avc denied from postgresql

Daniel J Walsh dwalsh at redhat.com
Thu Jul 1 11:52:09 UTC 2004


Richard Hally wrote:

> Yuichi Nakamura wrote:
>
>> On Wed, 16 Jun 2004 00:31:58 -0400
>> Richard Hally <rhallyx at mindspring.com> wrote:
>>
>>> With the above change to the postgresql.fc I get the following avc 
>>> denied messages when booting:
>>
>>
>> You must add
>> /usr/bin/postgres    --    system_u:object_r:postgresql_exec_t
>> to postgresql.fc, and comment out
>> session    optional    /lib/security/$ISA/pam_selinux.so multiple
>> from /etc/pam.d/su.
>
> Thanks for the reply, it looks to me that the problem is more like the 
> policy and file_contexts were written for the way Debian (or some other 
> distro) installs PostgreSQL and Fedora installs things differently. 
> The most notable is that in the .fc it has the only postgresql_exec_t 
> with a regex for /usr/lib(64)?/postgresql/bin/.* and on Fedora the 
> executables are in /usr/bin.
> The question I have is: how do we handle these cases where different 
> distros put the same files in different places? Do we continue to add 
> to the policy for each different distro?
>
> Richard Hally
>
Added the following.  Please check since I know nothing about postgresql.

#
# Files from postgresql
#
/usr/bin/clusterdb         --    system_u:object_r:postgresql_exec_t
/usr/bin/createdb          --    system_u:object_r:postgresql_exec_t
/usr/bin/createlang        --    system_u:object_r:postgresql_exec_t
/usr/bin/createuser        --    system_u:object_r:postgresql_exec_t
/usr/bin/dropdb            --    system_u:object_r:postgresql_exec_t
/usr/bin/droplang          --    system_u:object_r:postgresql_exec_t
/usr/bin/dropuser          --    system_u:object_r:postgresql_exec_t
/usr/bin/pg_dump           --    system_u:object_r:postgresql_exec_t
/usr/bin/pg_dumpall        --    system_u:object_r:postgresql_exec_t
/usr/bin/pg_encoding       --    system_u:object_r:postgresql_exec_t
/usr/bin/pg_id             --    system_u:object_r:postgresql_exec_t
/usr/bin/pg_restore        --    system_u:object_r:postgresql_exec_t
/usr/bin/psql              --    system_u:object_r:postgresql_exec_t
/usr/bin/vacuumdb          --    system_u:object_r:postgresql_exec_t
#
# Files from postgresql-server
#
/usr/bin/initdb            --    system_u:object_r:postgresql_exec_t
/usr/bin/initlocation      --    system_u:object_r:postgresql_exec_t
/usr/bin/ipcclean          --    system_u:object_r:postgresql_exec_t
/usr/bin/pg_controldata    --    system_u:object_r:postgresql_exec_t
/usr/bin/pg_ctl            --    system_u:object_r:postgresql_exec_t
/usr/bin/pg_resetxlog      --    system_u:object_r:postgresql_exec_t
/usr/bin/postgres          --    system_u:object_r:postgresql_exec_t
/usr/bin/postmaster        --    system_u:object_r:postgresql_exec_t



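Added example, not part of the original message or of the policy sources: a simplified Python model of file_contexts lookup showing why Fedora's /usr/bin/postgres misses postgresql_exec_t under the original pattern and receives it once the entries above are added. The usr_t and bin_t baseline lines, the function names and the "last matching entry wins" rule are assumptions made for illustration, and Python's re stands in for the regex engine setfiles uses.

```python
import re

# Constructed baseline lines (assumed, not from the thread), followed by the
# single postgresql_exec_t pattern the thread says postgresql.fc contained.
ORIGINAL_FC = """
/usr(/.*)?                              system_u:object_r:usr_t
/usr/bin(/.*)?                          system_u:object_r:bin_t
/usr/lib(64)?/postgresql/bin/.*   --    system_u:object_r:postgresql_exec_t
"""

# Two of the entries added in the message above.
FEDORA_ADDITIONS = """
/usr/bin/postgres      --    system_u:object_r:postgresql_exec_t
/usr/bin/postmaster    --    system_u:object_r:postgresql_exec_t
"""

PATHS = ["/usr/lib/postgresql/bin/postgres", "/usr/bin/postgres"]

def parse_fc(text):
    """Parse file_contexts lines into (compiled regex, file type, context)."""
    specs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) not in (2, 3):
            raise ValueError(f"malformed file_contexts line: {raw!r}")
        ftype = fields[1] if len(fields) == 3 else None  # None = any file type
        specs.append((re.compile(fields[0]), ftype, fields[-1]))
    return specs

def lookup(specs, path, ftype="--"):
    """Context for path; assumed rule: the last matching entry wins."""
    context = None
    for regex, spec_type, spec_context in specs:
        # Patterns are anchored at both ends, hence fullmatch.
        if spec_type in (None, ftype) and regex.fullmatch(path):
            context = spec_context
    return context

def report(fc_text, paths=PATHS):
    """Map each sample path to the context the given file_contexts text yields."""
    specs = parse_fc(fc_text)
    return {path: lookup(specs, path) for path in paths}

if __name__ == "__main__":
    print("original:      ", report(ORIGINAL_FC))
    print("with additions:", report(ORIGINAL_FC + FEDORA_ADDITIONS))
```

On a labeled system, `matchpathcon /usr/bin/postgres` gives the authoritative answer for the installed policy.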