Dr. Michael J. Chudobiak wrote:
Daniel J Walsh wrote:
Is there a way of running pg_dump and pg_dumpall under selinux,
without abandoning or rewriting the targeted policy?
Grab selinux-policy-targeted-1.17.30-2.62 off of
I still get errors. I can't run pg_dumpall as root or postgres:
[root@server2 log]# rpm -qa selinux-policy-targeted
selinux-policy-targeted-1.17.30-2.62
[root@server2 log]# grep pg_dumpall messages
Jan 4 09:50:13 server2 kernel: audit(1104850213.722:0): avc: denied
{ write } for pid=16053
exe=/usr/bin/pg_dumpall name=.s.PGSQL.5432 dev=md0 ino=213026
scontext=user_u:system_r:postgresql_t
tcontext=root:object_r:tmp_t tclass=sock_file
Jan 4 09:50:17 server2 kernel: audit(1104850217.630:0): avc: denied
{ write } for pid=16057
exe=/usr/bin/pg_dumpall name=.s.PGSQL.5432 dev=md0 ino=213026
scontext=user_u:system_r:postgresql_t
tcontext=root:object_r:tmp_t tclass=sock_file
Jan 4 09:50:29 server2 kernel: audit(1104850229.137:0): avc: denied
{ write } for pid=16133
exe=/usr/bin/pg_dumpall name=.s.PGSQL.5432 dev=md0 ino=213026
scontext=root:system_r:postgresql_t
tcontext=root:object_r:tmp_t tclass=sock_file
Jan 4 09:50:37 server2 kernel: audit(1104850237.546:0): avc: denied
{ write } for pid=16166
exe=/usr/bin/pg_dumpall name=.s.PGSQL.5432 dev=md0 ino=213026
scontext=user_u:system_r:postgresql_t
tcontext=root:object_r:tmp_t tclass=sock_file
Looks like postgresql is running under the wrong context.
Do a ps -eZ | grep postgres
It should not be running unconfined_t.
Any suggestions?
- Mike
