SELinux question
Zoltan Boszormenyi
zboszor at freemail.hu
Wed May 31 16:45:03 UTC 2006
Paul Howarth wrote:
> Zoltan Boszormenyi wrote:
>> Paul Howarth wrote:
>>> Zoltan Boszormenyi wrote:
>>>> What puzzled me is starting postgresql failed at boot
>>>> but not the manual "service postgresql start" after bootup.
>>>> (Maybe different contexts are applied to the logged-in root
>>>> and the init program?)
>>>
>>> Running the initscript should be exactly the same as the boot
>>> process. Starting the service manually (without the initscript)
>>> would be different though, as no domain transition would happen.
>>
>> Both
>>
>> service postgresql start
>>
>> and
>>
>> su - postgres
>> PGDATA=/home1/pgsql pg_ctl start
>>
>> started successfully if I logged in as root or under "su -" from my
>> mortal uid.
>> (The postgresql initscript uses "runuser" instead of "su" IIRC.)
>>
>>> Do the AVCs logged during the boot process show the process running
>>> as postgresql_t? If you do a "ps uaxZ", is it running as
>>> postgresql_t or unconfined_t?
>>
>> It's running under postgresql_t.
>
> Does it run under postgresql_t if you start it using pg_ctl?
$ su -
# service postgresql stop
# su - postgres
$ PGDATA=/var/lib/pgsql/data pg_ctl start
postmaster starting
$ ps axuZ | grep post | grep -v bash | grep -v grep | grep -v "su -" |
grep -v "ps "
user_u:system_r:unconfined_t postgres 5171 0.5 0.3 92280 3808
pts/0 S 18:32 0:00 /usr/bin/postmaster
user_u:system_r:unconfined_t postgres 5174 0.0 0.1 81324 1056
pts/0 S 18:32 0:00 postgres: logger process
user_u:system_r:unconfined_t postgres 5176 0.0 0.1 92264 1152
pts/0 S 18:32 0:00 postgres: writer process
user_u:system_r:unconfined_t postgres 5177 0.0 0.1 82460 992
pts/0 S 18:32 0:00 postgres: stats buffer process
user_u:system_r:unconfined_t postgres 5178 0.0 0.1 81456 1196
pts/0 S 18:32 0:00 postgres: stats collector process
$ pg_ctl stop
$ logout
# service postgresql start
A(z) postgresql szolgáltatás elindítása: [ OK ]
[root at host-81-17-177-202 ~]# ps axuZ | grep post | grep -v bash | grep
-v grep | grep -v "su -" | grep -v "ps "
user_u:system_r:unconfined_t postgres 5307 9.5 0.3 92284 3808
? S 18:36 0:00 /usr/bin/postmaster -p 5432 -D
/var/lib/pgsql/data
user_u:system_r:unconfined_t postgres 5309 0.0 0.1 81328 1056
? S 18:36 0:00 postgres: logger process
user_u:system_r:unconfined_t postgres 5311 0.0 0.1 92268 1112
? S 18:36 0:00 postgres: writer process
user_u:system_r:unconfined_t postgres 5312 0.0 0.0 82464 920
? S 18:36 0:00 postgres: stats buffer process
user_u:system_r:unconfined_t postgres 5313 0.0 0.1 81460 1196
? S 18:36 0:00 postgres: stats collector process
Both times it's running under unconfined_t, so it doesn't matter
whether it's running under "su - postgres" or "runuser - postgres".
It seems what matters is that it's started from a logged-in user:
# ps auxZ | grep bash
user_u:system_r:unconfined_t zozo 4979 0.0 0.1 59836 1708
pts/0 Ss 18:28 0:00 bash
user_u:system_r:unconfined_t root 5002 0.0 0.1 59840 1688
pts/0 S 18:28 0:00 -bash
I logged in through GDM if that's interesting, running "su - " in a
gnome-terminal.
>>> I've just responded to another poster with almost exactly the same
>>> issue. I think this might be worth a wiki page.
>>
>> It would be a good idea.
>
> I'll do that when the other poster's last issue (default file
> contexts) is resolved.
>
> Paul.
>
Best regards,
Zoltán Böszörményi
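A small check, added here and not part of the thread, that turns the "ps axuZ" inspection above into a repeatable test: it reads lines in the shape of `ps -eo label,pid,comm` (a constructed sample mirroring the thread is embedded) and reports any process whose SELinux type is not the domain it should be confined to, e.g. a postmaster in unconfined_t rather than postgresql_t. The `live_check` wrapper assumes the local procps accepts the `label` output column.

```shell
#!/bin/sh
# Added example (not from the fedora-list thread): detect confined services
# that are actually running in the wrong SELinux domain, the symptom described
# above where postmaster started from a logged-in root shell ends up in
# unconfined_t instead of postgresql_t.

# Constructed sample in "label pid comm" form, mirroring the thread's ps output.
SAMPLE_PS='system_u:system_r:postgresql_t  5171 postmaster
user_u:system_r:unconfined_t     5307 postmaster
user_u:system_r:unconfined_t     5309 postgres
system_u:system_r:httpd_t        2201 httpd'

# check_domain <expected_type> <command_name>
# Reads "label pid comm" lines on stdin. Prints "pid comm actual_type" for every
# process named <command_name> whose type field differs from <expected_type>.
# Returns 1 if at least one mismatch was found, 0 otherwise.
check_domain() {
    expected="$1"; cmd="$2"; bad=0
    while read -r label pid comm; do
        [ "$comm" = "$cmd" ] || continue
        # Context is user:role:type[:level]; strip "user:role:" and any MLS level.
        rest=${label#*:*:}
        type=${rest%%:*}
        if [ "$type" != "$expected" ]; then
            printf '%s %s %s\n' "$pid" "$comm" "$type"
            bad=1
        fi
    done
    return $bad
}

# live_check <expected_type> <command_name>
# Same check against the running system (assumes `ps -eo label,pid,comm` works).
live_check() {
    ps -eo label,pid,comm | check_domain "$1" "$2"
}

# Demo on the constructed sample: pid 5307 is reported, pid 5171 is not.
if ! printf '%s\n' "$SAMPLE_PS" | check_domain postgresql_t postmaster; then
    echo "postmaster running outside postgresql_t (started from a login shell?)"
fi
```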