your mileage may vary.
>
> Steve
On Fri, May 06, 2005 at 02:39:11PM -0700, Mischa Sandberg wrote:
> IBM, Sun and HP have their fairly pricey Opteron systems.
We've had some quite good experiences with the HP boxes. They're not
cheap, it's true, but boy are they sweet.
A
--
Andrew Sullivan | ajs@crankycanuck.ca
In the future this spectacle of the middle classes shocking the avant-
garde will probably become the textbook definition of Postmodernism.
--Brad Holland
A-
> On Fri, May 06, 2005 at 02:39:11PM -0700, Mischa Sandberg wrote:
> > IBM, Sun and HP have their fairly pricey Opteron systems.
>
> We've had some quite good experiences with the HP boxes. They're not
> cheap, it's true, but boy are they sweet.
Question, though: is HP still using their proprietary RAID card? And, if so,
have they fixed its performance problems?
--
Josh Berkus
Aglio Database Solutions
San Francisco
Mischa Sandberg wrote:
> After reading the comparisons between Opteron and Xeon processors for Linux,
> I'd like to add an Opteron box to our stable of Dells and Sparcs, for comparison.
>
> IBM, Sun and HP have their fairly pricey Opteron systems.
> The IT people are not swell about unsupported purchases off ebay.
>
> Anyone care to suggest any other vendors/distributors?
Check out the Tyan Transport systems. Tyan are an ex Sparc clone manufacturer, and
released the second available Opteron board - widely considered the first serious
Opteron board to hit the market.
Sam.
Thanks to everyone for their pointers to suppliers of Opteron systems.
The system I'm pricing is under a tighter budget than a production machine,
because it will be for perftests. Our customers tend to run on Dells but
occasionally run on (Sun) Opterons.
Mischa Sandberg wrote:
> After reading the comparisons between Opteron and Xeon processors for Linux,
> I'd like to add an Opteron box to our stable of Dells and Sparcs, for comparison.
>
> IBM, Sun and HP have their fairly pricey Opteron systems.
> The IT people are not swell about unsupported purchases off ebay.
>
> Anyone care to suggest any other vendors/distributors?
> Looking for names with national support, so that we can recommend as much to our
> customers.
Monarch Computer http://www.monarchcomputer.com/
They have prebuilt and custom built systems.
--
Until later, Geoffrey