avc denied from postgresql

Russell Coker russell at coker.com.au
Sat Jul 3 06:52:43 UTC 2004


On Sat, 3 Jul 2004 09:39, Richard Hally <rhally at mindspring.com> wrote:
> Russell Coker wrote:
> > Let's get back to basics and look at the concepts rather than AVC
> > messages.
> >
> > /etc/rc.d/init.d/postgresql uses su to change uid to start the daemon,
> > this is a problem as it's not compatible with the usual su operation.
>
> Huh? su (Substitute User) has been to "Change the effective userid and
> group id" since I first learned about it in 1978. And is being used for
> that purpose in the init.d/postgresql stript.

It's purpose is to change the effective UID/GID for interactive sessions.

>From su(1) on Fedora:
su - run a shell with substitute user and group IDs

>From su(1) on Debian:
su  is  used  to  become  another user during a login session.

There's no mention I could find in the documentation of using su for starting 
daemons.

I think that there is no good reason for using su in this manner, and some 
good reasons for not doing so.  The postgresql start scripts will have to be 
changed.

> > /etc/rc.d/init.d/postgresql does lots of things other than just starting
> > a daemon, for example the code after:
> > echo -n $"Initializing database: "
>
> Maybe we need a restorecon where it creates the data directory(if not
> already present (a rare occurance)).

It might be rare in terms of the number of times the daemon is started, but 
from my understanding of the script it's expected to be done the first time 
the daemon is started.  So it's inevitable that it happens at least once, and 
therefore we have to handle it.

> The real work part of initializing the data directory is done with "su
> -l postgres -c ..." just like the part that starts the server(i.e. su -l
> postgres -c ...)
>
> What is it about pam_selinux that is causing the problem?

The fact that there is no identity, role, and domain defined for Postgres.  We 
can configure the SE Linux policy to allow this, but it's the wrong approach.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page




More information about the selinux mailing list