avc denied from postgresql

Stephen Smalley sds at epoch.ncsc.mil
Wed Jul 7 17:08:15 UTC 2004


On Fri, 2004-07-02 at 19:39, Richard Hally wrote:
> Perhaps we need to look at pam_selinux again rather than trying to 
> change the init.d/postgresql script?
<snip>
> What is it about pam_selinux that is causing the problem?
> With your latest changes to postgresql.fc and a couple of allow rules,
> the server starts in the correct context when booting if the pam_selinux 
> line is commented out of pam.d/su. That would indicate to me that there 
> is something about pam_selinux that is the problem. The error message is:
> "Unable to get valid context for postgres, no valid tty"
> Perhaps the problem has to do with the 'no valid tty' part?

pam_selinux is merely asking for a reachable security context for the
new user identity from the current security context.  The problem is
that the SELinux policy has no user identities for these pseudo users,
and it isn't clear that we truly want to go down the path of adding them
(as has been done for some users in the policy/serviceusers files).

-- 
Stephen Smalley <sds at epoch.ncsc.mil>
National Security Agency
