[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: SELinux question

Paul Howarth írta:
On Sun, 2006-05-28 at 20:33 +0200, Zoltan Boszormenyi wrote:
Paul Howarth írta:
On Sun, 2006-05-28 at 17:13 +0200, Zoltan Boszormenyi wrote:

answering to myself. :-)

Zoltan Boszormenyi írta:
So, how can I fix the current situation and include /home1/pgsql in
the postgresql context/domain? I would like to relabel it to recover the context...

BTW the same principle would apply if one would like to create
another tablespace for postgresql under another mount point...
After some more RTFM, it would seem simple:

semanage fcontext -a -t postgresql_db_t '/home1/pgsql/data(/.*)?'
semanage fcontext -a -t postgresql_log_t '/home1/pgsql/pgstartup.log'
fixfiles relabel /home1/pgsql

But it was not enough. Starting it with "service postgresql start" fails.
I had to modify the rc script, too. I had to replace /var/lib/pgsql with
/home1/pgsql everywhere despite the /var/lib/pgsql -> /home1/pgsql symlink.
This will be failing because SELinux is blocking access to reading the
symlink. You should find an avc denial for the lnk_file in your logs.
I haven't found any. :-(

Perhaps you won't find any now because it's never trying to
access /var/lib/pgsql since you changed the configs to get around the
problem? Are there none from first attempt?

Sorry, I expected the audit messages in /var/log/messages.
Yes, I have such messages in audit.log:

type=AVC msg=audit(1148827118.909:2493): avc:  denied  { read } \
  for  pid=29719 comm="postmaster" name="pgsql" dev=hdb3 \
  ino=1010804 scontext=user_u:system_r:postgresql_t:s0 \
  tcontext=user_u:object_r:var_lib_t:s0 tclass=lnk_file
type=PATH msg=audit(1148827118.909:2493): item=0 \
  name="/var/lib/pgsql/data/postgresql.conf" flags=101

Can this difference below cause the problem?

[root localhost log]# ls -d --scontext /var/lib/pgsql
user_u:object_r:var_lib_t        /var/lib/pgsql -> /home1/pgsql
[root localhost log]# ls -d --scontext /var/lib/pgsql/
system_u:object_r:default_t      /var/lib/pgsql/

Adding /home1/pgsql with var_lib_t context didn't make any difference, though.

The existence of the symlink itself is probably the problem, rather than
its context. Applications have to have specific permission to be able to
read (and hence follow) symlinks in SELinux.

So, how can I tweak the policy so postgres can follow just this one symlink?

But this is enough for adding another tablespace under e.g. /home1/pgsql2:

mkdir -p /home1/pgsql2/data
chown -R postgres.postgres /home1/pgsql2
semanage fcontext -a -t postgresql_db_t '/home1/pgsql2/data(/.*)?'
fixfiles relabel /home1/pgsql2
An easier way is to bind mount /home/pgsql on /var/lib/pgsql etc. and do
a restorecon -R on the "new" /var/lib/pgsql. That achieves the same
effect without the symlink.
I know, but the disk I install will be (or already is) used for both my databases
and for extending /home. I created only one partition on that disk, so...
The system is my home/devel machine and the disk is SATA and fast enough.
Although for a high performance production machine, I would always give
PostgreSQL it's own disks to separate WAL, table and index spaces.

Perhaps you'll use LVM next time :-)

Well, how can you merge two disks with LVM and still
be able to record from the BTTV card to only one of them?
Having a separate disk dedicates the disk speed to this task
while another program can write under /home. Maybe
my knowledge is a bit outdated, so enlightenment is welcome. :-)

Best regards,
Zoltán Böszörményi

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]