SELinux question
Zoltan Boszormenyi
zboszor at freemail.hu
Sun May 28 20:14:17 UTC 2006
Paul Howarth wrote:
> On Sun, 2006-05-28 at 20:33 +0200, Zoltan Boszormenyi wrote:
>
>> Paul Howarth wrote:
>>
>>> On Sun, 2006-05-28 at 17:13 +0200, Zoltan Boszormenyi wrote:
>>>
>>>
>>>> Hi,
>>>>
>>>> answering to myself. :-)
>>>>
>>>> Zoltan Boszormenyi wrote:
>>>>
>>>>
>>>>> So, how can I fix the current situation and include /home1/pgsql in
>>>>> the postgresql context/domain? I would like to relabel it to recover
>>>>> the context...
>>>>>
>>>>> BTW the same principle would apply if one would like to create
>>>>> another tablespace for postgresql under another mount point...
>>>>>
>>>>>
>>>> After some more RTFM, it would seem simple:
>>>>
>>>> semanage fcontext -a -t postgresql_db_t '/home1/pgsql/data(/.*)?'
>>>> semanage fcontext -a -t postgresql_log_t '/home1/pgsql/pgstartup.log'
>>>> fixfiles relabel /home1/pgsql
>>>>
>>>> But it was not enough. Starting it with "service postgresql start" fails.
>>>> I had to modify the rc script, too. I had to replace /var/lib/pgsql with
>>>> /home1/pgsql everywhere despite the /var/lib/pgsql -> /home1/pgsql symlink.
>>>>
>>>>
>>> This will be failing because SELinux is blocking access to reading the
>>> symlink. You should find an avc denial for the lnk_file in your logs.
>>>
>>>
>> I haven't found any. :-(
>>
>
> Perhaps you won't find any now because it's never trying to
> access /var/lib/pgsql since you changed the configs to get around the
> problem? Are there none from first attempt?
>
Sorry, I expected the audit messages in /var/log/messages.
Yes, I have such messages in audit.log:
type=AVC msg=audit(1148827118.909:2493): avc: denied { read } \
for pid=29719 comm="postmaster" name="pgsql" dev=hdb3 \
ino=1010804 scontext=user_u:system_r:postgresql_t:s0 \
tcontext=user_u:object_r:var_lib_t:s0 tclass=lnk_file
type=PATH msg=audit(1148827118.909:2493): item=0 \
name="/var/lib/pgsql/data/postgresql.conf" flags=101
>> Can this difference below cause the problem?
>>
>> [root at localhost log]# ls -d --scontext /var/lib/pgsql
>> user_u:object_r:var_lib_t /var/lib/pgsql -> /home1/pgsql
>> [root at localhost log]# ls -d --scontext /var/lib/pgsql/
>> system_u:object_r:default_t /var/lib/pgsql/
>>
>> Adding /home1/pgsql with var_lib_t context didn't make any difference,
>> though.
>>
>
> The existence of the symlink itself is probably the problem, rather than
> its context. Applications have to have specific permission to be able to
> read (and hence follow) symlinks in SELinux.
>
So, how can I tweak the policy so postgres can follow just this one symlink?
>>>> But this is enough for adding another tablespace under e.g. /home1/pgsql2:
>>>>
>>>> mkdir -p /home1/pgsql2/data
>>>> chown -R postgres.postgres /home1/pgsql2
>>>> semanage fcontext -a -t postgresql_db_t '/home1/pgsql2/data(/.*)?'
>>>> fixfiles relabel /home1/pgsql2
>>>>
>>>>
>>> An easier way is to bind mount /home/pgsql on /var/lib/pgsql etc. and do
>>> a restorecon -R on the "new" /var/lib/pgsql. That achieves the same
>>> effect without the symlink.
>>>
>>>
>> I know, but the disk I install will be (or already is) used for both my
>> databases and for extending /home. I created only one partition on that
>> disk, so... The system is my home/devel machine and the disk is SATA and
>> fast enough. Although for a high-performance production machine, I would
>> always give PostgreSQL its own disks to separate WAL, table and index spaces.
>>
>
> Perhaps you'll use LVM next time :-)
>
Well, how can you merge two disks with LVM and still be able to record
from the BTTV card to only one of them? Having a separate disk dedicates
the disk speed to this task while another program can write under /home.
Maybe my knowledge is a bit outdated, so enlightenment is welcome. :-)
Best regards,
Zoltán Böszörményi
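The following is an added example, not part of the thread above and not code from the PostgreSQL or Fedora SELinux projects. It shows what answering "how can I tweak the policy so postgres can follow just this one symlink" actually amounts to: it parses AVC records of the shape posted above (the two sample records are constructed from that one, with a second `getattr` denial added) and prints the `allow` rule that `audit2allow -M` would propose for them. The point worth seeing in the output is that type enforcement is per type, not per path: the rule grants `postgresql_t` read access to every `lnk_file` labelled `var_lib_t`, not to this one link, which is why relabelling the data directory and bind-mounting it over /var/lib/pgsql (Paul's suggestion) is the tighter fix. Only standard POSIX tools (grep, sed, cut, awk, sort) are used; nothing is loaded into the running policy.

```shell
#!/bin/sh
# Added example: turn SELinux AVC denial records into the TE allow rules that
# audit2allow would propose, so a denial can be understood before any policy
# module is built.  Nothing here touches the live policy.
set -eu

# Constructed audit.log excerpt (assumption: same field layout as the record
# posted in the thread; the second AVC line is invented for the merge step).
SAMPLE_AUDIT='type=AVC msg=audit(1148827118.909:2493): avc: denied { read } for pid=29719 comm="postmaster" name="pgsql" dev=hdb3 ino=1010804 scontext=user_u:system_r:postgresql_t:s0 tcontext=user_u:object_r:var_lib_t:s0 tclass=lnk_file
type=PATH msg=audit(1148827118.909:2493): item=0 name="/var/lib/pgsql/data/postgresql.conf" flags=101
type=AVC msg=audit(1148827120.100:2494): avc: denied { getattr } for pid=29719 comm="postmaster" name="pgsql" dev=hdb3 ino=1010804 scontext=user_u:system_r:postgresql_t:s0 tcontext=user_u:object_r:var_lib_t:s0 tclass=lnk_file'

# Third colon-separated field of a security context (user:role:type[:level]).
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Read audit records on stdin; print one "allow SRC TGT:CLASS { perms };"
# line per AVC record, ignoring PATH/SYSCALL records.
avc_to_allow() {
    grep '^type=AVC' | while IFS= read -r line; do
        perms=$(printf '%s\n' "$line" | sed -n 's/.*denied { \([^}]*\) }.*/\1/p')
        scon=$(printf '%s\n' "$line"  | sed -n 's/.*scontext=\([^ ]*\).*/\1/p')
        tcon=$(printf '%s\n' "$line"  | sed -n 's/.*tcontext=\([^ ]*\).*/\1/p')
        tclass=$(printf '%s\n' "$line" | sed -n 's/.*tclass=\([^ ]*\).*/\1/p')
        printf 'allow %s %s:%s { %s };\n' \
            "$(ctx_type "$scon")" "$(ctx_type "$tcon")" "$tclass" "$perms"
    done
}

# Merge the permission sets of rules that share (source, target:class),
# keeping first-seen order, the way audit2allow collapses repeated denials.
merge_rules() {
    awk '{
        key = $2 " " $3
        for (i = 5; i < NF; i++)
            if (index(" " perms[key] " ", " " $i " ") == 0)
                perms[key] = perms[key] " " $i
    }
    END { for (k in perms) print "allow " k " {" perms[k] " };" }' | sort
}

# Exit 0 if the records on stdin contain a denied symlink read, i.e. the
# domain was stopped from following a symlink such as /var/lib/pgsql.
symlink_denied() {
    grep -q 'avc: denied { read }.*tclass=lnk_file'
}

printf '%s\n' "$SAMPLE_AUDIT" | avc_to_allow | merge_rules
if printf '%s\n' "$SAMPLE_AUDIT" | symlink_denied; then
    echo '# symlink read denied: the rule above covers every var_lib_t symlink,'
    echo '# so prefer relabelling or a bind mount over loading it as a module'
fi
```

Run it and the merged rule for the posted denial is `allow postgresql_t var_lib_t:lnk_file { read getattr };`. On a real host the same text would come from `ausearch -m avc -c postmaster | audit2allow`, and the alternative that avoids the broad rule entirely is to give the data directory the `postgresql_db_t` label with `semanage fcontext` and `restorecon -R`, then bind-mount it at the path the policy already expects.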