SELinux question
Paul Howarth
paul at city-fan.org
Wed May 31 17:01:29 UTC 2006
Zoltan Boszormenyi wrote:
> Paul Howarth írta:
>> Zoltan Boszormenyi wrote:
>>> Paul Howarth írta:
>>>> Zoltan Boszormenyi wrote:
>>>>> What puzzled me is starting postgresql failed at boot
>>>>> but not the manual "service postgresql start" after bootup.
>>>>> (Maybe different contexts are applied to the logged-in root
>>>>> and the init program?)
>>>>
>>>> Running the initscript should be exactly the same as the boot
>>>> process. Starting the service manually (without the initscript)
>>>> would be different though, as no domain transition would happen.
>>>
>>> Both
>>>
>>> service postgresql start
>>>
>>> and
>>>
>>> su - postgres
>>> PGDATA=/home1/pgsql pg_ctl start
>>>
>>> started successfully if I logged in as root or under "su -" from my
>>> mortal uid.
>>> (The postgresql initscript uses "runuser" instead of "su" IIRC.)
>>>
>>>> Do the AVCs logged during the boot process show the process running
>>>> as postgresql_t? If you do a "ps uaxZ", is it running as
>>>> postgresql_t or unconfined_t?
>>>
>>> It's running under postgresql_t.
>>
>> Does it run under postgresql_t if you start it using pg_ctl?
>
> $ su -
> # service postgresql stop
> # su - postgres
> $ PGDATA=/var/lib/pgsql/data pg_ctl start
> postmaster starting
> $ ps axuZ | grep post | grep -v bash | grep -v grep | grep -v "su -" |
> grep -v "ps "
> user_u:system_r:unconfined_t postgres 5171 0.5 0.3 92280 3808
> pts/0 S 18:32 0:00 /usr/bin/postmaster
> user_u:system_r:unconfined_t postgres 5174 0.0 0.1 81324 1056
> pts/0 S 18:32 0:00 postgres: logger process
> user_u:system_r:unconfined_t postgres 5176 0.0 0.1 92264 1152
> pts/0 S 18:32 0:00 postgres: writer process
> user_u:system_r:unconfined_t postgres 5177 0.0 0.1 82460 992
> pts/0 S 18:32 0:00 postgres: stats buffer process
> user_u:system_r:unconfined_t postgres 5178 0.0 0.1 81456 1196
> pts/0 S 18:32 0:00 postgres: stats collector process
> $ pg_ctl stop
> $ logout
That one's as I expected.
> # service postgresql start
> A(z) postgresql szolgáltatás elindítása: [ OK ]
> [root at host-81-17-177-202 ~]# ps axuZ | grep post | grep -v bash | grep
> -v grep | grep -v "su -" | grep -v "ps "
> user_u:system_r:unconfined_t postgres 5307 9.5 0.3 92284 3808
> ? S 18:36 0:00 /usr/bin/postmaster -p 5432 -D
> /var/lib/pgsql/data
> user_u:system_r:unconfined_t postgres 5309 0.0 0.1 81328 1056
> ? S 18:36 0:00 postgres: logger process
> user_u:system_r:unconfined_t postgres 5311 0.0 0.1 92268 1112
> ? S 18:36 0:00 postgres: writer process
> user_u:system_r:unconfined_t postgres 5312 0.0 0.0 82464 920
> ? S 18:36 0:00 postgres: stats buffer process
> user_u:system_r:unconfined_t postgres 5313 0.0 0.1 81460 1196
> ? S 18:36 0:00 postgres: stats collector process
>
> Both times it's running under unconfined_t, so it doesn't matter
> whether it's running under "su - postgres" or "runuser - postgres".
> It seems what matters is that it's started from a logged in user:
I'd have expected this to run as postgresql_t.
Is your postgresql initscript correctly labelled as initrc_exec_t?
What's the state of the postgresql_disable_trans boolean?
# getsebool postgresql_disable_trans
Paul.
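Paul's reply boils down to three checks: the label on the initscript, the domain the running postmaster ended up in, and the state of the postgresql_disable_trans boolean. The script below is an added example, not code from this thread, that turns those checks into a small POSIX shell diagnostic. It works on constructed sample strings modelled on the ps output quoted above so it runs without SELinux present; the live_check function calls stat, ps and getsebool only when invoked with --live, and the initscript path /etc/init.d/postgresql it uses is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the three checks from the
# reply above as shell functions, driven by constructed sample data.

# Type field of an SELinux context, e.g. user_u:system_r:unconfined_t -> unconfined_t
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Domain of a process from one line of "ps axuZ" output (context is column 1).
ps_line_type() {
    set -- $1
    context_type "$1"
}

# Decide why postmaster is (or is not) in postgresql_t.
# $1 = type of the initscript, $2 = domain of the running postmaster,
# $3 = value of postgresql_disable_trans ("on" or "off").
diagnose() {
    script_type=$1; pm_type=$2; disable_trans=$3
    if [ "$pm_type" = postgresql_t ]; then
        echo "ok: postmaster confined in postgresql_t"
    elif [ "$disable_trans" = on ]; then
        echo "postgresql_disable_trans is on: transition to postgresql_t is disabled"
    elif [ "$script_type" != initrc_exec_t ]; then
        echo "initscript labelled $script_type, not initrc_exec_t: run restorecon on it"
    else
        echo "labels and boolean look right: check the AVC log for denials"
    fi
}

# Run the real tools on this host. Initscript path is an assumption.
live_check() {
    script_ctx=$(stat -c %C /etc/init.d/postgresql) || return 1
    pm_line=$(ps axuZ | grep '[/]usr/bin/postmaster' | head -n 1)
    bool_state=$(getsebool postgresql_disable_trans | awk '{print $NF}')
    diagnose "$(context_type "$script_ctx")" "$(ps_line_type "$pm_line")" "$bool_state"
}

# Constructed sample line, modelled on the ps output quoted in the thread.
SAMPLE_PS='user_u:system_r:unconfined_t postgres 5307 9.5 0.3 92284 3808 ? S 18:36 0:00 /usr/bin/postmaster -p 5432 -D /var/lib/pgsql/data'

if [ "${1:-}" = --live ]; then
    live_check
else
    echo "sample postmaster domain: $(ps_line_type "$SAMPLE_PS")"
    echo "verdict with initscript mislabelled as bin_t:"
    diagnose bin_t "$(ps_line_type "$SAMPLE_PS")" off
    echo "verdict with the boolean set to on:"
    diagnose initrc_exec_t "$(ps_line_type "$SAMPLE_PS")" on
fi
```

Without arguments it walks the constructed sample through both failure branches; with --live it reports on the local machine. The order of the branches matters: a postmaster already in postgresql_t needs no further checks, and the boolean is tested before the file label because a disabled transition masks a correct label.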