Re: SELinux problem rsync'ing WAL logs

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Aleksey Tsalolikhin <atsaloli(dot)tech(at)gmail(dot)com>
Cc: pgsql-general(at)postgresql(dot)org
Subject: Re: SELinux problem rsync'ing WAL logs
Date: 2009-04-01 03:09:45
Message-ID: 23584.1238555385@sss.pgh.pa.us
Lists: pgsql-general

Aleksey Tsalolikhin <atsaloli(dot)tech(at)gmail(dot)com> writes:
> On Tue, Mar 31, 2009 at 6:35 PM, David Wilson <david(dot)t(dot)wilson(at)gmail(dot)com> wrote:
>> Have you tested "ssh node2" as the postgres user with SELinux enabled?

> Yes, I have, it works fine. With SELinux enabled. That's why I've
> been tearing my hair out.

Ah, well, you need to understand one of the first points about SELinux:
the standard policy is designed to constrain daemon processes, not
interactive processes. So you can run some command when logged in as
postgres, and whether that works has nothing whatever to do with whether
SELinux will let the postgres daemon do it.

> I am running Fedora Core 6 on node 1. (Upgrade to CentOS 5.2 is in
> the works.)

Yes, I'd suggest getting off FC6 soon. In my experience the SELinux
policy didn't start to "just work" until around FC8. In particular
I recall that FC6 had a bad habit of trying to rate-limit AVC messages
to the point where you could not figure out whether (much less why)
it was denying any particular thing you tried.

My advice is don't even bother trying to debug this on FC6. Get onto a
newer platform with a less buggy SELinux implementation, or just turn
off SELinux.

regards, tom lane
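
An added example, not part of the original message: a small parser for AVC denial records that shows why a test from a login shell says nothing about the daemon, because each denial is keyed on the source domain in scontext. The log lines, the two contexts and the type names (postgresql_t, unconfined_t, rsync_exec_t, ssh_exec_t) are constructed or assumed from the targeted policy.

```python
import re

# Constructed audit.log excerpt (not from the thread). Type names are assumed
# from the targeted/reference policy: postgresql_t, rsync_exec_t, ssh_exec_t.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1238550000.101:410): avc:  denied  { execute } for  pid=2914 comm="sh" name="rsync" dev=sda1 ino=98113 scontext=system_u:system_r:postgresql_t:s0 tcontext=system_u:object_r:rsync_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1238550000.101:410): arch=40000003 syscall=11 success=no exit=-13 comm="sh" exe="/bin/bash"
type=AVC msg=audit(1238550060.207:415): avc:  denied  { execute getattr } for  pid=2951 comm="rsync" name="ssh" dev=sda1 ino=98201 scontext=system_u:system_r:postgresql_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file
"""
# Constructed contexts: what `ps -Z` might report for the daemon and `id -Z`
# for a login shell under the targeted policy (assumption).
DAEMON_CONTEXT = "system_u:system_r:postgresql_t:s0"
INTERACTIVE_CONTEXT = "user_u:system_r:unconfined_t:s0"

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def selinux_type(context):
    """Return the type (domain) field of user:role:type[:level]."""
    parts = context.split(":", 3)  # the MLS level may itself contain colons
    if len(parts) < 3:
        raise ValueError(f"not an SELinux context: {context!r}")
    return parts[2]

def parse_denials(log_text):
    """Extract one dict per AVC denial; other record types are skipped."""
    denials = []
    for line in log_text.splitlines():
        match = AVC_RE.search(line) if line.startswith("type=AVC") else None
        if not match:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(match.group("fields"))}
        denials.append({
            "source": selinux_type(fields["scontext"]),
            "target": selinux_type(fields["tcontext"]),
            "tclass": fields["tclass"],
            "perms": match.group("perms").split(),
            "comm": fields.get("comm", "?"),
        })
    return denials

def denials_applying_to(context, denials):
    """Denials whose source domain matches the domain of the given context."""
    return [d for d in denials if d["source"] == selinux_type(context)]

if __name__ == "__main__":
    parsed = parse_denials(SAMPLE_AUDIT_LOG)
    for label, ctx in (("daemon", DAEMON_CONTEXT), ("login shell", INTERACTIVE_CONTEXT)):
        print(label, selinux_type(ctx), len(denials_applying_to(ctx, parsed)), "denials")
```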
