From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
---|---|
To: | Aleksey Tsalolikhin <atsaloli(dot)tech(at)gmail(dot)com> |
Cc: | pgsql-general(at)postgresql(dot)org |
Subject: | Re: SELinux problem rsync'ing WAL logs |
Date: | 2009-04-01 03:09:45 |
Message-ID: | 23584.1238555385@sss.pgh.pa.us |
Lists: | pgsql-general |
Aleksey Tsalolikhin <atsaloli(dot)tech(at)gmail(dot)com> writes:
> On Tue, Mar 31, 2009 at 6:35 PM, David Wilson <david(dot)t(dot)wilson(at)gmail(dot)com> wrote:
>> Have you tested "ssh node2" as the postgres user with SELinux enabled?

> Yes, I have, it works fine. With SELinux enabled. That's why I've
> been tearing my hair out.

Ah, well, you need to understand one of the first points about SELinux:
the standard policy is designed to constrain daemon processes, not
interactive processes. So you can run some command when logged in as
postgres, and whether that works has nothing whatever to do with whether
SELinux will let the postgres daemon do it.

> I am running Fedora Core 6 on node 1. (Upgrade to CentOS 5.2 is in
> the works.)

Yes, I'd suggest getting off FC6 soon. In my experience the SELinux
policy didn't start to "just work" until around FC8. In particular
I recall that FC6 had a bad habit of trying to rate-limit AVC messages
to the point where you could not figure out whether (much less why)
it was denying any particular thing you tried.

My advice is don't even bother trying to debug this on FC6. Get onto a
newer platform with a less buggy SELinux implementation, or just turn
off SELinux.

regards, tom lane
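
Added example, not part of the original message: a small parser that groups AVC denials by the SELinux domain that was denied, which is how the daemon-versus-interactive difference described above shows up in an audit log. The log lines are constructed for illustration (they are not the denials from this thread), and the domain names `postgresql_t` and `unconfined_t` are assumed to be the daemon's and the login shell's domains.

```python
import re
from collections import defaultdict

# Constructed, abbreviated audit.log excerpt (not taken from the thread).
# Both denials carry the daemon's domain in scontext; nothing is logged
# for the interactive login domain.
SAMPLE_AUDIT_LOG = '''\
type=AVC msg=audit(1238555001.101:812): avc:  denied  { name_connect } for  pid=4107 comm="ssh" dest=22 scontext=system_u:system_r:postgresql_t:s0 tcontext=system_u:object_r:ssh_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1238555001.101:812): arch=40000003 syscall=102 success=no exit=-13 comm="ssh"
type=AVC msg=audit(1238555001.230:813): avc:  denied  { search } for  pid=4107 comm="rsync" name=".ssh" scontext=system_u:system_r:postgresql_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=dir
'''

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def selinux_type(context):
    """Return the type (domain) field of a user:role:type[:level] context."""
    return context.split(":")[2]


def denials_by_domain(log_text):
    """Group AVC denials by the source domain (type of scontext)."""
    grouped = defaultdict(list)
    for line in log_text.splitlines():
        match = AVC_RE.search(line)
        if not line.startswith("type=AVC") or not match:
            continue  # skip SYSCALL and other record types
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(match.group(2))}
        grouped[selinux_type(fields["scontext"])].append({
            "comm": fields.get("comm"),
            "perms": match.group(1).split(),
            "target": selinux_type(fields["tcontext"]),
            "tclass": fields.get("tclass"),
        })
    return dict(grouped)


def compare_domains(log_text, daemon_domain, shell_domain):
    """Count denials for the daemon's domain and for the login shell's domain."""
    grouped = denials_by_domain(log_text)
    return {d: len(grouped.get(d, [])) for d in (daemon_domain, shell_domain)}


if __name__ == "__main__":
    for domain, items in denials_by_domain(SAMPLE_AUDIT_LOG).items():
        for d in items:
            print(domain, d["comm"], d["perms"], d["target"], d["tclass"])
    print(compare_domains(SAMPLE_AUDIT_LOG, "postgresql_t", "unconfined_t"))
```

On a real host the two domains to compare come from `ps -eZ` for the running daemon and `id -Z` in the login shell.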