Trouble starting postgresql

Paul Howarth paul at city-fan.org
Tue May 30 17:48:25 UTC 2006


Alan M. Evans wrote:
> On Tue, 2006-05-30 at 09:10, Paul Howarth wrote:
> [ ... ]
>> If that's all you have, it shouldn't be difficult to fix.
>>
>> Set yourself up for making local policy modules:
>>
>> # yum install checkpolicy
>> # cd /root
>> # mkdir selinux.local
>> # cd selinux.local
>> # chcon -R -t usr_t .
>> # ln -s /usr/share/selinux/devel/Makefile .
>>
>> Make a local policy module for this issue, in this directory:
>>
>> 1. Create a file postgresql.te with this content:
>>
>> module postgresql 0.1;
>>
>> require {
>>          class dir search;
>>          class lnk_file read;
>>
>>          type home_root_t;
>>          type postgresql_t;
>>          type var_lib_t;
>> };
>>
>> # Allow postgresql to read /var/lib/pgsql -> /home/pgsql symlink
>> # if present
>> allow postgresql_t var_lib_t:lnk_file read;
>>
>> # Allow postgresql to search directory /home
>> allow postgresql_t home_root_t:dir search;
>>
>> 2. Create a file postgresql.fc with this content:
>>
>> /home/pgsql                     -d      gen_context(system_u:object_r:var_lib_t,s0)
>> /home/pgsql/data(/.*)?                  gen_context(system_u:object_r:postgresql_db_t,s0)
>> /home/pgsql/pgstartup.log       --      gen_context(system_u:object_r:postgresql_log_t,s0)
>>
>> (that's three long lines)
>>
>> 3. Create an empty postgresql.if file:
>>
>> # touch postgresql.if
>>
>> 4. Build the policy module
>>
>> # make
>>
>> Install your new policy module:
>>
>> # semodule -i postgresql.pp
>>
>> Fix file contexts:
>>
>> # restorecon -Rv /home/pgsql
>>
>> Hopefully that should get you going in enforcing mode.
> 
> Well, that restorecon set all the contexts back to user_home_t. Ugh.

Ugh indeed. My fix is incomplete. Can you post the output of:
# semanage fcontext -l | grep pgsql

I trust that /home/pgsql is not some user's home directory?

> After recursively setting the data directory to postgresql_db_t and the
> logfile to postgresql_log_t, service starts up without complaint. So
> then:
> 
>   postgresql started... check
>   database located under /home/pgsql... check
>   SELinux enforcing... yep
>   postgresql service not excluded... yes
>   read and write data to db... YES!
> 
> Excellent. I presume I should keep these SELinux policy source files in
> a safe place in case this configuration is required again.

I'd keep them around for reference purposes but the policy module should 
survive reboots and base policy updates.

> Thank you so much for your assistance! I have one final question. Do you
> have any recommendations for decent documentation on SELinux
> administration? Online is alright, but book recommendations are
> perfectly welcome.

Not really. I think it's too much of a moving target at the moment to 
find anything that's up to date in print.

> I hope to avoid having to go through this in the future. My goal is
> really to understand the process. Right now, all I can do is describe
> the problem and hope someone can walk me through the solution as you
> have done. (I learn well from examples, so I know much more now that
> I've at least gone through it.)

The way I learned about it was by reading the FC3 SELinux/Apache FAQ 
(http://fedora.redhat.com/docs/selinux-apache-fc3/), which is a bit out 
of date now, particularly regarding policy customization, hanging out on 
fedora-selinux-list, and getting my own systems working to my own 
satisfaction in enforcing mode.

The online documentation is getting better, and a good place to start is 
probably: http://fedoraproject.org/wiki/SELinux

Paul.
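The module-building procedure quoted in this thread, packaged as a script with one extra check: before running restorecon it asks the loaded policy (via matchpathcon) which type it would assign to the data directory, so a labelling problem like the user_home_t result above is caught before anything is relabelled. This is an added example, not code from the thread; it assumes the thread's /home/pgsql layout and a Fedora host with checkpolicy, policycoreutils and the selinux-policy devel Makefile installed.

```shell
#!/bin/sh
set -e

PG_HOME=/home/pgsql   # assumption: database relocated under /home/pgsql as in the thread

# Write the postgresql.te / .fc / .if sources from the thread into directory $1.
write_policy_sources() {
    mkdir -p "$1"
    cat > "$1/postgresql.te" <<'EOF'
module postgresql 0.1;

require {
        class dir search;
        class lnk_file read;
        type home_root_t;
        type postgresql_t;
        type var_lib_t;
};

# Read the /var/lib/pgsql -> /home/pgsql symlink, and search /home
allow postgresql_t var_lib_t:lnk_file read;
allow postgresql_t home_root_t:dir search;
EOF
    cat > "$1/postgresql.fc" <<'EOF'
/home/pgsql                     -d      gen_context(system_u:object_r:var_lib_t,s0)
/home/pgsql/data(/.*)?                  gen_context(system_u:object_r:postgresql_db_t,s0)
/home/pgsql/pgstartup.log       --      gen_context(system_u:object_r:postgresql_log_t,s0)
EOF
    : > "$1/postgresql.if"   # interface file must exist but may be empty
}

# Succeed only if the loaded policy maps path $1 to SELinux type $2.
label_is() {
    matchpathcon -n "$1" | grep -q ":$2:"
}

# Build, install, and relabel only if the new file contexts actually apply.
build_and_install() {
    ( cd "$1" && ln -sf /usr/share/selinux/devel/Makefile . && make )
    semodule -i "$1/postgresql.pp"
    if ! label_is "$PG_HOME/data" postgresql_db_t; then
        echo "policy labels $PG_HOME/data as $(matchpathcon -n "$PG_HOME/data"); not relabelling" >&2
        echo "check: semanage fcontext -l | grep pgsql" >&2
        return 1
    fi
    restorecon -Rv "$PG_HOME"
}
```

Run `write_policy_sources /root/selinux.local` followed by `build_and_install /root/selinux.local` as root; if the check fails, the semanage output shows which existing rule is winning for /home/pgsql.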