avc denied from postgresql

Daniel J Walsh dwalsh at redhat.com
Thu Jul 1 12:21:15 UTC 2004


Richard Hally wrote:

> Daniel J Walsh wrote:
>
>> Richard Hally wrote:
>>
>>> Yuichi Nakamura wrote:
>>>
>>>> On Wed, 16 Jun 2004 00:31:58 -0400
>>>> Richard Hally <rhallyx at mindspring.com> wrote:
>>>>
>>>>> With the above change to the postgresql.fc I get the following avc 
>>>>> denied messages when booting:
>>>>
>>>> You must add
>>>>     /usr/bin/postgres  --  system_u:object_r:postgresql_exec_t
>>>> to postgresql.fc, and comment out
>>>>     session    optional    /lib/security/$ISA/pam_selinux.so multiple
>>>> from /etc/pam.d/su.
>>>
>>> Thanks for the reply. It looks to me that the problem is more like 
>>> the policy and file_contexts were written for the way Debian (or some 
>>> other distro) installs PostgreSQL and Fedora installs things 
>>> differently. The most notable is that in the .fc the only 
>>> postgresql_exec_t entry is a regex for /usr/lib(64)?/postgresql/bin/.* 
>>> and on Fedora the executables are in /usr/bin.
>>> The question I have is: how do we handle these cases where different 
>>> distros put the same files in different places? Do we continue to 
>>> add to the policy for each different distro?
>>
>> Yes, we put the stuff in both places.
>>
> I added the /usr/bin/postgres postgresql_exec_t file context (and 
> relabeled) and it still would not start when booting. Below are the 
> allow rules (generated by audit2allow) that were necessary to get the 
> server to start. I did not comment out any pam_selinux.so line in 
> /etc/pam.d/su. That doesn't seem like the right thing to do.
> Thanks,
> Richard Hally
>
> allow initrc_su_t postgresql_db_t:dir { search };
> allow user_t postgresql_db_t:dir { add_name getattr read remove_name search write };
> allow user_t postgresql_db_t:file { create getattr read rename unlink write };

You need to set up a server user that can transition to postgresql. A 
transition never happened.

Dan

>
> -- 
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> http://www.redhat.com/mailman/listinfo/fedora-selinux-list
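The two checks Dan's diagnosis rests on, worked through as an added example (this is not code from the thread or from the SELinux project): first, whether the postgresql.fc entries actually cover the Fedora path /usr/bin/postgres; second, whether audit2allow output such as Richard's points to a genuinely missing permission or to the daemon running in the wrong domain (no transition happened, so rules for initrc_su_t and user_t appear instead of rules for the service domain). The file_contexts lines, the service domain name `postgresql_t`, the fourth allow rule and the "last matching entry wins" matching rule are assumptions made for the example.

```python
import re
from typing import Iterable, List, NamedTuple, Optional, Pattern, Set, Tuple

# Constructed postgresql.fc fragments. The first line is the Debian-style
# entry Richard describes; the second is the Fedora entry Yuichi asked for.
FC_ORIGINAL = [
    "/usr/lib(64)?/postgresql/bin/.*  system_u:object_r:postgresql_exec_t",
]
FC_WITH_FEDORA_ENTRY = FC_ORIGINAL + [
    "/usr/bin/postgres  --  system_u:object_r:postgresql_exec_t",
]

# Richard's audit2allow output, unwrapped onto one line per rule, plus one
# constructed rule from the service domain itself for contrast.
AUDIT2ALLOW_OUTPUT = """\
allow initrc_su_t postgresql_db_t:dir { search };
allow user_t postgresql_db_t:dir { add_name getattr read remove_name search write };
allow user_t postgresql_db_t:file { create getattr read rename unlink write };
allow postgresql_t postgresql_db_t:file { read write };
"""

SERVICE_DOMAIN = "postgresql_t"            # assumed name of the daemon's domain
SERVICE_DATA_TYPES = {"postgresql_db_t"}   # types only that domain should touch


class AllowRule(NamedTuple):
    source: str
    target: str
    tclass: str
    perms: frozenset


# 'allow src tgt:class { p1 p2 };' or 'allow src tgt:class p1;'
RULE_RE = re.compile(r"^allow\s+(\S+)\s+(\S+):(\S+)\s+(?:\{([^}]*)\}|(\S+?))\s*;$")


def parse_allow_rules(text: str) -> List[AllowRule]:
    """Parse audit2allow-style allow rules, one per line."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised allow rule: {line!r}")
        src, tgt, cls, braced, single = m.groups()
        perms = braced if braced is not None else single
        rules.append(AllowRule(src, tgt, cls, frozenset(perms.split())))
    return rules


# '<regex> [<file type such as -- or -d>] <security context>'
FC_LINE_RE = re.compile(r"^(\S+)\s+(?:(-[-dlspcb])\s+)?(\S+)$")


def parse_fc(lines: Iterable[str]) -> List[Tuple[Pattern, Optional[str], str]]:
    """Parse file_contexts entries into (anchored regex, file type, context)."""
    entries = []
    for line in lines:
        m = FC_LINE_RE.match(line.strip())
        if m is None:
            raise ValueError(f"unrecognised file_contexts line: {line!r}")
        regex, ftype, context = m.groups()
        entries.append((re.compile("^" + regex + "$"), ftype, context))
    return entries


def file_context(entries, path: str) -> Optional[str]:
    """Context a path would be labelled with, or None if no entry matches.
    Last matching entry wins (an assumed simplification of setfiles' rule)."""
    context = None
    for pattern, _ftype, ctx in entries:
        if pattern.match(path):
            context = ctx
    return context


def triage(rules: List[AllowRule], service_domain: str,
           service_data_types: Set[str]) -> List[Tuple[AllowRule, str]]:
    """Flag rules where a domain other than the service's own touches the
    service's data: that is the signature of a missing domain transition,
    and the fix is the transition, not the allow rule."""
    verdicts = []
    for rule in rules:
        if rule.target in service_data_types and rule.source != service_domain:
            verdicts.append((rule, "missing-transition"))
        else:
            verdicts.append((rule, "needs-review"))
    return verdicts


def foreign_domains(verdicts) -> Set[str]:
    """Domains the daemon ended up running in instead of the service domain."""
    return {rule.source for rule, verdict in verdicts if verdict == "missing-transition"}


if __name__ == "__main__":
    for name, fc in (("original", FC_ORIGINAL), ("with Fedora entry", FC_WITH_FEDORA_ENTRY)):
        print(f"{name}: /usr/bin/postgres -> {file_context(parse_fc(fc), '/usr/bin/postgres')}")
    verdicts = triage(parse_allow_rules(AUDIT2ALLOW_OUTPUT), SERVICE_DOMAIN, SERVICE_DATA_TYPES)
    for rule, verdict in verdicts:
        print(f"{verdict:20} allow {rule.source} {rule.target}:{rule.tclass}")
    print("daemon ran as:", sorted(foreign_domains(verdicts)))
```

Run against the thread's own rules, the triage marks all three of Richard's rules as "missing-transition" and names initrc_su_t and user_t as the domains the server actually ran in, which is exactly why adding those rules is the wrong fix.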
