SELinux question

Sun May 28 19:43:43 UTC 2006

On Sun, 2006-05-28 at 20:33 +0200, Zoltan Boszormenyi wrote:
> Paul Howarth írta:
> > On Sun, 2006-05-28 at 17:13 +0200, Zoltan Boszormenyi wrote:
> >   
> >> Hi,
> >>
> >> answering to myself. :-)
> >>
> >> Zoltan Boszormenyi írta:
> >>     
> >>> So, how can I fix the current situation and include /home1/pgsql in
> >>> the postgresql context/domain? I would like to relabel it to recover 
> >>> the context...
> >>>
> >>> BTW the same principle would apply if one would like to create
> >>> another tablespace for postgresql under another mount point...
> >>>       
> >> After some more RTFM, it would seem simple:
> >>
> >> semanage fcontext -a -t postgresql_db_t '/home1/pgsql/data(/.*)?'
> >> semanage fcontext -a -t postgresql_log_t '/home1/pgsql/pgstartup.log'
> >> fixfiles relabel /home1/pgsql
> >>
> >> But it was not enough. Starting it with "service postgresql start" fails.
> >> I had to modify the rc script, too. I had to replace /var/lib/pgsql with
> >> /home1/pgsql everywhere despite the /var/lib/pgsql -> /home1/pgsql symlink.
> >>     
> >
> > This will be failing because SELinux is blocking access to reading the
> > symlink. You should find an avc denial for the lnk_file in your logs.
> >   
> 
> I haven't found any. :-(

Perhaps you won't find any now because it's never trying to
access /var/lib/pgsql since you changed the configs to get around the
problem? Are there none from first attempt?

> Can this difference below cause the problem?
> 
> [root at localhost log]# ls -d --scontext /var/lib/pgsql
> user_u:object_r:var_lib_t        /var/lib/pgsql -> /home1/pgsql
> [root at localhost log]# ls -d --scontext /var/lib/pgsql/
> system_u:object_r:default_t      /var/lib/pgsql/
> 
> Adding /home1/pgsql with var_lib_t context didn't make any difference, 
> though.

The existence of the symlink itself is probably the problem, rather than
its context. Applications have to have specific permission to be able to
read (and hence follow) symlinks in SELinux.

> >> But this is enough for adding another tablespace under e.g. /home1/pgsql2:
> >>
> >> mkdir -p /home1/pgsql2/data
> >> chown -R postgres.postgres /home1/pgsql2
> >> semanage fcontext -a -t postgresql_db_t '/home1/pgsql2/data(/.*)?'
> >> fixfiles relabel /home1/pgsql2
> >>     
> >
> > An easier way is to bind mount /home/pgsql on /var/lib/pgsql etc. and do
> > a restorecon -R on the "new" /var/lib/pgsql. That achieves the same
> > effect without the symlink.
> >   
> 
> I know, but the disk I install will be (or already is) used for both my 
> databases
> and for extending /home. I created only one partition on that disk, so...
> The system is my home/devel machine and the disk is SATA and fast enough.
> Although for a high performance production machine, I would always give
> PostgreSQL it's own disks to separate WAL, table and index spaces.

Perhaps you'll use LVM next time :-)

Paul.