On 01/09/2013 06:26 AM, Ramkumar Raghavan wrote:
Hi,
I am testing the implementation of SELinux in our application.
I am using RHEL6.2 and SELinux is enforcing in targeted mode.
All the application/postgresql data is on the NFS mount, with all the
contents labeled as nfs_t.
I have given httpd Boolean access to NFS.
When I start postgres, it starts in the unconfined_t domain.
ps -eZ | egrep 'httpd|java|postmaster'
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 5853 ? 00:00:01 postmaster
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 5854 ? 00:00:00 postmaster
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 5860 ? 00:00:00 postmaster
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 5861 ? 00:00:00 postmaster
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 5862 ? 00:00:00 postmaster
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 5863 ? 00:00:00 postmaster
unconfined_u:system_r:httpd_t:s0 14794 ? 00:00:00 httpd
unconfined_u:system_r:httpd_t:s0 14796 ? 00:00:00 httpd
unconfined_u:system_r:httpd_t:s0 14797 ? 00:00:00 httpd
unconfined_u:system_r:httpd_t:s0 14798 ? 00:00:18 httpd
unconfined_u:system_r:httpd_t:s0 14799 ? 00:00:00 httpd
unconfined_u:system_r:httpd_t:s0 14800 ? 00:00:00 httpd
unconfined_u:system_r:httpd_t:s0 14801 ? 00:00:00 httpd
unconfined_u:system_r:httpd_t:s0 14802 ? 00:00:00 httpd
unconfined_u:system_r:httpd_t:s0 14803 ? 00:00:00 httpd
unconfined_u:unconfined_r:unconfined_java_t:s0-s0:c0.c1023 14851 ? 00:00:06 java
unconfined_u:unconfined_r:unconfined_java_t:s0-s0:c0.c1023 14978 ? 00:02:57 java
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 16426 ? 00:00:01 postmaster
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 16521 ? 00:00:00 postmaster
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 16522 ? 00:00:00 postmaster
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 16523 ? 00:00:00 postmaster
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 16524 ? 00:00:00 postmaster
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 16525 ? 00:00:00 postmaster
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 16526 ? 00:00:00 postmaster
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 16527 ? 00:00:00 postmaster
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 16528 ? 00:00:00 postmaster
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 16529 ? 00:00:00 postmaster
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 16530 ? 00:00:00 postmaster
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 16633 ? 00:00:00 postmaster
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 16634 ? 00:00:00 postmaster
unconfined_u:system_r:httpd_t:s0 16702 ? 00:00:00 httpd
unconfined_u:unconfined_r:unconfined_java_t:s0-s0:c0.c1023 17129 ? 00:00:06 java
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 17201 ? 00:00:00 postmaster
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 17205 ? 00:00:00 postmaster
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 17206 ? 00:00:00 postmaster
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 17207 ? 00:00:00 postmaster
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 17208 ? 00:00:00 postmaster
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 17209 ? 00:00:00 postmaster
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 17216 ? 00:00:00 postmaster
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 17217 ? 00:00:00 postmaster
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 17218 ? 00:00:00 postmaster
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 17219 ? 00:00:00 postmaster
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 17220 ? 00:00:00 postmaster
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 17221 ? 00:00:00 postmaster
unconfined_u:unconfined_r:unconfined_java_t:s0-s0:c0.c1023 17260 pts/1 00:00:05 java
unconfined_u:system_r:httpd_t:s0 20918 ? 00:00:00 httpd
unconfined_u:system_r:httpd_t:s0 20921 ? 00:00:00 httpd
unconfined_u:system_r:httpd_t:s0 20922 ? 00:00:00 httpd
unconfined_u:unconfined_r:unconfined_java_t:s0-s0:c0.c1023 22851 ? 00:00:13 java
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 22910 ? 00:00:00 postmaster
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 22911 ? 00:00:00 postmaster
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 22912 ? 00:00:00 postmaster
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 22913 ? 00:00:00 postmaster
Please advise if this is fine or whether I should change it.
-- Ramkumar Raghavan
We don't transition from unconfined_t to postgresql_master_t.
These two blogs should help explain:
http://danwalsh.livejournal.com/30084.html
http://danwalsh.livejournal.com/23944.html
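
Added example, not part of the original thread: a small shell filter that summarises `ps -eZ` output per command and SELinux domain type, so daemons left in an unconfined domain (as postmaster is in the listing above) stand out. The function names and the sample input are constructed for illustration; the sample uses the one-process-per-line format of the listing.

```shell
#!/bin/sh
# Summarise `ps -eZ` output: count processes per (command, domain type)
# and mark domain types that start with "unconfined".
# Expected input columns: user:role:type:level PID TTY TIME CMD
domain_summary() {
    awk '
    # Skip the header line and anything without a user:role:type context.
    $1 ~ /^[^:]+:[^:]+:[^:]+/ && NF >= 5 {
        split($1, ctx, ":")            # ctx[3] is the domain type
        count[$5 SUBSEP ctx[3]]++      # assumes CMD has no spaces
    }
    END {
        for (k in count) {
            split(k, p, SUBSEP)
            flag = (p[2] ~ /^unconfined/) ? "UNCONFINED" : "confined"
            printf "%s %s %d %s\n", p[1], p[2], count[k], flag
        }
    }' | sort
}

# Names of commands that have at least one unconfined process.
unconfined_only() {
    domain_summary | awk '$4 == "UNCONFINED" { print $1 }' | sort -u
}

# Constructed sample in the format of the listing in the question.
sample_ps() {
    cat <<'EOF'
LABEL                             PID TTY          TIME CMD
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 5853 ? 00:00:01 postmaster
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 5854 ? 00:00:00 postmaster
unconfined_u:system_r:httpd_t:s0 14794 ? 00:00:00 httpd
unconfined_u:unconfined_r:unconfined_java_t:s0-s0:c0.c1023 14851 ? 00:00:06 java
EOF
}

sample_ps | domain_summary

# On a live system:
#   ps -eZ | domain_summary
# To see which source domains the loaded policy transitions from when a
# postgresql_exec_t binary is executed (setools):
#   sesearch -T -s unconfined_t -t postgresql_exec_t
#   sesearch -T -s initrc_t     -t postgresql_exec_t
```
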