Обсуждение: pg_dump fails on 7.4 Postgres

This may be my second posting but I think I've done it correctly this time.
At this point, I am unable to do a pg_dump using our new Rec Hat
Enterprise Linux AS 4 version of Postgres which is version 7.4.
Here's what I get when I try to do a pg_dump of our database:

---------------------------------------------------------------------------------------------------------------------------
[~]$
[ ~]$ /usr/bin/pg_dump dcf_20050404 >& /~/dcf_20050404_`date +%y%m%d`.dmp
audit(1115732852.025:0): avc:  denied  { write } for  pid=11023
exe=/usr/bin/pg_dump path=/~/dcf_20050404_050510.dmp
dev=sda3 ino=5522308 scontext=user_u:system_r:postgresql_t
tcontext=user_u:object_r:file_t tclass=file
audit(1115732852.025:0): avc:  denied  { write } for  pid=11023
exe=/usr/bin/pg_dump path=//~/dcf_20050404_050510.dmp
dev=sda3 ino=5522308 scontext=user_u:system_r:postgresql_t
tcontext=user_u:object_r:file_t tclass=file
audit(1115732852.028:0): avc:  denied  { search } for  pid=11023
exe=/usr/bin/pg_dump name=/ dev=sda3 ino=2
scontext=user_u:system_r:postgresql_t tcontext=system_u:object_r:file_t
tclass=dir
[ ~]$

----------------------------------------------------------------------------------------------------------------------------
Here's Postgres rpm on the machine in question:

----------------------------------------------------------------------------------------------------------------------------
[~]$ rpm -qa | egrep postgres
postgresql-tcl-7.4.6-1.RHEL4.2
postgresql-pl-7.4.6-1.RHEL4.2
postgresql-docs-7.4.6-1.RHEL4.2
postgresql-odbc-7.3-8
postgresql-7.4.6-1.RHEL4.2
postgresql-server-7.4.6-1.RHEL4.2
postgresql-test-7.4.6-1.RHEL4.2
postgresql-libs-7.4.6-1.RHEL4.2
postgresql-jdbc-7.4.6-1.RHEL4.2
postgresql-python-7.4.6-1.RHEL4.2
postgresql-contrib-7.4.6-1.RHEL4.2
postgresql-devel-7.4.6-1.RHEL4.2
[~]$

----------------------------------------------------------------------------------------------------------------------------

"Jimmie H. Apsey" <japsey@futuredental.com> writes:

> This may be my second posting but I think I've done it correctly this time.
> At this point, I am unable to do a pg_dump using our new Rec Hat
> Enterprise Linux AS 4 version of Postgres which is version 7.4.
> Here's what I get when I try to do a pg_dump of our database:
>
---------------------------------------------------------------------------------------------------------------------------
> [~]$
> [ ~]$ /usr/bin/pg_dump dcf_20050404 >& /~/dcf_20050404_`date +%y%m%d`.dmp
> audit(1115732852.025:0): avc:  denied  { write } for  pid=11023
> exe=/usr/bin/pg_dump path=/~/dcf_20050404_050510.dmp
> dev=sda3 ino=5522308 scontext=user_u:system_r:postgresql_t
> tcontext=user_u:object_r:file_t tclass=file

Looks like your security settings aren't allowing pg_dump to write
files.  You should probably talk to Red Hat about how to fix them.

-Doug

"Jimmie H. Apsey" <japsey@futuredental.com> writes:
> At this point, I am unable to do a pg_dump using our new Rec Hat
> Enterprise Linux AS 4 version of Postgres which is version 7.4.
> Here's what I get when I try to do a pg_dump of our database:

> [ ~]$ /usr/bin/pg_dump dcf_20050404 >& /~/dcf_20050404_`date +%y%m%d`.dmp
> audit(1115732852.025:0): avc:  denied  { write } for  pid=11023
> exe=/usr/bin/pg_dump path=/~/dcf_20050404_050510.dmp
> dev=sda3 ino=5522308 scontext=user_u:system_r:postgresql_t
> tcontext=user_u:object_r:file_t tclass=file

Hmm, what is the SELinux labeling for pg_dump?  Try

$ ls -Z /usr/bin/pg_dump
-rwxr-xr-x  root     root     system_u:object_r:bin_t          /usr/bin/pg_dump

If you get something other than that, try "/sbin/restorecon -R /usr/bin"
as root; if that doesn't fix it, you probably need to update your
SELinux policy (RPM selinux-policy-targeted).  I am not entirely sure
whether a policy RPM update automatically does the equivalent of
"/sbin/restorecon -R /", but if you don't see the right context after
an update, that's what I'd suggest.

> Here's Postgres rpm on the machine in question:
> postgresql-7.4.6-1.RHEL4.2
> postgresql-server-7.4.6-1.RHEL4.2

I think that was what went out on the RHEL4 CD-ROMs, but why aren't you
running up2date?  There are serious known bugs in that version.  If
you're paying Red Hat for support, you should be using that support ;-)

            regards, tom lane

Tom Lane wrote:

>"Jimmie H. Apsey" <japsey@futuredental.com> writes:
>
>
>>At this point, I am unable to do a pg_dump using our new Rec Hat
>>Enterprise Linux AS 4 version of Postgres which is version 7.4.
>>Here's what I get when I try to do a pg_dump of our database:
>>
>>
>
>
>
>>[ ~]$ /usr/bin/pg_dump dcf_20050404 >& /~/dcf_20050404_`date +%y%m%d`.dmp
>>audit(1115732852.025:0): avc:  denied  { write } for  pid=11023
>>exe=/usr/bin/pg_dump path=/~/dcf_20050404_050510.dmp
>>dev=sda3 ino=5522308 scontext=user_u:system_r:postgresql_t
>>tcontext=user_u:object_r:file_t tclass=file
>>
>>
>
>Hmm, what is the SELinuxWe disabled
>the SELinux protection for the postgres deamon and were able to
>successfully run pg_dump on our new Red Hat Enterprise Linux AS 4
>postgres.  Do you have any opinion about this 'fix'?
>
>
>
>Jim Apsey labeling for pg_dump?  Try
>
>$ ls -Z /usr/bin/pg_dump
>-rwxr-xr-x  root     root     system_u:object_r:bin_t          /usr/bin/pg_dump
>
>If you get something other than that, try "/sbin/restorecon -R /usr/bin"
>as root; if that doesn't fix it, you probably need to update your
>SELinux policy (RPM selinux-policy-targeted).  I am not entirely sure
>whether a policy RPM update automatically does the equivalent of
>"/sbin/restorecon -R /", but if you don't see the right context after
>an update, that's what I'd suggest.
>
>
>
>>Here's Postgres rpm on the machine in question:
>>postgresql-7.4.6-1.RHEL4.2
>>postgresql-server-7.4.6-1.RHEL4.2
>>
>>
>
>I think that was what went out on the RHEL4 CD-ROMs, but why aren't you
>running up2date?  There are serious known bugs in that version.  If
>you're paying Red Hat for support, you should be using that support ;-)
>
>            regards, tom lane
>
>
>
> Thank you once again Tom Lane.  We disabled the SELinux protection for
> the postgres daemon and were able to successfully run pg_dump on our
> new Red Hat Enterprise Linux AS 4 postgres.  Do you have any opinion
> about this 'fix'?  We have hired a Linux professional and he installed
> AS 4 on our new Dell Server.  I don't know how we keep things
> up-to-date with up2date anymore.
>
> Jim Apsey