Re: SELinux strangeness with 8.1.2 and 8.1.3

"Just Someone" <just(dot)some(at)gmail(dot)com> writes:
> Some more clues that might help you see if there's a real problem, is
> that the /var/lib/pgsql/data/postmaster.pid file is created with the a
> SELinux context that's different from the rest. It is created with
> system_u:object_r:file_t while the rest of the files are created with
> root:object_r:postgresql_db_t. And the postmaster (when using runuser)
> fails on accessing it according to the audit log.

Hmm. That seems like a SELinux policy bug. It doesn't happen for me:
the pid file is created with the same context the other files have.

-rw------- postgres postgres root:object_r:postgresql_db_t postmaster.pid

Are you sure that your SELinux policy is up-to-date? Maybe you need to
do a restorecon on the postgres binaries and/or /var/lib/pgsql/data.

> Some more info about the system:
> * FC4 fully updated
> * Postgres 8.1.3 built from the PGDG SRPMs
> * Dual Opteron

I tried it myself on a freshly-updated FC4 x86_64 system, using the current
FC5 SRPMs, and couldn't see a problem. Red Hat's SRPMs are not exactly
like the PGDG ones, but the only difference I can find that looks at all
relevant to SELinux is this one in the init script:

132c134
< [ -x /usr/bin/chcon ] && /usr/bin/chcon -u system_u -r object_r -t postgresql_log_t "$PGLOG"
---
> [ -x /usr/bin/chcon ] && /usr/bin/chcon -t postgresql_log_t "$PGLOG"

and that's not about the pid file.

regards, tom lane