PostgreSQL WAL log shipping does not work on Fedora 6 with SE Linux enabled... no error message. What gives?

Hi.  I am trying to enable WAL log shipping on our PostgreSQL 8.1.10
(upgrade to 8.3.7 is in the works) running on Fedora Core 6 (upgrade
to a more recent version is in the works).

My PostgreSQL archive_command is 'rsync %p postgres@node2:/file/to/$f
</dev/null'

This works fine if and only if SE Linux is disabled on node 1
(the source node).

I used audit2allow on the SELinux messages, and generated an SE Linux
module to allow Postgres to rsync the files out...

allow postgresql_t ssh_exec_t:file { read execute execute_no_trans };
allow postgresql_t ssh_port_t:tcp_socket name_connect;
allow postgresql_t user_home_t:dir { search getattr };
allow postgresql_t user_home_t:file { read getattr };

But the automated rsync by PostgreSQL still does not work.  (Works
fine if I disable SELinux, by the way.)

The error I get in the PostgreSQL log is:


LOG:  archive command "/usr/local/bin/rsync -e /usr/bin/ssh
pg_xlog/000000010000001D00000015
postgres@node2:WAL/000000010000001D00000015 </dev/null" failed: return
code 65280
Could not create directory '/home/postgres/.ssh'.
Host key verification failed.
rsync: connection unexpectedly closed (0 bytes received so far) [sender]
rsync error: unexplained error (code 255) at io.c(632) [sender=3.0.4]

If anybody has any clue as to what's going on here, I would sure
appreciate your help.

"ssh node2" works fine from node1; I log in using key-based authentication.

What stumps me is there are no further complaints from SELinux in any
log, but clearly SELinux is blocking the connection.

Thanks,
-at


-- 
Aleksey Tsalolikhin
UNIX System Administrator
"I get stuff done!"
http://www.verticalsysadmin.com/
LinkedIn - http://www.linkedin.com/in/atsaloli

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
