Does selinux check context on the whole directory hierarchy when making a decision about permission to enter a directory? That is, when I try to access /home/Data/pgsql, will it check the context on /home, then /home/Data, and then on /home/Data/pgsql? Or will it only check the context on /home/Data/pgsql?
I want to put a Postgres database in a /home/Data/pgsql/data directory, but the initrc script will not run it there. I can run it as the postgres user. The contexts mirror the /var/lib/pgsql/data directory: user_u:object_r:postgres_db_t. The context of /home/Data/pgsql is system_u:object_r:var_lib_t.
It does run fine with initrc in /var/lib/pgsql. When I leave the pgstartup.log in /var/lib/pgsql, I see the errors below. It doesn't matter whether the database is already initialized or not. The contexts for the /home/Data/pgsql directory are listed below as well. /home/Data is system_u:object_r:user_home_dir_t.
I don't see anything in /var/log/audit/audit.log, but I think dontaudit rules may be in effect.
Does Fedora use the reference policy from Tresys exactly? If not, where can I find the source policy for Fedora? All I can find are the .if files.
Finally, are there any better references for selinux? Everything I've read seems dated.
Thanks, Jim Young
pgstartup.log:
-------------------------
could not change directory to "/home/Data/pgsql"
initdb: could not access directory "/home/Data/pgsql/data": Permission denied
The files belonging to this database system will be owned by user "postgres".
This user must also own the server process.

The database cluster will be initialized with locale en_US.UTF-8.
The default database encoding has accordingly been set to UTF8.

postmaster cannot access the server configuration file "/home/Data/pgsql/data/postgresql.conf": Permission denied
could not change directory to "/home/Data/pgsql"
initdb: could not access directory "/home/Data/pgsql/data": Permission denied
The files belonging to this database system will be owned by user "postgres".
This user must also own the server process.

The database cluster will be initialized with locale en_US.UTF-8.
The default database encoding has accordingly been set to UTF8.

postmaster cannot access the server configuration file "/home/Data/pgsql/data/postgresql.conf": Permission denied
-----------
directory contexts:
-------------------------------
ls -Zd /home/Data/pgsql
drwx------  postgres postgres system_u:object_r:var_lib_t         /home/Data/pgsql

ls -Z /home/Data/pgsql
drwx------  postgres postgres system_u:object_r:var_lib_t         backups
drwx------  postgres postgres system_u:object_r:postgresql_db_t   data
-rw-------  postgres postgres system_u:object_r:postgresql_log_t  pgstartup.log

ls -Z /home/Data/pgsql/data
drwx------  postgres postgres user_u:object_r:postgresql_db_t     base
drwx------  postgres postgres user_u:object_r:postgresql_db_t     global
drwx------  postgres postgres user_u:object_r:postgresql_db_t     pg_clog
-rw-------  postgres postgres user_u:object_r:postgresql_db_t     pg_hba.conf
-rw-------  postgres postgres user_u:object_r:postgresql_db_t     pg_ident.conf
drwx------  postgres postgres user_u:object_r:postgresql_db_t     pg_log
drwx------  postgres postgres user_u:object_r:postgresql_db_t     pg_multixact
drwx------  postgres postgres user_u:object_r:postgresql_db_t     pg_subtrans
drwx------  postgres postgres user_u:object_r:postgresql_db_t     pg_tblspc
drwx------  postgres postgres user_u:object_r:postgresql_db_t     pg_twophase
-rw-------  postgres postgres user_u:object_r:postgresql_db_t     PG_VERSION
drwx------  postgres postgres user_u:object_r:postgresql_db_t     pg_xlog
-rw-------  postgres postgres user_u:object_r:postgresql_db_t     postgresql.conf
-rw-------  postgres postgres user_u:object_r:postgresql_db_t     postmaster.opts
James Young wrote:
Does selinux check context on the whole directory hierarchy when making a decision about permission to enter a directory? That is, when I try to access /home/Data/pgsql, will it check the context on /home, then /home/Data, and then on /home/Data/pgsql? Or will it only check the context on /home/Data/pgsql?
I want to put a Postgres database in a /home/Data/pgsql/data directory, but the initrc script will not run it there. I can run it as the postgres user. The contexts mirror the /var/lib/pgsql/data directory: user_u:object_r:postgres_db_t. The context of /home/Data/pgsql is system_u:object_r:var_lib_t.
The whole hierarchy must be readable. Putting server data under /home always causes problems. I'd suggest bind mounting /home/Data/pgsql to /var/lib/pgsql or something similar.
You could change the context type of /home/Data to var_t but you'd probably still have issues with /home itself.
Does Fedora use the reference policy from Tresys exactly? If not, where can I find the source policy for Fedora? All I can find are the .if files.
The selinux-policy SRPM.
Finally, are there any better references for selinux? Everything I've read seems dated.
http://fedoraproject.org/wiki/SELinux is a decent starting point.
Paul.
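As an added example (not code from either poster), here is the check a practitioner would run before relabelling anything: walk every component of the path, print the type each one carries, and ask the loaded policy whether the server domain may "search" that type. SELinux grants dir:search per component, so a domain reaching /home/Data/pgsql/data needs it on the types of /, /home, /home/Data and /home/Data/pgsql as well as on the leaf. The script assumes GNU coreutils (ls -Z, stat -c %C) and sesearch from setools, and takes postgresql_t, the Fedora policy's domain for the PostgreSQL server, as the default domain; both tools are skipped gracefully when absent.

```shell
#!/bin/sh
# Added example, not part of the original thread. Walks the directory
# components of a path the way SELinux does when resolving it, so a
# mislabelled ancestor (a var_lib_t directory under a user_home_dir_t
# parent, say) and the missing "search" rule behind a silent denial
# become visible. Assumes GNU coreutils and setools' sesearch.

# Print "/" and then each ancestor of $1 down to the path itself, one per
# line. A trailing slash is dropped. Paths are handled as plain strings,
# so this also works for directories that do not exist yet.
path_components() {
    p=$1
    case $p in
        */) [ "$p" = / ] || p=${p%/} ;;
    esac
    printf '%s\n' /
    (
        IFS=/                   # split on "/" only ...
        set -f                  # ... and never glob the pieces
        acc=
        for seg in $p; do
            [ -n "$seg" ] || continue
            acc="$acc/$seg"
            printf '%s\n' "$acc"
        done
    )
}

# Show the security context of every component (what ls -Zd prints).
# stat -c %C prints "?" or fails where SELinux is not available.
show_path_contexts() {
    path_components "$1" | while IFS= read -r d; do
        if [ -d "$d" ] && ctx=$(stat -c %C "$d" 2>/dev/null) \
           && [ -n "$ctx" ] && [ "$ctx" != '?' ]; then
            printf '%-40s %s\n' "$d" "$ctx"
        else
            printf '%-40s %s\n' "$d" "(no SELinux context available)"
        fi
    done
}

# Ask the loaded policy whether DOMAIN (default postgresql_t) has
# dir:search on the type of each component. The component reported as
# having no allow rule is where traversal stops; a dontaudit rule can
# keep exactly that denial out of /var/log/audit/audit.log.
check_search_rules() {
    domain=${2:-postgresql_t}
    if ! command -v sesearch >/dev/null 2>&1; then
        echo "sesearch not found (install setools); skipping policy query" >&2
        return 1
    fi
    path_components "$1" | while IFS= read -r d; do
        [ -d "$d" ] || continue
        t=$(stat -c %C "$d" 2>/dev/null | cut -d: -f3)
        [ -n "$t" ] || continue
        if sesearch --allow -s "$domain" -t "$t" -c dir -p search 2>/dev/null | grep -q .; then
            printf '%-40s %-24s search allowed\n' "$d" "$t"
        else
            printf '%-40s %-24s no allow rule for %s\n' "$d" "$t" "$domain"
        fi
    done
}

# Usage: ./pathctx.sh /home/Data/pgsql/data [domain]
if [ -n "$1" ]; then
    show_path_contexts "$1"
    check_search_rules "$1" "$2" || true
fi
```

When audit.log shows nothing for a denial you can reproduce, dontaudit rules are the usual reason; on current Fedora `semodule -DB` rebuilds the policy with them disabled and `semodule -B` puts them back. The bind-mount route Paul suggests works precisely because the components the server then traverses are /var (var_t) and /var/lib (var_lib_t), which the postgresql domain is already allowed to search.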
Sorry it took me so long to reply back. It's been a busy weekend.
Bind mounting worked. I actually changed /home/ to /Data and bind mounted /home/ onto /Data/home and then created /Data/pgsql, changing the default contexts to those of /var/lib/pgsql. That didn't work, even when I changed /Data to system_u:object_r:var_t, /Data/pgsql to system_u:object_r:var_lib_t, and /Data/pgsql/data to system_u:object_r:postgresql_db_t. I thought maybe selinux only allowed transition to var_lib_t from var_t, and then to postgres_db_t from var_lib_t. Is that how it works with the directory hierarchy?
Anyway, I moved /var/lib/pgsql to /var/lib/pgsql.bk, bind mounted /Data/pgsql/ to /var/lib/pgsql and removed /etc/sysconfig/pgsql/postgresql. That worked. I just hope the developers don't see stuff like that as a security hole and fix it.
Have they changed the wiki? It seems like they have more useful info in there, than what I've found in the past. Then again, most of my visits to the wiki were from Google links. Maybe I just needed to visit the home page.
Thanks for all your help. Jim Young
On 1/12/07, Paul Howarth paul@city-fan.org wrote:
selinux@lists.fedoraproject.org