SELinux question

Sun May 28 20:14:17 UTC 2006

Paul Howarth írta:
> On Sun, 2006-05-28 at 20:33 +0200, Zoltan Boszormenyi wrote:
>   
>> Paul Howarth írta:
>>     
>>> On Sun, 2006-05-28 at 17:13 +0200, Zoltan Boszormenyi wrote:
>>>   
>>>       
>>>> Hi,
>>>>
>>>> answering to myself. :-)
>>>>
>>>> Zoltan Boszormenyi írta:
>>>>     
>>>>         
>>>>> So, how can I fix the current situation and include /home1/pgsql in
>>>>> the postgresql context/domain? I would like to relabel it to recover 
>>>>> the context...
>>>>>
>>>>> BTW the same principle would apply if one would like to create
>>>>> another tablespace for postgresql under another mount point...
>>>>>       
>>>>>           
>>>> After some more RTFM, it would seem simple:
>>>>
>>>> semanage fcontext -a -t postgresql_db_t '/home1/pgsql/data(/.*)?'
>>>> semanage fcontext -a -t postgresql_log_t '/home1/pgsql/pgstartup.log'
>>>> fixfiles relabel /home1/pgsql
>>>>
>>>> But it was not enough. Starting it with "service postgresql start" fails.
>>>> I had to modify the rc script, too. I had to replace /var/lib/pgsql with
>>>> /home1/pgsql everywhere despite the /var/lib/pgsql -> /home1/pgsql symlink.
>>>>     
>>>>         
>>> This will be failing because SELinux is blocking access to reading the
>>> symlink. You should find an avc denial for the lnk_file in your logs.
>>>   
>>>       
>> I haven't found any. :-(
>>     
>
> Perhaps you won't find any now because it's never trying to
> access /var/lib/pgsql since you changed the configs to get around the
> problem? Are there none from first attempt?
>   

Sorry, I expected the audit messages in /var/log/messages.
Yes, I have such messages in audit.log:

type=AVC msg=audit(1148827118.909:2493): avc:  denied  { read } \
   for  pid=29719 comm="postmaster" name="pgsql" dev=hdb3 \
   ino=1010804 scontext=user_u:system_r:postgresql_t:s0 \
   tcontext=user_u:object_r:var_lib_t:s0 tclass=lnk_file
type=PATH msg=audit(1148827118.909:2493): item=0 \
   name="/var/lib/pgsql/data/postgresql.conf" flags=101

>> Can this difference below cause the problem?
>>
>> [root at localhost log]# ls -d --scontext /var/lib/pgsql
>> user_u:object_r:var_lib_t        /var/lib/pgsql -> /home1/pgsql
>> [root at localhost log]# ls -d --scontext /var/lib/pgsql/
>> system_u:object_r:default_t      /var/lib/pgsql/
>>
>> Adding /home1/pgsql with var_lib_t context didn't make any difference, 
>> though.
>>     
>
> The existence of the symlink itself is probably the problem, rather than
> its context. Applications have to have specific permission to be able to
> read (and hence follow) symlinks in SELinux.
>   

So, how can I tweak the policy so postgres can follow just this one symlink?

>>>> But this is enough for adding another tablespace under e.g. /home1/pgsql2:
>>>>
>>>> mkdir -p /home1/pgsql2/data
>>>> chown -R postgres.postgres /home1/pgsql2
>>>> semanage fcontext -a -t postgresql_db_t '/home1/pgsql2/data(/.*)?'
>>>> fixfiles relabel /home1/pgsql2
>>>>     
>>>>         
>>> An easier way is to bind mount /home/pgsql on /var/lib/pgsql etc. and do
>>> a restorecon -R on the "new" /var/lib/pgsql. That achieves the same
>>> effect without the symlink.
>>>   
>>>       
>> I know, but the disk I install will be (or already is) used for both my 
>> databases
>> and for extending /home. I created only one partition on that disk, so...
>> The system is my home/devel machine and the disk is SATA and fast enough.
>> Although for a high performance production machine, I would always give
>> PostgreSQL it's own disks to separate WAL, table and index spaces.
>>     
>
> Perhaps you'll use LVM next time :-)
>   

Well, how can you merge two disks with LVM and still
be able to record from the BTTV card to only one of them?
Having a separate disk dedicates the disk speed to this task
while another program can write under /home. Maybe
my knowledge is a bit outdated, so enlightenment is welcome. :-)

Best regards,
Zoltán Böszörményi