SELinux question

Paul Howarth paul at city-fan.org
Mon May 29 08:16:03 UTC 2006 

On Sun, 2006-05-28 at 22:14 +0200, Zoltan Boszormenyi wrote:
> Paul Howarth írta:
> > On Sun, 2006-05-28 at 20:33 +0200, Zoltan Boszormenyi wrote:
> >   
> >> Paul Howarth írta:
> >>     
> >>> On Sun, 2006-05-28 at 17:13 +0200, Zoltan Boszormenyi wrote:
> >>>   
> >>>       
> >>>> Hi,
> >>>>
> >>>> answering to myself. :-)
> >>>>
> >>>> Zoltan Boszormenyi írta:
> >>>>     
> >>>>         
> >>>>> So, how can I fix the current situation and include /home1/pgsql in
> >>>>> the postgresql context/domain? I would like to relabel it to recover 
> >>>>> the context...
> >>>>>
> >>>>> BTW the same principle would apply if one would like to create
> >>>>> another tablespace for postgresql under another mount point...
> >>>>>       
> >>>>>           
> >>>> After some more RTFM, it would seem simple:
> >>>>
> >>>> semanage fcontext -a -t postgresql_db_t '/home1/pgsql/data(/.*)?'
> >>>> semanage fcontext -a -t postgresql_log_t '/home1/pgsql/pgstartup.log'
> >>>> fixfiles relabel /home1/pgsql
> >>>>
> >>>> But it was not enough. Starting it with "service postgresql start" fails.
> >>>> I had to modify the rc script, too. I had to replace /var/lib/pgsql with
> >>>> /home1/pgsql everywhere despite the /var/lib/pgsql -> /home1/pgsql symlink.
> >>>>     
> >>>>         
> >>> This will be failing because SELinux is blocking access to reading the
> >>> symlink. You should find an avc denial for the lnk_file in your logs.
> >>>   
> >>>       
> >> I haven't found any. :-(
> >>     
> >
> > Perhaps you won't find any now because it's never trying to
> > access /var/lib/pgsql since you changed the configs to get around the
> > problem? Are there none from first attempt?
> >   
> 
> Sorry, I expected the audit messages in /var/log/messages.
> Yes, I have such messages in audit.log:

You must have auditd running (probably a system upgraded from FC4 rather
than a clean FC5 install).

> type=AVC msg=audit(1148827118.909:2493): avc:  denied  { read } \
>    for  pid=29719 comm="postmaster" name="pgsql" dev=hdb3 \
>    ino=1010804 scontext=user_u:system_r:postgresql_t:s0 \
>    tcontext=user_u:object_r:var_lib_t:s0 tclass=lnk_file
> type=PATH msg=audit(1148827118.909:2493): item=0 \
>    name="/var/lib/pgsql/data/postgresql.conf" flags=101

...

> > The existence of the symlink itself is probably the problem, rather than
> > its context. Applications have to have specific permission to be able to
> > read (and hence follow) symlinks in SELinux.
> >   
> 
> So, how can I tweak the policy so postgres can follow just this one symlink?

Set yourself up for making local policy modules:

# yum install checkpolicy
# cd /root
# mkdir selinux.local
# cd selinux.local
# chcon -R -t usr_t .
# ln -s /usr/share/selinux/devel/Makefile .

Make a local policy module for this issue, in this directory:
1. Create a file postgres.te with this content:

module postgres 0.1;

require {
        class lnk_file read;

        type postgresql_t;
        type var_lib_t;
};

# Allow postgres to read /var/lib/pgsql -> /home1/pgsql symlink
allow postgresql_t var_lib_t:lnk_file read;

2. Create a file postgres.fc with this content:

/home1/pgsql[^/]*/data(/.*)?
gen_context(system_u:object_r:postgresql_db_t,s0)

/home1/pgsql[^/]*/pgstartup.log	--
gen_context(system_u:object_r:postgresql_log_t,s0)

(that's two long lines)

3. Create an empty postgres.if file:

# touch postgres.if

4. Build the policy module

# make

Next, remove any file context objects you added for this issue using
semanage (contexts will now be managed using your local policy module):

# semanage fcontext -d -t postgresql_db_t '/home1/pgsql/data(/.*)?'
# semanage fcontext -d -t postgresql_log_t '/home1/pgsql/pgstartup.log'
# semanage fcontext -d -t postgresql_db_t '/home1/pgsql2/data(/.*)?'

Finally, install your new policy module:

# semodule -i postgres.pp

> >>> An easier way is to bind mount /home/pgsql on /var/lib/pgsql etc. and do
> >>> a restorecon -R on the "new" /var/lib/pgsql. That achieves the same
> >>> effect without the symlink.
> >>>   
> >>>       
> >> I know, but the disk I install will be (or already is) used for both my 
> >> databases
> >> and for extending /home. I created only one partition on that disk, so...
> >> The system is my home/devel machine and the disk is SATA and fast enough.
> >> Although for a high performance production machine, I would always give
> >> PostgreSQL it's own disks to separate WAL, table and index spaces.
> >>     
> >
> > Perhaps you'll use LVM next time :-)
> >   
> 
> Well, how can you merge two disks with LVM and still
> be able to record from the BTTV card to only one of them?
> Having a separate disk dedicates the disk speed to this task
> while another program can write under /home. Maybe
> my knowledge is a bit outdated, so enlightenment is welcome. :-)

You could create two partitions on the additional disk, one for
extending the space on /home and one dedicated to BTTV. Create an LVM
physical volume on each partition. Add the first physical volume to the
volume group used for /home, then extend the logical volume for /home
and resize up the partition. Create a new volume group for BTTV purposes
and add the second physical volume to it. Create a new logical volume
for BTTV, and create a new filesystem on that logical volume. Since it's
in a separate volume group, it will be allocated space only from the
fast new drive.

Paul.

More information about the fedora-list mailing list