
SELinux permission problem with postgresql PMDA

To: Nathan Scott <nathans@xxxxxxxxxx>
Subject: SELinux permission problem with postgresql PMDA
From: Tadej Janež <tadej.j@xxxxxx>
Date: Wed, 09 Sep 2015 16:56:44 +0200
Cc: pcp@xxxxxxxxxxx
Delivered-to: pcp@xxxxxxxxxxx
In-reply-to: <1081768492.27829618.1441683664673.JavaMail.zimbra@xxxxxxxxxx>
References: <1441613884.8358.33.camel@tlinux64> <1081768492.27829618.1441683664673.JavaMail.zimbra@xxxxxxxxxx>
Hi Nathan!

On Mon, 2015-09-07 at 23:41 -0400, Nathan Scott wrote:
> I've added some pmlogconf(1) files for nginx (as well as memcached and
> elasticsearch) for the next PCP release - when these PMDAs are active
> the metrics should be logged automatically now.

Great, thanks!

> > On the database server hosts I enabled postgresql PMDA, which provides
> > a ton of additional metrics. I would like to extend pmlogger's
> > configuration for these hosts to also log the postgresql metrics.
> 
> This should have happened automatically for several metrics from your
> database hosts - for /var/lib/pcp/config/pmlogconf/postgresql/summary
> metrics, that is - did that not happen?  On my local postgresql setup
> it appears to be working correctly (this is a straight pmlogger setup
> though, no pmmgr involved - but that shouldn't make much difference).

Indeed, pmlogconf picked up the postgresql metrics. However, I wasn't
able to see the metrics because the postgresql PMDA was failing due to
permission problems.

Here are the contents from /var/log/pcp/pmcd/postgresql.log:
[...]
[Wed Sep  9 14:36:09] pmdapostgresql(5088) Info: connect to DB dbi:Pg:dbname=postgres as user postgres
DBI connect('dbname=postgres','postgres',...) failed: could not connect to server: Permission denied
        Is the server running locally and accepting
        connections on Unix domain socket "/var/run/postgresql/.s.PGSQL.5432"? at /var/lib/pcp/pmdas/postgresql/pmdapostgresql.pl line 271.
[...]

Here are the relevant contents from /var/log/audit/audit.log:
[...]
type=AVC msg=audit(1441809789.805:1589): avc:  denied  { search } for pid=5088 comm="perl" name="pgsql" dev="sda1" ino=15399 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:postgresql_db_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1441809789.805:1590): avc:  denied  { write } for pid=5088 comm="perl" name=".s.PGSQL.5432" dev="tmpfs" ino=20492 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:postgresql_var_run_t:s0 tclass=sock_file permissive=0
[...]

I can confirm this is a SELinux problem, since executing "setenforce 0"
temporarily fixes the problem.

This is a vanilla Fedora 22 machine with:
postgresql-9.4.4-1.fc22.x86_64
pcp-3.10.6-1.fc22.x86_64
pcp-pmda-postgresql-3.10.6-1.fc22.x86_64
selinux-policy-targeted-3.13.1-122.fc22.noarch
perl-DBD-Pg-3.5.1-1.fc22.x86_64

If you prefer, I can file a proper bug report, just tell me where to.

Best regards,
Tadej
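As an added example (not part of the thread, and not PCP or selinux-policy code), the following Python script parses AVC records like the two quoted in the mail into structured denials and derives the minimal `allow` rules they imply, which is the same reduction `audit2allow` performs on `ausearch -m AVC` output. It also records whether each denial was actually enforced (`permissive=0`), which is why `setenforce 0` made the PMDA work. The sample log is constructed from the two AVC lines in the mail, re-joined onto single lines as audit.log writes them, plus one non-AVC record to show that other record types are skipped.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample: the two AVC denials from the mail above, each on one
# line, plus a SYSCALL record (constructed, not from the mail) that the
# parser must ignore.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1441809789.805:1589): avc:  denied  { search } for pid=5088 comm="perl" name="pgsql" dev="sda1" ino=15399 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:postgresql_db_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1441809789.805:1590): avc:  denied  { write } for pid=5088 comm="perl" name=".s.PGSQL.5432" dev="tmpfs" ino=20492 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:postgresql_var_run_t:s0 tclass=sock_file permissive=0
type=SYSCALL msg=audit(1441809789.805:1590): arch=c000003e syscall=42 success=no exit=-13 comm="perl" exe="/usr/bin/perl"
"""

# Shape of an AVC record: type, audit(timestamp:serial), result, { perms }, key=value fields.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for (?P<fields>.*)$'
)
# key=value pairs; values are either double-quoted strings or bare tokens.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


@dataclass(frozen=True)
class AvcDenial:
    serial: int
    perms: Tuple[str, ...]
    source_type: str   # type field of scontext, e.g. pcp_pmcd_t
    target_type: str   # type field of tcontext, e.g. postgresql_db_t
    tclass: str        # object class, e.g. dir or sock_file
    comm: str
    name: str
    enforced: bool     # permissive=0 means the access was really blocked


def context_type(ctx: str) -> str:
    """Extract the type from a user:role:type[:level] security context."""
    return ctx.split(":")[2]


def parse_avc_denials(text: str) -> List[AvcDenial]:
    """Return every enforced-or-not AVC *denial* in the log, skipping other records."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.match(line)
        if not m or m.group("result") != "denied":
            continue
        fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
        denials.append(AvcDenial(
            serial=int(m.group("serial")),
            perms=tuple(m.group("perms").split()),
            source_type=context_type(fields["scontext"]),
            target_type=context_type(fields["tcontext"]),
            tclass=fields["tclass"],
            comm=fields.get("comm", ""),
            name=fields.get("name", ""),
            enforced=fields.get("permissive") == "0",
        ))
    return denials


def allow_rules(denials: List[AvcDenial]) -> List[str]:
    """Merge denials per (source, target, class) into policy allow rules,
    the same grouping audit2allow applies before emitting a module."""
    merged: Dict[Tuple[str, str, str], set] = {}
    for d in denials:
        merged.setdefault((d.source_type, d.target_type, d.tclass), set()).update(d.perms)
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        plist = sorted(perms)
        perm_txt = plist[0] if len(plist) == 1 else "{ " + " ".join(plist) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_txt};")
    return rules


if __name__ == "__main__":
    found = parse_avc_denials(SAMPLE_AUDIT_LOG)
    for d in found:
        state = "blocked" if d.enforced else "would be blocked (permissive)"
        print(f"#{d.serial}: {d.comm} -> {d.name} ({d.tclass}) {' '.join(d.perms)}: {state}")
    print("\n".join(allow_rules(found)))
```

Both derived rules are narrow (one directory search and one write on a socket file), which is what a least-privilege fix for the pmcd domain should look like; the same two lines are what `audit2allow -a` would print on the affected host, and whether they go into a local module or into a distribution policy update is a separate decision.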
