Alan M. Evans wrote:
On Tue, 2006-05-30 at 10:48, Paul Howarth wrote:
> Alan M. Evans wrote:
>> On Tue, 2006-05-30 at 09:10, Paul Howarth wrote:
>> [ ... ]
>>> If that's all you have, it shouldn't be difficult to fix.
>>>
>>> Set yourself up for making local policy modules:
>>>
>>> # yum install checkpolicy
>>> # cd /root
>>> # mkdir selinux.local
>>> # cd selinux.local
>>> # chcon -R -t usr_t .
>>> # ln -s /usr/share/selinux/devel/Makefile .
>>>
>>> Make a local policy module for this issue, in this directory:
>>>
>>> 1. Create a file postgresql.te with this content:
>>>
>>> module postgresql 0.1;
>>>
>>> require {
>>>     class dir search;
>>>     class lnk_file read;
>>>
>>>     type home_root_t;
>>>     type postgresql_t;
>>>     type var_lib_t;
>>> };
>>>
>>> # Allow postgresql to read /var/lib/pgsql -> /home/pgsql symlink
>>> # if present
>>> allow postgresql_t var_lib_t:lnk_file read;
>>>
>>> # Allow postgresql to search directory /home
>>> allow postgresql_t home_root_t:dir search;
>>>
>>> 2. Create a file postgresql.fc with this content:
>>>
>>> /home/pgsql -d gen_context(system_u:object_r:var_lib_t,s0)
>>> /home/pgsql/data(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0)
>>> /home/pgsql/pgstartup.log -- gen_context(system_u:object_r:postgresql_log_t,s0)
>>>
>>> (that's three long lines)
>>>
>>> 3. Create an empty postgresql.if file:
>>>
>>> # touch postgresql.if
>>>
>>> 4. Build the policy module
>>>
>>> # make
>>>
>>> Install your new policy module:
>>>
>>> # semodule -i postgresql.pp
>>>
>>> Fix file contexts:
>>>
>>> # restorecon -Rv /home/pgsql
>>>
>>> Hopefully that should get you going in enforcing mode.
>> Well, that restorecon set all the contexts back to user_home_t. Ugh.
> Ugh indeed. My fix is incomplete. Can you post the output of:
> # semanage fcontext -l | grep pgsql
Sure:
# semanage fcontext -l | grep pgsql
/usr/lib/pgsql/test/regress/pg_regress regular file system_u:object_r:postgresql_exec_t:s0
/var/lib/pgsql/data(/.*)? all files system_u:object_r:postgresql_db_t:s0
/home/pgsql/pgstartup.log regular file system_u:object_r:postgresql_log_t:s0
/var/lib/pgsql/pgstartup.log all files system_u:object_r:postgresql_log_t:s0
/usr/share/jonas/pgsql(/.*)? all files system_u:object_r:postgresql_db_t:s0
/home/pgsql directory system_u:object_r:var_lib_t:s0
/home/pgsql/data(/.*)? all files system_u:object_r:postgresql_db_t:s0
/usr/lib/pgsql/test/regress/.*\.sh regular file system_u:object_r:bin_t:s0
/usr/lib/pgsql/test/regres(/.*)? all files system_u:object_r:postgresql_db_t:s0
> I trust that /home/pgsql is not some user's home directory?
That is correct.
It appears that there is no easy fix for this problem, other than moving
the data somewhere other than under /home:
http://www.redhat.com/archives/fedora-selinux-list/2006-May/msg00253.html
Paul.
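Editor's added example (not code from the thread, nor from the SELinux project). The thread's `.fc` entries did show up in `semanage fcontext -l`, yet `restorecon` still relabelled everything `user_home_t`. The model below reproduces that outcome from one assumption about libselinux's lookup: `file_contexts`, `file_contexts.homedirs` and `file_contexts.local` are loaded in that order and the last entry whose anchored regex and mode flag both match wins, so the generated home-directory patterns (loaded after the module's entries) take precedence over anything a policy module puts under `/home`. The `file_contexts.homedirs` lines and the `file_contexts.local` line are constructed stand-ins; the assumption that `semanage fcontext -a` records its entry in `file_contexts.local` is the example's, not something the thread confirms.

```python
"""Model of libselinux file-context lookup for the /home/pgsql case.

Added example, not code from the thread or from SELinux itself.
Assumption (libselinux label_file behaviour): file_contexts,
file_contexts.homedirs and file_contexts.local are concatenated in that
order and the LAST entry whose anchored regex and mode flag match wins.
All entry text below is constructed to mirror the thread, not captured.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Mode flag of a file_contexts entry -> one-letter file type it applies to.
MODE_TO_TYPE = {"--": "f", "-d": "d", "-l": "l", "-c": "c",
                "-b": "b", "-s": "s", "-p": "p"}

_GEN_CONTEXT = re.compile(r"^gen_context\((.*),\s*(s\d+)\)$")


@dataclass
class Spec:
    regex: "re.Pattern"
    ftype: Optional[str]     # None means the entry applies to all file types
    context: Optional[str]   # None for <<none>>
    source: str              # which contexts file the entry came from


def parse_fc(text: str, source: str) -> List[Spec]:
    """Parse .fc / file_contexts lines of the form: REGEX [MODE] CONTEXT."""
    specs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) == 3:
            path_re, mode, ctx = parts
            if mode not in MODE_TO_TYPE:
                raise ValueError(f"{source}: bad mode flag {mode!r}: {line}")
            ftype = MODE_TO_TYPE[mode]
        elif len(parts) == 2:
            path_re, ctx = parts
            ftype = None
        else:
            raise ValueError(f"{source}: cannot parse entry: {line}")
        m = _GEN_CONTEXT.match(ctx)
        if m:  # .fc files write gen_context(user:role:type,mls); expand it
            ctx = f"{m.group(1)}:{m.group(2)}"
        # setfiles/restorecon anchor the regex at both ends.
        specs.append(Spec(re.compile("^" + path_re + "$"), ftype,
                          None if ctx == "<<none>>" else ctx, source))
    return specs


def lookup(specs: List[Spec], path: str, ftype: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (context, source) of the last matching entry, or (None, None)."""
    for spec in reversed(specs):
        if spec.ftype is not None and spec.ftype != ftype:
            continue
        if spec.regex.match(path):
            return spec.context, spec.source
    return None, None


# The thread's postgresql.fc as it lands in file_contexts after semodule -i.
MODULE_FC = """\
/home/pgsql -d gen_context(system_u:object_r:var_lib_t,s0)
/home/pgsql/data(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0)
/home/pgsql/pgstartup.log -- gen_context(system_u:object_r:postgresql_log_t,s0)
"""

# Constructed stand-in for the generated file_contexts.homedirs entries.
HOMEDIRS_FC = """\
/home/[^/]* -d system_u:object_r:user_home_dir_t:s0
/home/[^/]*/.+ system_u:object_r:user_home_t:s0
"""

# Constructed: an override as `semanage fcontext -a` would record it
# (assumed to land in file_contexts.local, which loads last).
LOCAL_FC = "/home/pgsql/data(/.*)? system_u:object_r:postgresql_db_t:s0\n"


def context_for(path: str, ftype: str, with_local: bool = False):
    """Context restorecon would pick for path under the assumed load order."""
    specs = (parse_fc(MODULE_FC, "file_contexts")
             + parse_fc(HOMEDIRS_FC, "file_contexts.homedirs"))
    if with_local:
        specs += parse_fc(LOCAL_FC, "file_contexts.local")
    return lookup(specs, path, ftype)


if __name__ == "__main__":
    for p, t in [("/home/pgsql", "d"), ("/home/pgsql/data/base/1", "f"),
                 ("/home/pgsql/pgstartup.log", "f")]:
        print(p, "->", context_for(p, t), "| with local:", context_for(p, t, True))
```

Run as-is, the module's entries lose to the homedirs patterns for every path under /home/pgsql, which is the relabelling the thread reports; only an entry that loads after the homedirs file changes the model's answer.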