On Thu, Apr 26, 2012 at 07:46:10AM +0200, J. Roeleveld wrote:
> On Mon, April 23, 2012 3:21 pm, napalm@××××××××××.org wrote:
> > I'm unsure if I should be posting this to the -hardened mailing list as
> > I'm using the hardened profile but all of a sudden I'm getting a rather
> > strange error when trying to start postgres.
> >
> > # /etc/init.d/postgresql-9.1 start
> > * Caching service dependencies ... [ ok ]
> > * The following file(s) are not readable by 'postgres':
> > * /etc/postgresql-9.1/postgresql.conf
> > * /etc/postgresql-9.1/pg_ident.conf
> > * /etc/postgresql-9.1/pg_hba.conf
> > * HINT: Try: 'chmod 644 /etc/postgresql-9.1/*.conf'
> > * ERROR: postgresql-9.1 failed to start
> >
> > That's what I'm getting when I attempt to start it and I don't seem to
> > have modified anything.
> >
> > Looking into the init script I can see it's doing su postgres -c "test -r
> > /etc/postgresql-9.1/pg_hba.conf" and the like but the output of:
> > su postgres -c "test -r /etc/postgresql-9.1/pg_hba.conf" || echo "fail"
> > is fail... so I'm quite at a loss as to what could be going on here. All
> > of the files are owned by postgres, have the correct permissions (I ran
> > chmod 644 as it hinted) and it should be able to traverse to the directory
> > as everything has the execute bit from /etc onwards.
> >
> > Any tips?
>
> I don't have much experience with Hardened, but are you certain that any
> permissions (including ACLs) are set correctly for PostgreSQL to access
> all its files?
>
> Do you have "sec-policy/selinux-postgresql" installed? And did you
> re-emerge this after the update?
>
> --
> Joost
>
I got things working in the end by deleting everything to do with
postgres, re-emerging and then restoring from a backup (it's fine
because the database is only updated a few times a day).

Still totally confused as to what the issue was. I hadn't been fiddling
with permissions or anything at all, didn't even go near the postgres
config files and there was no update to postgres so I'm just at a loss.

I don't have sec-policy/selinux-postgresql installed, more using PaX and
GRSecurity than selinux on my current installation, doubt that would
have helped.

I'm a bit annoyed that I couldn't solve the issue without doing the sort
of "turn it off and on" approach but it has done the trick so I guess
that's that.

I must have messed something up somewhere. Any guess as to if PAM or a
glibc update could have broken it? I wouldn't have thought glibc but I'm
a little clueless when it comes to PAM, then again I tried emerging
(without deleting everything) with USE="-pam" to no avail.

Anyway thanks for the help everyone, sorry I can't give a better
diagnosis. I did check strace logs and everything, couldn't locate the
error. Blargh!

Cheers,
David
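
The `test -r` check quoted in the thread depends on every directory from `/` down, not only on the `.conf` file's own mode. The following is an added example, not part of the thread or of the Gentoo init script: it lists what each path component's mode bits grant to a given uid. The function names and the sample tree are constructed for illustration, and ACLs, grsecurity RBAC and SELinux policy are not inspected.

```python
import os
import stat
import tempfile

def walk_access(path, uid, gids):
    """Return [(component, octal_mode, allowed)] from "/" down to path.

    Directories on the way need search (x); the final component needs read (r),
    which is what `test -r` asks for. Only owner/group/other mode bits are
    evaluated, using the single class the kernel would pick for a non-root
    uid. POSIX ACLs, grsecurity RBAC and SELinux policy are NOT inspected.
    """
    parts = [p for p in os.path.realpath(path).split(os.sep) if p]
    results, cur = [], os.sep
    for i, part in enumerate([""] + parts):
        cur = os.path.join(cur, part)
        st = os.stat(cur)  # the caller needs search access to the parents
        need = 4 if i == len(parts) else 1
        if st.st_uid == uid:          # owner class wins, even if stricter
            bits = (st.st_mode >> 6) & 7
        elif st.st_gid in gids:
            bits = (st.st_mode >> 3) & 7
        else:
            bits = st.st_mode & 7
        results.append((cur, oct(stat.S_IMODE(st.st_mode)), bool(bits & need)))
    return results

def first_blocker(path, uid, gids):
    """First (component, mode) whose mode bits deny the uid, or None."""
    for comp, mode, ok in walk_access(path, uid, gids):
        if not ok:
            return comp, mode
    return None

if __name__ == "__main__":
    # Constructed sample tree: the .conf file is 644 as the init script hints,
    # but its directory is 750, so a uid outside owner/group is still refused.
    top = os.path.realpath(tempfile.mkdtemp())
    conf_dir = os.path.join(top, "postgresql-9.1")
    os.mkdir(conf_dir)
    conf = os.path.join(conf_dir, "pg_hba.conf")
    open(conf, "w").close()
    os.chmod(conf, 0o644); os.chmod(conf_dir, 0o750); os.chmod(top, 0o755)
    other_uid = os.stat(conf).st_uid + 1   # hypothetical unrelated uid
    for comp, mode, ok in walk_access(conf, other_uid, set()):
        print(f"{'ok  ' if ok else 'DENY'} {mode:>7} {comp}")
```

Against a real file, pass the service account's uid and group ids as reported by `id postgres`. If every component shows ok, the remaining suspects lie outside the mode bits: ACLs, MAC/RBAC policy, or `su` itself returning non-zero before `test` runs.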