From: | Mike Palmiotto <mike(dot)palmiotto(at)crunchydata(dot)com> |
---|---|
To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
Cc: | pgsql-hackers(at)lists(dot)postgresql(dot)org, Joe Conway <mail(at)joeconway(dot)com> |
Subject: | Re: sepgsql seems rather thoroughly broken on Fedora 30 |
Date: | 2019-07-19 13:37:45 |
Message-ID: | CAMN686F4MiHK9qn_CnNk4X1iDjFGDU8h6kb7iVCtbN4NEOVDwg@mail.gmail.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
On Thu, Jul 18, 2019 at 11:06 PM Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
>
> Mike Palmiotto <mike(dot)palmiotto(at)crunchydata(dot)com> writes:
> > On Wed, Jul 17, 2019 at 12:32 PM Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> >> $ runcon -t sepgsql_regtest_user_t psql --help
> >> psql: fatal: could not look up effective user ID 1000: user does not exist
You can rule out SELinux for this piece by running `sudo setenforce
0`. If the `runcon ... psql` command works in Permissive we should
look at your audit log to determine what is being denied. audit2allow
will provide a summary of the SELinux denials and is generally a good
starting point:
# grep denied /var/log/audit/audit.log | audit2allow
If SELinux is indeed the issue here and you want to avoid doing all of
this detective work, it may be a good idea to just run a system-wide
restorecon (assuming you didn't already do that before) to make sure
your labels are in a decent state.
FWIW, this appears to be working on my recently-installed F30 VM:
% runcon -t sepgsql_regtest_user_t psql --help &> /dev/null
% echo $?
0
Hopefully a system-wide `restorecon` just magically fixes this for
you. Otherwise, we can start digging into denials.
--
Mike Palmiotto
Software Engineer
Crunchy Data Solutions
https://crunchydata.com
From | Date | Subject | |
---|---|---|---|
Next Message | Ian Barwick | 2019-07-19 13:40:42 | Re: [PATCH] minor bugfix for pg_basebackup (9.6 ~ ) |
Previous Message | Robert Haas | 2019-07-19 13:07:27 | Re: POC: Cleaning up orphaned files using undo logs |