On Tue, 2006-05-30 at 09:10, Paul Howarth wrote:
[ ... ]
If that's all you have, it shouldn't be difficult to fix.
Set yourself up for making local policy modules:
# yum install checkpolicy
# cd /root
# mkdir selinux.local
# cd selinux.local
# chcon -R -t usr_t .
# ln -s /usr/share/selinux/devel/Makefile .
Make a local policy module for this issue, in this directory:
1. Create a file postgresql.te with this content:
module postgresql 0.1;
require {
class dir search;
class lnk_file read;
type home_root_t;
type postgresql_t;
type var_lib_t;
};
# Allow postgresql to read /var/lib/pgsql -> /home/pgsql symlink
# if present
allow postgresql_t var_lib_t:lnk_file read;
# Allow postgresql to search directory /home
allow postgresql_t home_root_t:dir search;
2. Create a file postgresql.fc with this content:
/home/pgsql -d gen_context(system_u:object_r:var_lib_t,s0)
/home/pgsql/data(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0)
/home/pgsql/pgstartup.log -- gen_context(system_u:object_r:postgresql_log_t,s0)
(that's three long lines)
3. Create an empty postgresql.if file:
# touch postgresql.if
4. Build the policy module
# make
Install your new policy module:
# semodule -i postgresql.pp
Fix file contexts:
# restorecon -Rv /home/pgsql
Hopefully that should get you going in enforcing mode.
Well, that restorecon set all the contexts back to user_home_t. Ugh.
After recursively setting the data directory to postgresql_db_t and the
logfile to postgresql_log_t, service starts up without complaint. So
then:
postgresql started... check
database located under /home/pgsql... check
SELinux enforcing... yep
postgresql service not excluded... yes
read and write data to db... YES!
Excellent. I presume I should keep these SELinux policy source files in
a safe place in case this configuration is required again.
Thank you so much for your assistance! I have one final question. Do you
have any recommendations for decent documentation on SELinux
administration? Online is alright, but book recommendations are
perfectly welcome.
I hope to avoid having to go through this in the future. My goal is
really to understand the process. Right now, all I can do is describe
the problem and hope someone can walk me through the solution as you
have done. (I learn well from examples, so I know much more now that
I've at least gone through it.)
-Alan
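The module-building procedure quoted above, gathered into one script as an added example (this is not from either poster; it only reproduces the .te and .fc contents given in the mail). The directory name /root/selinux.local comes from the mail; the function names, the `--apply` switch and the use of `matchpathcon` to show what context the loaded policy assigns to each path before `restorecon` runs are additions. That pre-check is the one a practitioner wants here: if `matchpathcon` still reports user_home_t for the data directory after `semodule -i`, the .fc entries were not picked up and relabelling will not help, which is what the "set all the contexts back to user_home_t" result looks like from the outside.

```bash
#!/bin/bash
# Added example: scripted form of the local SELinux policy module steps.
# Assumed (not in the original mail): function names, the --apply switch,
# and the matchpathcon check. File contents are those given in the mail.
set -u

# Write postgresql.te, postgresql.fc and an empty postgresql.if into DIR.
write_policy_sources() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/postgresql.te" <<'EOF'
module postgresql 0.1;

require {
	class dir search;
	class lnk_file read;
	type home_root_t;
	type postgresql_t;
	type var_lib_t;
};

# Allow postgresql to read /var/lib/pgsql -> /home/pgsql symlink if present
allow postgresql_t var_lib_t:lnk_file read;
# Allow postgresql to search directory /home
allow postgresql_t home_root_t:dir search;
EOF
    # Three file-context entries, one per line (tab separated).
    cat > "$dir/postgresql.fc" <<'EOF'
/home/pgsql			-d	gen_context(system_u:object_r:var_lib_t,s0)
/home/pgsql/data(/.*)?		gen_context(system_u:object_r:postgresql_db_t,s0)
/home/pgsql/pgstartup.log	--	gen_context(system_u:object_r:postgresql_log_t,s0)
EOF
    : > "$dir/postgresql.if"   # interface file may be empty
}

# Sanity checks on the generated sources: 3 .fc entries, 2 allow rules.
count_fc_entries() {
    grep -c 'gen_context' "$1/postgresql.fc"
}
count_allow_rules() {
    grep -c '^allow ' "$1/postgresql.te"
}

# Build, load and relabel. Needs root plus checkpolicy and the
# selinux-policy-devel Makefile; only run when explicitly requested.
build_and_install() {
    dir="$1"
    cd "$dir" || return 1
    chcon -R -t usr_t .
    ln -sf /usr/share/selinux/devel/Makefile .
    make || return 1
    semodule -i postgresql.pp || return 1
    # Show what the now-loaded policy assigns to each path BEFORE relabelling.
    # Expect var_lib_t, postgresql_db_t, postgresql_log_t; anything else means
    # the .fc entries did not take effect and restorecon will not fix it.
    for p in /home/pgsql /home/pgsql/data /home/pgsql/pgstartup.log; do
        matchpathcon "$p"
    done
    restorecon -Rv /home/pgsql
    ls -dZ /home/pgsql /home/pgsql/data /home/pgsql/pgstartup.log
}

if [ "${1:-}" = "--apply" ]; then
    write_policy_sources /root/selinux.local
    build_and_install /root/selinux.local
fi
```

Run it as `./build-pgsql-module.sh --apply` as root; without the switch it only defines the functions, so the source-writing part can be exercised in a scratch directory first.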