avc denied from postgresql
Richard Hally
rhally at mindspring.com
Thu Jul 1 12:15:01 UTC 2004
Daniel J Walsh wrote:
> Richard Hally wrote:
>
>> Yuichi Nakamura wrote:
>>
>>> On Wed, 16 Jun 2004 00:31:58 -0400
>>> Richard Hally <rhallyx at mindspring.com> wrote:
>>>
>>>> With the above change to the postgresql.fc I get the following avc
>>>> denied messages when booting:
>>>
>>>
>>>
>>> You must add /usr/bin/postgres -- system_u:object_r:postgresql_exec_t
>>> to postgresql.fc
>>> and , comment out session optional
>>> /lib/security/$ISA/pam_selinux.so multiple
>>> from /etc/pam.d/su.
>>
>>
>> Thanks for the reply, it looks to me that the problem is more like the
>> policy and file_contexts were written for the way Debian(or some other
>> distro) installs PostgresSQL and Fedora installs things differently.
>> The most notable is that in the .fc it has the only postgresql_exec_t
>> with a regex for /usr/lib(64)?/postgresql/bin/.* and on Fedora the
>> executables are in /usr/bin.
>> The question I have is: how do we handle these case where different
>> distros put the same files in different places? Do we continue to add
>> to the policy for each different distro?
>
>
> Yes we put the stuff in both places.
>
I added the /usr/bin/postgres postgresql_exec_t file context (and
relabeled) and it still would not start when booting. Below are the
allow rules(generated by audit2allow) that were necessary to get the
server to start. I did not comment out any pam_selinux.so line in
/etc/pam.d/su. That doesn't seem like the right thing to do.
Thanks,
Richard Hally
allow initrc_su_t postgresql_db_t:dir { search };
allow user_t postgresql_db_t:dir { add_name getattr read remove_name
search write };
allow user_t postgresql_db_t:file { create getattr read rename unlink
write };
More information about the selinux
mailing list