avc denied from postgresql

Richard Hally rhally at mindspring.com
Thu Jul 1 12:15:01 UTC 2004


Daniel J Walsh wrote:

> Richard Hally wrote:
> 
>> Yuichi Nakamura wrote:
>>
>>> On Wed, 16 Jun 2004 00:31:58 -0400
>>> Richard Hally <rhallyx at mindspring.com> wrote:
>>>
>>>> With the above change to the postgresql.fc I get the following avc 
>>>> denied messages when booting:
>>>
>>>
>>>
>>> You must add /usr/bin/postgres -- system_u:object_r:postgresql_exec_t
>>> to postgresql.fc
>>> and comment out
>>>   session optional /lib/security/$ISA/pam_selinux.so multiple
>>> from /etc/pam.d/su.
>>
>>
>> Thanks for the reply. It looks to me that the problem is more like the 
>> policy and file_contexts were written for the way Debian (or some other 
>> distro) installs PostgreSQL, and Fedora installs things differently. 
>> The most notable is that in the .fc the only postgresql_exec_t entry 
>> has a regex for /usr/lib(64)?/postgresql/bin/.*, and on Fedora the 
>> executables are in /usr/bin.
>> The question I have is: how do we handle these cases where different 
>> distros put the same files in different places? Do we continue to add 
>> to the policy for each different distro?
> 
> 
> Yes we put the stuff in both places.
> 
I added the /usr/bin/postgres postgresql_exec_t file context (and 
relabeled) and it still would not start when booting. Below are the 
allow rules (generated by audit2allow) that were necessary to get the 
server to start. I did not comment out any pam_selinux.so line in 
/etc/pam.d/su. That doesn't seem like the right thing to do.
Thanks,
Richard Hally

allow initrc_su_t postgresql_db_t:dir { search };
allow user_t postgresql_db_t:dir { add_name getattr read remove_name search write };
allow user_t postgresql_db_t:file { create getattr read rename unlink write };
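
Editor's note on the rules above: the source domain of the second and third rules is user_t, the ordinary unprivileged user domain, so the server was running in the domain of whoever started it rather than the domain the postgresql policy intends, and allowing user_t to write postgresql_db_t would let any process in that domain modify the database files. The reason the domain transition did not happen is worth checking before loading such rules. To show how audit2allow arrives at rules of this shape, here is an added example (editor's code, not part of this message and not the audit2allow tool itself): a small Python script that parses raw avc: denied lines, groups them by source type, target type and object class, unions the permissions, and records which executable triggered each group. The log lines embedded in it are constructed to mirror the contexts named in this thread; they are not taken from Richard's system, and the pids, inode numbers and exe paths in them are made up.

```python
"""Derive SELinux allow rules from raw AVC denial lines.

Added example (editor's code, not from the thread or from audit2allow).
It reproduces the simple case of what audit2allow does: group denials by
(source type, target type, object class), union the permissions, and emit
one allow rule per group together with the executables that produced it.
"""
import re
from collections import defaultdict

# Constructed sample log (not from the original message).  The contexts
# mirror the types named in the thread; pids, inodes and exe paths are
# invented.  Format follows the 2.6-kernel avc_audit output of the time.
SAMPLE_LOG = """\
audit(1088682000.123:45): avc:  denied  { search } for  pid=1234 exe=/bin/su name=pgsql dev=hda2 ino=12345 scontext=system_u:system_r:initrc_su_t tcontext=system_u:object_r:postgresql_db_t tclass=dir
audit(1088682000.456:46): avc:  denied  { read } for  pid=1240 exe=/usr/bin/postgres name=pgsql dev=hda2 ino=12345 scontext=user_u:user_r:user_t tcontext=system_u:object_r:postgresql_db_t tclass=dir
audit(1088682000.457:47): avc:  denied  { write add_name } for  pid=1240 exe=/usr/bin/postgres name=pgsql dev=hda2 ino=12345 scontext=user_u:user_r:user_t tcontext=system_u:object_r:postgresql_db_t tclass=dir
audit(1088682000.789:48): avc:  denied  { create } for  pid=1240 exe=/usr/bin/postgres name=postmaster.pid dev=hda2 ino=0 scontext=user_u:user_r:user_t tcontext=system_u:object_r:postgresql_db_t tclass=file
"""

# perms ... [exe] ... scontext tcontext tclass.  exe is optional because
# not every denial carries it (e.g. denials raised without a task exe).
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r"(?:.*?\bexe=(?P<exe>\S+))?"
    r".*?\bscontext=(?P<scontext>\S+)"
    r"\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)"
)


def type_of(context):
    """user_u:user_r:user_t -> user_t (the type is the third field)."""
    return context.split(":")[2]


def parse_avc(line):
    """Return a dict for one 'avc: denied' line, or None for anything else."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "perms": set(m.group("perms").split()),
        "exe": m.group("exe"),
        "stype": type_of(m.group("scontext")),
        "ttype": type_of(m.group("tcontext")),
        "tclass": m.group("tclass"),
    }


def collect_rules(log_text):
    """Return (perms, exes): both keyed by (stype, ttype, tclass).

    perms maps a key to the union of denied permissions; exes maps it to
    the set of executables that triggered those denials.
    """
    perms = defaultdict(set)
    exes = defaultdict(set)
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d is None:
            continue  # kernel noise, other audit records, etc.
        key = (d["stype"], d["ttype"], d["tclass"])
        perms[key] |= d["perms"]
        if d["exe"]:
            exes[key].add(d["exe"])
    return perms, exes


def render_rules(rules):
    """Render allow rules in policy syntax, sorted for stable output."""
    perms, _exes = rules
    out = []
    for stype, ttype, tclass in sorted(perms):
        body = " ".join(sorted(perms[(stype, ttype, tclass)]))
        out.append(f"allow {stype} {ttype}:{tclass} {{ {body} }};")
    return out


def render_annotated(rules):
    """Same as render_rules, with a comment naming the offending exe(s).

    That comment is what tells you the second and third rules came from
    /usr/bin/postgres running in user_t, i.e. no domain transition.
    """
    perms, exes = rules
    lines = []
    for rule, key in zip(render_rules(rules), sorted(perms)):
        who = ", ".join(sorted(exes[key])) or "unknown exe"
        lines.append(f"# denied for: {who}")
        lines.append(rule)
    return lines


if __name__ == "__main__":
    print("\n".join(render_annotated(collect_rules(SAMPLE_LOG))))
```

Run it against a copy of /var/log/messages (or dmesg output) instead of SAMPLE_LOG and the "denied for:" comments show which binary hit each rule; when that binary is the daemon itself and the source type is a login domain, the fix is the file context and domain transition, not the allow rule.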



