6:07 a.m.
Does selinux check context on the whole directory hierarchy when making a
decision about permission to enter a directory? That is, when I try to
access /home/Data/pgsql, will it check the context on /home, then
/home/Data, and then on /home/Data/pgsql? Or will it only check the context
on /home/Data/pgsql?
I want to put a Postgres database in a /home/Data/pgsql/data directory, but
the initrc script will not run it there. I can run it as the postgres user.
The contexts mirror the /var/lib/pgsql/data directory:
user_u:object_r:postgres_db_t. The context of /home/Data/pgsql is
system_u:object_r:var_lib_t.
It does run fine with initrc in /var/lib/pgsql. When I leave the
pgstartup.log in /var/lib/pgsql, I see the errors below. It doesn't matter
whether the database is already initialized or not. The contexts for the
/home/Data/pgsql directory are listed below as well. /home/Data is
system_u:object_r:user_home_dir_t.
I don't see anything in /var/log/audit/audit.log, but I think dontaudit
rules may be in effect.
Does Fedora use the reference policy from Tresys exactly? If not, where can
I find the source policy for Fedora. All I can find are the if files.
Finally, are there any better references for selinux. Everything I've read
seems dated.
Thanks,
Jim Young
pgstartup.log:
-------------------------
could not change directory to "/home/Data/pgsql"
initdb: could not access directory "/home/Data/pgsql/data": Permission
denied
The files belonging to this database system will be owned by user
"postgres".
This user must also own the server process.
The database cluster will be initialized with locale en_US.UTF-8.
The default database encoding has accordingly been set to UTF8.
postmaster cannot access the server configuration file
"/home/Data/pgsql/data/postgresql.conf": Permission denied
could not change directory to "/home/Data/pgsql"
initdb: could not access directory "/home/Data/pgsql/data": Permission
denied
The files belonging to this database system will be owned by user
"postgres".
This user must also own the server process.
The database cluster will be initialized with locale en_US.UTF-8.
The default database encoding has accordingly been set to UTF8.
postmaster cannot access the server configuration file
"/home/Data/pgsql/data/postgresql.conf": Permission denied
-----------
directory contexts:
-------------------------------
ls -Zd /home/Data/pgsql
drwx------ postgres postgres system_u:object_r:var_lib_t
/home/Data/pgsql
ls -Z /home/Data/pgsql
drwx------ postgres postgres system_u:object_r:var_lib_t backups
drwx------ postgres postgres system_u:object_r:postgresql_db_t data
-rw------- postgres postgres system_u:object_r:postgresql_log_t
pgstartup.log
ls -Z /home/Data/pgsql/data
drwx------ postgres postgres user_u:object_r:postgresql_db_t base
drwx------ postgres postgres user_u:object_r:postgresql_db_t global
drwx------ postgres postgres user_u:object_r:postgresql_db_t pg_clog
-rw------- postgres postgres user_u:object_r:postgresql_db_t pg_hba.conf
-rw------- postgres postgres user_u:object_r:postgresql_db_t pg_ident.conf
drwx------ postgres postgres user_u:object_r:postgresql_db_t pg_log
drwx------ postgres postgres user_u:object_r:postgresql_db_t pg_multixact
drwx------ postgres postgres user_u:object_r:postgresql_db_t pg_subtrans
drwx------ postgres postgres user_u:object_r:postgresql_db_t pg_tblspc
drwx------ postgres postgres user_u:object_r:postgresql_db_t pg_twophase
-rw------- postgres postgres user_u:object_r:postgresql_db_t PG_VERSION
drwx------ postgres postgres user_u:object_r:postgresql_db_t pg_xlog
-rw------- postgres postgres user_u:object_r:postgresql_db_t
postgresql.conf
-rw------- postgres postgres user_u:object_r:postgresql_db_t
postmaster.opts
6:39 a.m.
James Young wrote:
Does selinux check context on the whole directory hierarchy when
making a
decision about permission to enter a directory? That is, when I try to
access /home/Data/pgsql, will it check the context on /home, then
/home/Data, and then on /home/Data/pgsql? Or will it only check the context
on /home/Data/pgsql?
I want to put a Postgres database in a /home/Data/pgsql/data directory, but
the initrc script will not run it there. I can run it as the postgres user.
The contexts mirror the /var/lib/pgsql/data directory:
user_u:object_r:postgres_db_t. The context of /home/Data/pgsql is
system_u:object_r:var_lib_t.
The whole hierarchy must be readable. Putting server data under /home
always causes problems. I'd suggest bind mounting /home/Data/pgsql to
/var/lib/pgsql or something similar.
You could change the context type of /home/Data to var_t but you'd
probably still have issues with /home itself.
Does Fedora use the reference policy from Tresys exactly? If not,
where can
I find the source policy for Fedora. All I can find are the if files.
The selinux-policy SRPM.
Finally, are there any better references for selinux. Everything
I've read
seems dated.
http://fedoraproject.org/wiki/SELinux is a decent starting point.
Paul.
4:09 a.m.
Sorry it took me so long to reply back. It's been a busy weekend.
Bind mounting worked. I actually changed /home/ to /Data and bind mounted
/home/ onto /Data/home and then created /Data/pgsql, changing the default
context to those of /var/lib/pgsql. That didn't work, even when I changed
/Data to system_u:object_r:var_t, /Data/pgsql to
system_u:object_r:var_lib_t, and /Data/pgsql/data to
system_u:object_r:postgresql_db_t. I thought maybe selinux only allowed
transition to var_lib_t from var_t, and then to postgres_db_t from
var_lib_t. Is that how it works with the directory hierarchy?
Anyway, I moved /var/lib/pgsql /var/lib/pgsql.bk, bind mounted /Data/pgsql/
to /var/lib/pgsql and remove /etc/sysconfig/pgsql/postgresql. That worked. I
just hope the developers don't see stuff like that as a security hole and
fix it.
Have they changed the wiki? It seems like they have more useful info in
there, than what I've found in the past. Then again, most of my visits to
the wiki were from Google links. Maybe I just needed to visit the home page.
Thanks for all your help.
Jim Young
On 1/12/07, Paul Howarth <paul(a)city-fan.org> wrote:
James Young wrote:
> Does selinux check context on the whole directory hierarchy when making
a
> decision about permission to enter a directory? That is, when I try to
> access /home/Data/pgsql, will it check the context on /home, then
> /home/Data, and then on /home/Data/pgsql? Or will it only check the
context
> on /home/Data/pgsql?
>
> I want to put a Postgres database in a /home/Data/pgsql/data directory,
but
> the initrc script will not run it there. I can run it as the postgres
user.
> The contexts mirror the /var/lib/pgsql/data directory:
> user_u:object_r:postgres_db_t. The context of /home/Data/pgsql is
> system_u:object_r:var_lib_t.
The whole hierarchy must be readable. Putting server data under /home
always causes problems. I'd suggest bind mounting /home/Data/pgsql to
/var/lib/pgsql or something similar.
You could change the context type of /home/Data to var_t but you'd
probably still have issues with /home itself.
> Does Fedora use the reference policy from Tresys exactly? If not, where
can
> I find the source policy for Fedora. All I can find are the if files.
The selinux-policy SRPM.
> Finally, are there any better references for selinux. Everything I've
read
> seems dated.
http://fedoraproject.org/wiki/SELinux is a decent starting point.
Paul.
6311
days inactive
6314
days old
selinux@lists.fedoraproject.org
2 comments
2 participants
participants (2)
-
James Young -
Paul Howarth