avc denied from postgresql

Russell Coker russell at coker.com.au
Fri Jul 2 14:33:45 UTC 2004


Let's get back to basics and look at the concepts rather than AVC messages.

/etc/rc.d/init.d/postgresql uses su to change uid to start the daemon.  This is 
a problem, as it's not compatible with the usual su operation.  Changing su is 
not the right solution as we don't even need 1% of the functionality of su; 
all we need is a way to call setregid() and setreuid() before executing the 
script.  I'm not sure if we already have a program we can use for this 
purpose (sudo is not suitable).  For a test I spent 30 minutes writing a 
program that provides all of the su functionality we need for such things; 
we'll have to include that program if we don't have something better (we 
should have something better).

/etc/rc.d/init.d/postgresql does lots of things other than just starting a 
daemon, for example the code after:
echo -n $"Initializing database: "

I tried labelling /etc/rc.d/init.d/postgresql as postgresql_exec_t; however, 
the postgresql_t domain does not have access to write to the administrator 
console (and such access is not desired), it does not have access to rhgb_t, 
and there are some other things it needs access to.

I think that perhaps the correct thing to do is to 
re-write /etc/rc.d/init.d/postgresql to call a separate script with type 
postgresql_exec_t to do the "Initializing database" thing.  I'll look into 
that tomorrow.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
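[Editor's note: the message above describes a minimal su replacement that only 
calls setregid() and setreuid() before exec'ing a script.  The program Russell 
wrote is not on this page; the following is an added example of what such a 
wrapper looks like, written for this archive and not taken from his packages.  
The program name "runas", its argument order, and the choice of "postgres" as 
the target account are assumptions for illustration.  The security-relevant 
points it shows are the ones su gets right and a naive wrapper gets wrong: 
change gid before uid (once the uid is unprivileged the gid can no longer be 
changed), reset the supplementary group list inherited from root, refuse to 
"switch" to uid 0, and verify after the fact that root cannot be regained.]

```c
/* runas: minimal privilege-dropping exec wrapper (example code, not the
 * program described in the message above).
 *
 * Assumed usage from an init script running as root:
 *     runas postgres /usr/bin/postmaster -D /var/lib/pgsql/data
 * It switches to the named account's uid/gid and then execs the command.
 * It sets only HOME, USER and LOGNAME; unlike su it runs no shell,
 * reads no PAM configuration and opens no new session.
 */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Drop from root to uid/gid.  Returns 0 on success, -1 on any failure.
 * Order matters: the group changes must happen while we are still root. */
int drop_privs(uid_t uid, gid_t gid)
{
    /* A daemon account is never uid 0; "switching" to root would leave the
     * daemon fully privileged while the init script believes it dropped. */
    if (uid == 0 || gid == 0)
        return -1;

    /* Supplementary groups inherited from root (e.g. "wheel") would leak
     * privilege into the daemon.  Only root may change the list, and only
     * root has anything to drop here. */
    if (geteuid() == 0 && setgroups(1, &gid) != 0)
        return -1;

    /* Real and effective gid first, then real and effective uid.  Setting
     * the real uid also updates the saved set-user-ID, so root is gone. */
    if (setregid(gid, gid) != 0)
        return -1;
    if (setreuid(uid, uid) != 0)
        return -1;

    /* Verify the kernel actually did what we asked. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;

    /* Must now be impossible to become root again; if this succeeds the
     * saved uid was left at 0 and the drop was not real. */
    if (setuid(0) == 0)
        return -1;

    return 0;
}

/* Look up the account, drop privileges, set a minimal environment and exec.
 * Only returns on failure (with errno set); -1 in that case. */
int run_as(const char *user, char *const argv[])
{
    struct passwd *pw = getpwnam(user);
    if (pw == NULL) {
        errno = ENOENT;
        return -1;
    }
    if (drop_privs(pw->pw_uid, pw->pw_gid) != 0)
        return -1;

    /* The few environment variables the init script's su invocation
     * would have provided; PATH is left as root set it. */
    if (setenv("HOME", pw->pw_dir, 1) != 0 ||
        setenv("USER", pw->pw_name, 1) != 0 ||
        setenv("LOGNAME", pw->pw_name, 1) != 0)
        return -1;

    execvp(argv[0], argv);
    return -1;           /* exec failed */
}

int main(int argc, char *argv[])
{
    if (argc < 3) {
        fprintf(stderr, "usage: %s user program [args...]\n", argv[0]);
        return 2;
    }
    if (run_as(argv[1], &argv[2]) != 0) {
        fprintf(stderr, "%s: cannot run %s as %s: %s\n",
                argv[0], argv[2], argv[1], strerror(errno));
        return 1;
    }
    return 0;            /* not reached */
}
```

Under SELinux the domain transition still has to be granted on the executed 
program's type, so a wrapper like this only removes the dependency on su's 
behaviour; it does not replace the policy for the daemon itself.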



More information about the selinux mailing list