SELinux question

Zoltan Boszormenyi zboszor at freemail.hu
Wed May 31 16:45:03 UTC 2006


Paul Howarth wrote:
> Zoltan Boszormenyi wrote:
>> Paul Howarth wrote:
>>> Zoltan Boszormenyi wrote:
>>>> What puzzled me is starting postgresql failed at boot
>>>> but not the manual "service postgresql start" after bootup.
>>>> (Maybe different contexts are applied to the logged-in root
>>>> and the init program?)
>>>
>>> Running the initscript should be exactly the same as the boot 
>>> process. Starting the service manually (without the initscript) 
>>> would be different though, as no domain transition would happen.
>>
>> Both
>>
>> service postgresql start
>>
>> and
>>
>> su - postgres
>> PGDATA=/home1/pgsql pg_ctl start
>>
>> started successfully if I logged in as root or under "su -" from my 
>> mortal uid.
>> (The postgresql initscript uses "runuser" instead of "su" IIRC.)
>>
>>> Do the AVCs logged during the boot process show the process running 
>>> as postgresql_t? If you do a "ps uaxZ", is it running as 
>>> postgresql_t or unconfined_t?
>>
>> It's running under postgresql_t.
>
> Does it run under postgresql_t if you start it using pg_ctl?

$ su -
# service postgresql stop
# su - postgres
$ PGDATA=/var/lib/pgsql/data pg_ctl start
postmaster starting
$ ps axuZ | grep post | grep -v bash | grep -v grep | grep -v "su -" | grep -v "ps "
user_u:system_r:unconfined_t    postgres  5171  0.5  0.3  92280  3808 pts/0    S    18:32   0:00 /usr/bin/postmaster
user_u:system_r:unconfined_t    postgres  5174  0.0  0.1  81324  1056 pts/0    S    18:32   0:00 postgres: logger process
user_u:system_r:unconfined_t    postgres  5176  0.0  0.1  92264  1152 pts/0    S    18:32   0:00 postgres: writer process
user_u:system_r:unconfined_t    postgres  5177  0.0  0.1  82460   992 pts/0    S    18:32   0:00 postgres: stats buffer process
user_u:system_r:unconfined_t    postgres  5178  0.0  0.1  81456  1196 pts/0    S    18:32   0:00 postgres: stats collector process
$ pg_ctl stop
$ logout
# service postgresql start
Starting the postgresql service:                   [  OK  ]
[root at host-81-17-177-202 ~]# ps axuZ | grep post | grep -v bash | grep -v grep | grep -v "su -" | grep -v "ps "
user_u:system_r:unconfined_t    postgres  5307  9.5  0.3  92284  3808 ?        S    18:36   0:00 /usr/bin/postmaster -p 5432 -D /var/lib/pgsql/data
user_u:system_r:unconfined_t    postgres  5309  0.0  0.1  81328  1056 ?        S    18:36   0:00 postgres: logger process
user_u:system_r:unconfined_t    postgres  5311  0.0  0.1  92268  1112 ?        S    18:36   0:00 postgres: writer process
user_u:system_r:unconfined_t    postgres  5312  0.0  0.0  82464   920 ?        S    18:36   0:00 postgres: stats buffer process
user_u:system_r:unconfined_t    postgres  5313  0.0  0.1  81460  1196 ?        S    18:36   0:00 postgres: stats collector process

Both times it's running under unconfined_t, so it doesn't matter
whether it's running under "su - postgres" or "runuser - postgres".
It seems what matters is that it's started from a logged in user:

# ps auxZ | grep bash
user_u:system_r:unconfined_t    zozo      4979  0.0  0.1  59836  1708 
pts/0    Ss   18:28   0:00 bash
user_u:system_r:unconfined_t    root      5002  0.0  0.1  59840  1688 
pts/0    S    18:28   0:00 -bash

I logged in through GDM if that's interesting, running "su - " in a 
gnome-terminal.

>>> I've just responded to another poster with almost exactly the same 
>>> issue. I think this might be worth a wiki page.
>>
>> It would be a good idea.
>
> I'll do that when the other poster's last issue (default file 
> contexts) is resolved.
>
> Paul.
>

Best regards,
Zoltán Böszörményi
