Wednesday, November 28, 2018

Fixing SELinux Warnings for Postgres after changing the data directory

We moved the postgres data directory from its default location /var/lib/pgsql/data to /opt/localdrive/postgres.

This produced a steady stream of warnings in the SELinux audit log. The postgres service kept running only because SELinux was in permissive mode (denials are logged but not enforced); the log filled with entries like the ones below.

$ sudo tail -f /var/log/audit/audit.log
type=AVC msg=audit(1543413248.637:5277): avc:  denied  { getattr } for  pid=5285 comm="postgres" path="/opt/localdrive/postgres/base/16386/PG_VERSION" dev="sdb1" ino=1725 scontext=system_u:system_r:postgresql_t:s0 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=file
type=SYSCALL msg=audit(1543413248.637:5277): arch=c000003e syscall=5 success=yes exit=0 a0=5 a1=7ffef5d9e1f0 a2=7ffef5d9e1f0 a3=1 items=0 ppid=1314 pid=5285 auid=4294967295 uid=26 gid=26 euid=26 suid=26 fsuid=26 egid=26 sgid=26 fsgid=26 tty=(none) ses=4294967295 comm="postgres" exe="/usr/bin/postgres" subj=system_u:system_r:postgresql_t:s0 key=(null)
type=PROCTITLE msg=audit(1543413248.637:5277): proctitle=706F7374677265733A206175746F76616375756D20776F726B65722070726F63657373202020
type=AVC msg=audit(1543413248.638:5278): avc:  denied  { write } for  pid=5285 comm="postgres" name="12730" dev="sdb1" ino=1263 scontext=system_u:system_r:postgresql_t:s0 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=file
type=SYSCALL msg=audit(1543413248.638:5278): arch=c000003e syscall=2 success=yes exit=5 a0=2947210 a1=2 a2=180 a3=50 items=0 ppid=1314 pid=5285 auid=4294967295 uid=26 gid=26 euid=26 suid=26 fsuid=26 egid=26 sgid=26 fsgid=26 tty=(none) ses=4294967295 comm="postgres" exe="/usr/bin/postgres" subj=system_u:system_r:postgresql_t:s0 key=(null)
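As an added example (not part of the original post), the shell function below pulls the fields that matter for triage out of AVC records like those above: the denied permission, the source and target SELinux types, and the object path or name. The sample records are constructed inline from the two AVC lines above so the script runs offline; a target type of unlabeled_t is the tell-tale sign of a directory that was moved without being relabelled.

```shell
#!/usr/bin/env bash
# Constructed sample: the two AVC records from the post plus one SYSCALL
# record, so the parser can be exercised without access to /var/log/audit.
SAMPLE_AUDIT='type=AVC msg=audit(1543413248.637:5277): avc:  denied  { getattr } for  pid=5285 comm="postgres" path="/opt/localdrive/postgres/base/16386/PG_VERSION" dev="sdb1" ino=1725 scontext=system_u:system_r:postgresql_t:s0 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=file
type=SYSCALL msg=audit(1543413248.637:5277): arch=c000003e syscall=5 success=yes exit=0 a0=5 a1=7ffef5d9e1f0 a2=7ffef5d9e1f0 a3=1 items=0 ppid=1314 pid=5285 auid=4294967295 uid=26 gid=26 comm="postgres" exe="/usr/bin/postgres" subj=system_u:system_r:postgresql_t:s0 key=(null)
type=AVC msg=audit(1543413248.638:5278): avc:  denied  { write } for  pid=5285 comm="postgres" name="12730" dev="sdb1" ino=1263 scontext=system_u:system_r:postgresql_t:s0 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=file'

# avc_summary: read audit records on stdin, print one line per AVC denial:
#   <permission> <source type> <target type> <path or name>
# SYSCALL/PROCTITLE records and non-denial AVC records are skipped.
avc_summary() {
  awk '
    /^type=AVC / && / denied / {
      perm = ""; obj = ""; stype = ""; ttype = ""
      # permission set is the text between "{ " and " }"
      if (match($0, /\{ [^}]* \}/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^path=/) { obj = $i; sub(/^path="?/, "", obj); sub(/"$/, "", obj) }
        else if ($i ~ /^name=/ && obj == "") { obj = $i; sub(/^name="?/, "", obj); sub(/"$/, "", obj) }
        # contexts are user:role:type:level; the type is the third field
        else if ($i ~ /^scontext=/) { split($i, a, ":"); stype = a[3] }
        else if ($i ~ /^tcontext=/) { split($i, a, ":"); ttype = a[3] }
      }
      print perm, stype, ttype, obj
    }'
}

# count_unlabeled: number of denials whose target type is unlabeled_t, i.e.
# objects that carry no label and almost certainly still need restorecon.
count_unlabeled() {
  avc_summary | awk '$3 == "unlabeled_t"' | wc -l | tr -d ' '
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_AUDIT" | avc_summary
printf 'unlabeled targets: %s\n' "$(printf '%s\n' "$SAMPLE_AUDIT" | count_unlabeled)"
```

Feeding the real log (or the output of `ausearch -m avc`) through `avc_summary` before and after the relabel is a quick check that the fix took: the unlabeled_t count should drop to zero, and `ls -Z` on the data directory should then show postgresql_db_t instead of unlabeled_t.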


To fix this, we had to perform a number of steps:

Add an SELinux file-context rule mapping the new postgres data directory to the postgresql_db_t type, then relabel the directory tree so the on-disk labels match the rule
$ sudo semanage fcontext -a -t postgresql_db_t "/opt/localdrive/postgres(/.*)?"

$ sudo restorecon -R -v /opt/localdrive/postgres


Restart the Postgres service
$ sudo service postgresql restart


Now the audit "denied" logs are gone!
