avc denied from postgresql

Yuichi Nakamura himainu-ynakam at miomio.jp
Thu Jul 1 12:37:47 UTC 2004


The following is the procedure to run PostgreSQL on my Fedora Core 2.

(1) Add the following to postgresql.te and postgresql.fc.
I created a new type "postgresql_dir_t" as the default type of /var/lib/postgresql.

# postgresql.te
type postgresql_dir_t,file_type,sysadmfile;
file_type_auto_trans(postgresql_t,postgresql_dir_t,postgresql_var_run_t)
r_dir_file(postgresql_t,postgresql_dir_t)

# postgresql.fc
/usr/bin/postgres --	system_u:object_r:postgresql_exec_t
/var/lib/pgsql(/.*)?		system_u:object_r:postgresql_dir_t
/var/lib/pgsql/data(/.*)+		system_u:object_r:postgresql_etc_t
/var/lib/pgsql/data/postmaster.pid	system_u:object_r:postgresql_var_run_t
/var/lib/pgsql/data/base(/.*)?	system_u:object_r:postgresql_db_t
/var/lib/pgsql/data/global(/.*)?	system_u:object_r:postgresql_db_t
/var/lib/pgsql/data/pg_xlog(/.*)?	system_u:object_r:postgresql_db_t
/var/lib/pgsql/data/pg_clog(/.*)?	system_u:object_r:postgresql_db_t
/var/lib/pgsql/data/postmaster.opts	system_u:object_r:postgresql_db_t
/etc/sysconfig/pgsql(/.*)?		system_u:object_r:postgresql_etc_t
/usr/share/pgsql(/.*)?		system_u:object_r:postgresql_etc_t
/var/log/pgsql.* --	system_u:object_r:postgresql_log_t

(2) reload and relabel
# make reload relabel

(3)
Comment out
"session           optional     /lib/security/$ISA/pam_selinux.so multiple"
from /etc/pam.d/su.

Commenting out this line in /etc/pam.d/su is necessary.
Without it, PostgreSQL (postmaster)
will run in the "user_t" domain; this domain is for user shells.
user_t is not desirable for PostgreSQL.


(4) start PostgreSQL
#/etc/rc.d/init.d/postgresql start
The first time PostgreSQL is started,
several new files will be created under /var/lib/pgsql/.

(5)
New files under /var/lib/pgsql do not have the proper context,
so stop PostgreSQL and relabel /var/lib/pgsql.

# /etc/rc.d/init.d/postgresql stop
# setfiles /etc/security/selinux/file_contexts /var/lib

The next time you run PostgreSQL,
it will run as "postgresql_t" correctly.


Richard Hally <rhally at mindspring.com> wrote:

> Daniel J Walsh wrote:
> 
> > Richard Hally wrote:
> > 
> >> Yuichi Nakamura wrote:
> >>
> >>> On Wed, 16 Jun 2004 00:31:58 -0400
> >>> Richard Hally <rhallyx at mindspring.com> wrote:
> >>>
> >>>> With the above change to the postgresql.fc I get the following avc 
> >>>> denied messages when booting:
> >>>
> >>>
> >>>
> >>> You must add /usr/bin/postgres --    system_u:object_r:postgresql_exec_t
> >>> to postgresql.fc
> >>> and , comment out session           optional     
> >>> /lib/security/$ISA/pam_selinux.so multiple
> >>> from /etc/pam.d/su.
> >>
> >>
> >> Thanks for the reply, it looks to me that the problem is more like the 
> >> policy and file_contexts were written for the way Debian (or some other 
> >> distro) installs PostgreSQL and Fedora installs things differently. 
> >> The most notable is that in the .fc it has the only postgresql_exec_t 
> >> with a regex for /usr/lib(64)?/postgresql/bin/.* and on Fedora the 
> >> executables are in /usr/bin.
> >> The question I have is: how do we handle these cases where different 
> >> distros put the same files in different places? Do we continue to add 
> >> to the policy for each different distro?
> > 
> > 
> > Yes we put the stuff in both places.
> > 
> I added the /usr/bin/postgres postgresql_exec_t file context (and 
> relabeled) and it still would not start when booting. Below are the 
> allow rules(generated by audit2allow) that were necessary to get the 
> server to start. I did not comment out any pam_selinux.so line in 
> /etc/pam.d/su. That doesn't seem like the right thing to do.
> Thanks,
> Richard Hally
> 
> allow initrc_su_t postgresql_db_t:dir { search };
> allow user_t postgresql_db_t:dir { add_name getattr read remove_name
> search write };
> allow user_t postgresql_db_t:file { create getattr read rename unlink
> write };
> 


---
Yuichi Nakamura
Japan SELinux Users Group(JPSEG)
http://www.selinux.gr.jp/
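The following is an added example, not part of Yuichi's post, the Fedora policy or libselinux. It takes the postgresql.fc fragment from step (1) above and works out, offline, which context setfiles would give a path, so you can see why step (5) is needed: it assumes the matching rule libselinux's matchpathcon uses (regexes anchored at both ends, last matching entry in the file wins, an optional `--`/`-d` field restricts an entry to one object class), and the "observed" labels fed to needs_relabel() are a constructed sample of what a first start leaves behind under the post's file_type_auto_trans rule, not output captured from a real system.

```python
import re

# postgresql.fc fragment from the post above, embedded here as the input.
POSTGRESQL_FC = """
/usr/bin/postgres                   --  system_u:object_r:postgresql_exec_t
/var/lib/pgsql(/.*)?                    system_u:object_r:postgresql_dir_t
/var/lib/pgsql/data(/.*)+               system_u:object_r:postgresql_etc_t
/var/lib/pgsql/data/postmaster.pid      system_u:object_r:postgresql_var_run_t
/var/lib/pgsql/data/base(/.*)?          system_u:object_r:postgresql_db_t
/var/lib/pgsql/data/global(/.*)?        system_u:object_r:postgresql_db_t
/var/lib/pgsql/data/pg_xlog(/.*)?       system_u:object_r:postgresql_db_t
/var/lib/pgsql/data/pg_clog(/.*)?       system_u:object_r:postgresql_db_t
/var/lib/pgsql/data/postmaster.opts     system_u:object_r:postgresql_db_t
/etc/sysconfig/pgsql(/.*)?              system_u:object_r:postgresql_etc_t
/usr/share/pgsql(/.*)?                  system_u:object_r:postgresql_etc_t
/var/log/pgsql.*                    --  system_u:object_r:postgresql_log_t
"""

# Optional file_contexts type field -> object class the entry is limited to.
FILE_TYPE_FLAGS = {"--": "file", "-d": "dir", "-l": "lnk_file", "-s": "sock_file",
                   "-p": "fifo_file", "-b": "blk_file", "-c": "chr_file"}


def parse_fc(text):
    """Parse file_contexts lines into (compiled regex, class or None, context)."""
    specs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 3:
            regex, flag, ctx = fields
            cls = FILE_TYPE_FLAGS[flag]
        elif len(fields) == 2:
            regex, ctx = fields
            cls = None          # entry applies to every object class
        else:
            raise ValueError("malformed file_contexts line: %r" % raw)
        specs.append((re.compile(regex), cls, ctx))
    return specs


def match_context(specs, path, cls="file"):
    """Return the context setfiles would assign to `path`, or None.

    Assumed rule (modelled on libselinux matchpathcon): regexes are anchored at
    both ends and the LAST matching entry in the file wins.  That is what lets
    the specific data/postmaster.pid and data/base lines override the broader
    /var/lib/pgsql(/.*)? and /var/lib/pgsql/data(/.*)+ lines.  Note the `+`
    on the data line: /var/lib/pgsql/data itself does not match it and falls
    back to postgresql_dir_t.
    """
    for regex, want_cls, ctx in reversed(specs):
        if want_cls is not None and want_cls != cls:
            continue
        if regex.fullmatch(path):
            return ctx
    return None


def needs_relabel(specs, observed):
    """Given (path, class, current context) triples, list those whose current
    label differs from what file_contexts says they should carry."""
    out = []
    for path, cls, current in observed:
        expected = match_context(specs, path, cls)
        if expected is not None and expected != current:
            out.append((path, current, expected))
    return out


SPECS = parse_fc(POSTGRESQL_FC)

# Constructed sample (not captured output): after the first start, files that
# postmaster created in the postgresql_dir_t tree carry postgresql_var_run_t,
# the type named by the post's file_type_auto_trans rule.  Only postmaster.pid
# is supposed to have that label, so the rest must be relabelled (step 5).
OBSERVED = [
    ("/var/lib/pgsql/data/postmaster.pid", "file", "system_u:object_r:postgresql_var_run_t"),
    ("/var/lib/pgsql/data/pg_hba.conf", "file", "system_u:object_r:postgresql_var_run_t"),
    ("/var/lib/pgsql/data/base/1/1259", "file", "system_u:object_r:postgresql_var_run_t"),
]

if __name__ == "__main__":
    for path, cls in [("/usr/bin/postgres", "file"), ("/var/lib/pgsql/data", "dir"),
                      ("/var/lib/pgsql/data/pg_hba.conf", "file")]:
        print("%-40s %s" % (path, match_context(SPECS, path, cls)))
    for path, cur, exp in needs_relabel(SPECS, OBSERVED):
        print("relabel %s: %s -> %s" % (path, cur, exp))
```

Run it and compare the relabel list with what `setfiles -v` reports on the real tree; a path that this resolver labels differently from the running system is either a file created before the .fc was loaded (the step 5 case) or a gap in the .fc itself, such as an executable living at a different path on another distro.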



