avc denied from postgresql

Stephen Smalley sds at epoch.ncsc.mil
Wed Jul 7 17:01:56 UTC 2004


On Fri, 2004-07-02 at 10:33, Russell Coker wrote:
> Let's get back to basics and look at the concepts rather than AVC messages.
> 
> /etc/rc.d/init.d/postgresql uses su to change uid to start the daemon, this is 
> a problem as it's not compatible with the usual su operation.  Changing su is 
> not the right solution as we don't even need 1% of the functionality of su, 
> all we need is a way to call setregid() and setreuid() before executing the 
> script.  I'm not sure if we already have a program we can use for this 
> purpose (sudo is not suitable).

The daemon() macro in /etc/init.d/functions includes a --user option
that causes it to run the command via su in the specified user identity
(su -s /bin/bash - $user -c ...).  So it appears that this is not an
uncommon/unexpected practice for running daemons in a non-root uid
without requiring a separate wrapper program.

-- 
Stephen Smalley <sds at epoch.ncsc.mil>
National Security Agency




More information about the selinux mailing list