[Pljava-dev] Problems with SELinux and PL/Java

Hi all,

I'm having troubles using PL/Java on a Red Hat Linux 5.5 64-bit system.
The Problems are related to missing file rights/rules in SELinux.
As long as SELinux is set to enforce Postgres/Java is complaining about
not being able to read jar files and other files necessary to the
application.

For Example:
IO Exception:/home/dspace/dspace/config/stats/GeoIP.dat (Permission
denied)
java.io.FileNotFoundException:
/home/dspace/dspace/config/stats/GeoIP.dat (Permission denied)
at java.io.RandomAccessFile.open(Native Method)
at java.io.RandomAccessFile.<init>(RandomAccessFile.java:212)
...

Sadly the messages and audit.log are of no help, since they don't record
any trouble with enforcing SELinux.
But as stated above if I turn off SELinux everything works fine.
The problem with permissive/turned off SELinux is, that the department
responsible for the servers is not happy with the prospect of having it
turned off.
So far the only partly working solution I've found is putting the jars
in the /var/lib/pgsql/data/ directory, and I mean putting them there,
symbolic links didn't work for me.
Since I don't want to have the same files in many locations I'd
appreciate any hints on rules/file rights for SELinux, to solve this
problem.

Regards,
Wolfgang

........................................................................
.................................................................
WOLFGANG RIESE
IT Development

ZBW - German National Library of Economics
Leibniz Information Centre for Economics
Neuer Jungfernstieg 21

D-20354 Hamburg

T: +49 (0)40 428 34-240
E: w.riese at zbw.eu
Raum 415

http://www.zbw.eu
http://www.econstor.eu
........................................................................
.................................................................

Ask EconDesk, the information service of the ZBW: www.zbw.eu
........................................................................
.................................................................

Hi,

On Fri, 18 Feb 2011 09:07:40 -0000, Riese Wolfgang <W.Riese at zbw.eu> wrote:

> So far the only partly working solution I've found is putting the jars
> in the /var/lib/pgsql/data/ directory, and I mean putting them there,
> symbolic links didn't work for me.

Usually jars are put in the database with the sqlj.install_jar() function,
but I presume you have a reason to have them elsewhere?

> Since I don't want to have the same files in many locations I'd
> appreciate any hints on rules/file rights for SELinux, to solve this
> problem.

The user/role the Postgres server is running as will need read access to
these files. If you can read these files as the postgres user (as it's
traditionally called) and it still doesn't work with SELinux on then you
need to somehow tune the server process rights. Sadly I have no idea how
to configure SELinux itself.

--
Johann Oskarsson http://www.2ndquadrant.com/ |[]
PostgreSQL Development, 24x7 Support, Training and Services --+--
|
Blog: http://my.opera.com/myrkraverk/blog/

On Mon, 21 Feb 2011 08:44:10 -0000, Riese Wolfgang <W.Riese at zbw.eu> wrote:

> Hi,
>
> thank you for your answer.

>> Usually jars are put in the database with the sqlj.install_jar()
>> function,
>> but I presume you have a reason to have them elsewhere?

> Ok, I was led to believe that the jars would always be loaded from disk,
> since the table "jar_repository" records the filespace origin of the
> jars, my mistake.

> But that leaves me with the problem that the GeoIP Api can't access it's
> data file, while SELinux is turned on.

Can you check that the postgres' server user can read the data file? That
is, the Linux user/role the server is run as. You can check with the head
or od commands for example.

--
Johann Oskarsson http://www.2ndquadrant.com/ |[]
PostgreSQL Development, 24x7 Support, Training and Services --+--
|
Blog: http://my.opera.com/myrkraverk/blog/