avc denied from postgresql
Yuichi Nakamura
himainu-ynakam at miomio.jp
Thu Jul 1 12:37:47 UTC 2004
The following is procedure to run postgresql on my Fedora Core2.
(1) Add following to postgresql.te and postgresql.fc.
I created new type "postgresql_dir_t" for default type of /var/lib/postgresql.
# postgresql.te
type postgresql_dir_t,file_type,sysadmfile;
file_type_auto_trans(postgresql_t,postgresql_dir_t,postgresql_var_run_t)
r_dir_file(postgresql_t,postgresql_dir_t)
# postgresql.fc
/usr/bin/postgres -- system_u:object_r:postgresql_exec_t
/var/lib/pgsql(/.*)? system_u:object_r:postgresql_dir_t
/var/lib/pgsql/data(/.*)+ system_u:object_r:postgresql_etc_t
/var/lib/pgsql/data/postmaster.pid system_u:object_r:postgresql_var_run_t
/var/lib/pgsql/data/base(/.*)? system_u:object_r:postgresql_db_t
/var/lib/pgsql/data/global(/.*)? system_u:object_r:postgresql_db_t
/var/lib/pgsql/data/pg_xlog(/.*)? system_u:object_r:postgresql_db_t
/var/lib/pgsql/data/pg_clog(/.*)? system_u:object_r:postgresql_db_t
/var/lib/pgsql/data/postmaster.opts system_u:object_r:postgresql_db_t
/etc/sysconfig/pgsql(/.*)? system_u:object_r:postgresql_etc_t
/usr/share/pgsql(/.*)? system_u:object_r:postgresql_etc_t
/var/log/pgsql.* -- system_u:object_r:postgresql_log_t
(2) reload and relabel
# make reload relabel
(3)
comment out
"session optional /lib/security/$ISA/pam_selinux.so multiple"
from /etc/pam.d/su.
Commenting out /etc/pam.d/su is necessary.
Without it, postgreSQL(postmaster)
will run as "user_t" domain, this domain is for user shell.
user_t is not desireble for postgresql.
(4) start postgreSQL
#/etc/rc.d/init.d/postgresql start
At first time to start postgresql,
several new files will be created under /var/lib/pgsql/.
(5)
New files under /var/lib/pgsql do not have proper context,
so stop postgreSQL and relabel /var/lib/pgsql.
# /etc/rc.d/init.d/postgres stop
# setfiles /etc/security/selinux/file_contexts /var/lib
Next time you run postgresql,
postgresql will run as "postgresql_t" correctly.
Richard Hally <rhally at mindspring.com> wrote:
> Daniel J Walsh wrote:
>
> > Richard Hally wrote:
> >
> >> Yuichi Nakamura wrote:
> >>
> >>> On Wed, 16 Jun 2004 00:31:58 -0400
> >>> Richard Hally <rhallyx at mindspring.com> wrote:
> >>>
> >>>> With the above change to the postgresql.fc I get the following avc
> >>>> denied messages when booting:
> >>>
> >>>
> >>>
> >>> You must add /usr/bin/postgres -- system_u:object_r:postgresql_exec_t
> >>> to postgresql.fc
> >>> and , comment out session optional
> >>> /lib/security/$ISA/pam_selinux.so multiple
> >>> from /etc/pam.d/su.
> >>
> >>
> >> Thanks for the reply, it looks to me that the problem is more like the
> >> policy and file_contexts were written for the way Debian(or some other
> >> distro) installs PostgresSQL and Fedora installs things differently.
> >> The most notable is that in the .fc it has the only postgresql_exec_t
> >> with a regex for /usr/lib(64)?/postgresql/bin/.* and on Fedora the
> >> executables are in /usr/bin.
> >> The question I have is: how do we handle these case where different
> >> distros put the same files in different places? Do we continue to add
> >> to the policy for each different distro?
> >
> >
> > Yes we put the stuff in both places.
> >
> I added the /usr/bin/postgres postgresql_exec_t file context (and
> relabeled) and it still would not start when booting. Below are the
> allow rules(generated by audit2allow) that were necessary to get the
> server to start. I did not comment out any pam_selinux.so line in
> /etc/pam.d/su. That doesn't seem like the right thing to do.
> Thanks,
> Richard Hally
>
> allow initrc_su_t postgresql_db_t:dir { search };
> allow user_t postgresql_db_t:dir { add_name getattr read remove_name
> search write };
> allow user_t postgresql_db_t:file { create getattr read rename unlink
> write };
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> http://www.redhat.com/mailman/listinfo/fedora-selinux-list
---
Yuichi Nakamura
Japan SELinux Users Group(JPSEG)
http://www.selinux.gr.jp/
More information about the selinux
mailing list