Reg. postgres running in unconfined_t after enabling selinux
Daniel J Walsh
dwalsh at redhat.com
Wed Jan 9 14:00:24 UTC 2013
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 01/09/2013 06:26 AM, Ramkumar Raghavan wrote:
> Hi,
>
> I am doing testing of implementing selinux in our application.
>
> I am using RHEL6.2 and the selinux enforced in targeted mode.
>
> All the application/postgresql data is in the NFS mount with all the
> contents labeled as nfs_t.
>
> I have given httpd Boolean access to nfs.
>
> When I start the postgres it starts as unconfined_t domain.
>
> ps -eZ | egrep 'httpd|java|postmaster'
>
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 5853 ? 00:00:01 postmaster
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 5854 ? 00:00:00 postmaster
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 5860 ? 00:00:00 postmaster
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 5861 ? 00:00:00 postmaster
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 5862 ? 00:00:00 postmaster
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 5863 ? 00:00:00 postmaster
> unconfined_u:system_r:httpd_t:s0 14794 ? 00:00:00 httpd
> unconfined_u:system_r:httpd_t:s0 14796 ? 00:00:00 httpd
> unconfined_u:system_r:httpd_t:s0 14797 ? 00:00:00 httpd
> unconfined_u:system_r:httpd_t:s0 14798 ? 00:00:18 httpd
> unconfined_u:system_r:httpd_t:s0 14799 ? 00:00:00 httpd
> unconfined_u:system_r:httpd_t:s0 14800 ? 00:00:00 httpd
> unconfined_u:system_r:httpd_t:s0 14801 ? 00:00:00 httpd
> unconfined_u:system_r:httpd_t:s0 14802 ? 00:00:00 httpd
> unconfined_u:system_r:httpd_t:s0 14803 ? 00:00:00 httpd
> unconfined_u:unconfined_r:unconfined_java_t:s0-s0:c0.c1023 14851 ? 00:00:06 java
> unconfined_u:unconfined_r:unconfined_java_t:s0-s0:c0.c1023 14978 ? 00:02:57 java
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 16426 ? 00:00:01 postmaster
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 16521 ? 00:00:00 postmaster
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 16522 ? 00:00:00 postmaster
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 16523 ? 00:00:00 postmaster
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 16524 ? 00:00:00 postmaster
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 16525 ? 00:00:00 postmaster
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 16526 ? 00:00:00 postmaster
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 16527 ? 00:00:00 postmaster
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 16528 ? 00:00:00 postmaster
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 16529 ? 00:00:00 postmaster
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 16530 ? 00:00:00 postmaster
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 16633 ? 00:00:00 postmaster
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 16634 ? 00:00:00 postmaster
> unconfined_u:system_r:httpd_t:s0 16702 ? 00:00:00 httpd
> unconfined_u:unconfined_r:unconfined_java_t:s0-s0:c0.c1023 17129 ? 00:00:06 java
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 17201 ? 00:00:00 postmaster
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 17205 ? 00:00:00 postmaster
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 17206 ? 00:00:00 postmaster
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 17207 ? 00:00:00 postmaster
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 17208 ? 00:00:00 postmaster
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 17209 ? 00:00:00 postmaster
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 17216 ? 00:00:00 postmaster
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 17217 ? 00:00:00 postmaster
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 17218 ? 00:00:00 postmaster
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 17219 ? 00:00:00 postmaster
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 17220 ? 00:00:00 postmaster
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 17221 ? 00:00:00 postmaster
> unconfined_u:unconfined_r:unconfined_java_t:s0-s0:c0.c1023 17260 pts/1 00:00:05 java
> unconfined_u:system_r:httpd_t:s0 20918 ? 00:00:00 httpd
> unconfined_u:system_r:httpd_t:s0 20921 ? 00:00:00 httpd
> unconfined_u:system_r:httpd_t:s0 20922 ? 00:00:00 httpd
> unconfined_u:unconfined_r:unconfined_java_t:s0-s0:c0.c1023 22851 ? 00:00:13 java
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 22910 ? 00:00:00 postmaster
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 22911 ? 00:00:00 postmaster
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 22912 ? 00:00:00 postmaster
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 22913 ? 00:00:00 postmaster
>
> Please advise if this is fine or should I change it.
>
> -- Ramkumar Raghavan
>
> -- selinux mailing list selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
>
We don't transition from unconfined_t to postgresql_master_t.
These two blogs should help explain
http://danwalsh.livejournal.com/30084.html
http://danwalsh.livejournal.com/23944.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)
Comment: Using GnuPG with undefined - http://www.enigmail.net/
iEYEARECAAYFAlDtd/gACgkQrlYvE4MpobN1NQCeIz4dJEF2vBC4AKXzfWduH7ph
ATIAnR/B/Eg1lu6OgPnqVi/BoJqy9nnL
=brIS
-----END PGP SIGNATURE-----
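Dan's point is that the targeted policy carries no transition out of unconfined_t into the PostgreSQL domain, so a postmaster launched from a login shell keeps the shell's unconfined_t label, exactly as Ramkumar's `ps -eZ` listing shows. The script below is an added example, not code from this thread or from Red Hat: it parses `ps -eZ` output and reports every daemon whose SELinux type differs from the confined domain expected for it. The expected domain names (postgresql_t for postmaster, httpd_t for httpd) are assumptions taken from the RHEL 6 targeted policy, and the sample lines are constructed to mirror the listing above.

```shell
#!/bin/sh
# Added example, not code from the thread: audit `ps -eZ` output (the command
# Ramkumar ran) for daemons running unconfined instead of in their confined
# domain. The domain names below are assumptions for RHEL 6 targeted policy.

# Expected SELinux type for each daemon we care about; empty means "not checked".
expected_domain() {
    case "$1" in
        postmaster|postgres) echo postgresql_t ;;
        httpd)               echo httpd_t ;;
        *)                   echo "" ;;
    esac
}

# Reads `ps -eZ` lines on stdin. For every known daemon whose type differs from
# the expected one it prints "PID CMD runs as TYPE, expected WANT".
# Returns 0 when all known daemons are confined, 1 otherwise.
find_unconfined() {
    rc=0
    while read -r ctx pid _tty _time cmd; do
        [ -n "$cmd" ] || continue              # skip blank lines
        want=$(expected_domain "$cmd")
        [ -n "$want" ] || continue             # header line and unlisted commands
        # A context is user:role:type:range; the third field is the type.
        ctype=$(printf '%s' "$ctx" | cut -d: -f3)
        if [ "$ctype" != "$want" ]; then
            printf '%s %s runs as %s, expected %s\n' "$pid" "$cmd" "$ctype" "$want"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample mirroring the thread: postmaster in unconfined_t, httpd confined.
SAMPLE_PS='LABEL PID TTY TIME CMD
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 5853 ? 00:00:01 postmaster
unconfined_u:system_r:httpd_t:s0 14794 ? 00:00:00 httpd
unconfined_u:unconfined_r:unconfined_java_t:s0-s0:c0.c1023 14851 ? 00:00:06 java'

# Demo on the sample; on a live box run:  ps -eZ | find_unconfined
printf '%s\n' "$SAMPLE_PS" | find_unconfined \
    || echo "=> restart the daemons above through their init script so they get their confined domain"
```

Daemons started through their init script (`service postgresql start` rather than running postmaster from the shell) execute under initrc_t, and the targeted policy does transition from initrc_t into the confined daemon domain; after such a restart the check above should come back clean for postmaster, while the java processes, which have no confined domain in this setup, are deliberately not flagged.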