
Re: Postgres directory context



Sorry it took me so long to reply back. It's been a busy weekend.

Bind mounting worked. I actually changed /home/ to /Data and bind mounted /home/ onto /Data/home and then created /Data/pgsql, changing the default context to those of /var/lib/pgsql. That didn't work, even when I changed /Data to system_u:object_r:var_t, /Data/pgsql to system_u:object_r:var_lib_t, and /Data/pgsql/data to system_u:object_r:postgresql_db_t. I thought maybe selinux only allowed transition to var_lib_t from var_t, and then to postgres_db_t from var_lib_t. Is that how it works with the directory hierarchy?

Anyway, I moved /var/lib/pgsql to /var/lib/pgsql.bk, bind mounted /Data/pgsql/ to /var/lib/pgsql and removed /etc/sysconfig/pgsql/postgresql. That worked. I just hope the developers don't see stuff like that as a security hole and fix it.

Have they changed the wiki? It seems like they have more useful info in there than what I've found in the past. Then again, most of my visits to the wiki were from Google links. Maybe I just needed to visit the home page.

Thanks for all your help.
Jim Young
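
The point Paul makes below (every directory on the way down to the data directory must carry a label the postgres domain can traverse, not just the leaf) is easiest to verify by listing each ancestor with its context. The script below is an added example, not part of this thread and not from the Fedora or PostgreSQL projects. It assumes GNU coreutils `stat`, whose `%C` format prints the SELinux context of a file; the default path and the fstab line in the comments mirror the layout Jim describes above (/Data/pgsql bind mounted over /var/lib/pgsql), and no policy rule beyond "each ancestor must be traversable" is assumed.

```shell
#!/bin/sh
# Added example: walk from / down to a PostgreSQL data directory and print the
# SELinux context of every component, so a mislabelled ancestor stands out.
#
# The bind-mount approach from the thread, as an /etc/fstab line (assumed form):
#   /Data/pgsql  /var/lib/pgsql  none  bind  0 0
# After mounting, the labels seen under /var/lib/pgsql are those of /Data/pgsql,
# and this script shows whether each ancestor still looks the way policy expects.

# Print every ancestor of an absolute path, root first, one per line.
# Handles trailing and doubled slashes; pure POSIX sh, no external tools.
path_components() {
    rest=${1#/}          # drop the leading slash
    acc=""
    printf '/\n'
    while [ -n "$rest" ]; do
        seg=${rest%%/*}  # first segment
        if [ "$seg" = "$rest" ]; then
            rest=""      # last segment, nothing after it
        else
            rest=${rest#*/}
        fi
        if [ -z "$seg" ]; then
            continue     # empty segment from a doubled slash
        fi
        acc="$acc/$seg"
        printf '%s\n' "$acc"
    done
}

# Context of one path, or '?' where stat cannot report one (non-SELinux host,
# or a filesystem mounted without labels).
context_of() {
    stat -c '%C' "$1" 2>/dev/null || echo '?'
}

# Show each ancestor of the given path together with its context. A line that
# reads '(missing)' means the directory does not exist yet; a '?' means the
# kernel has no label for it, which postgres will not be able to traverse either.
show_hierarchy_contexts() {
    path_components "$1" | while IFS= read -r d; do
        if [ -e "$d" ]; then
            printf '%-32s %s\n' "$d" "$(context_of "$d")"
        else
            printf '%-32s (missing)\n' "$d"
        fi
    done
}

# Default to the data directory used in the thread when run without arguments.
show_hierarchy_contexts "${1:-/var/lib/pgsql/data}"
```

Run it as `sh hierarchy-contexts.sh /Data/pgsql/data` (or with no argument for the stock path). Every line should show a type the postgres domain may search; if one ancestor shows the type /home directories normally carry, or `?`, that is the component to relabel (`restorecon` after a `semanage fcontext` rule) or to route around with the bind mount Paul suggests.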

On 1/12/07, Paul Howarth <paul city-fan org> wrote:
James Young wrote:
> Does selinux check context on the whole directory hierarchy when making a
> decision about permission to enter a directory? That is, when I try to
> access /home/Data/pgsql, will it check the context on /home, then
> /home/Data, and then on /home/Data/pgsql? Or will it only check the context
> on /home/Data/pgsql?
>
> I want to put a Postgres database in a /home/Data/pgsql/data directory, but
> the initrc script will not run it there. I can run it as the postgres user.
> The contexts mirror the /var/lib/pgsql/data directory:
> user_u:object_r:postgres_db_t. The context of /home/Data/pgsql is
> system_u:object_r:var_lib_t.

The whole hierarchy must be readable. Putting server data under /home
always causes problems. I'd suggest bind mounting /home/Data/pgsql to
/var/lib/pgsql or something similar.

You could change the context type of /home/Data to var_t but you'd
probably still have issues with /home itself.

> Does Fedora use the reference policy from Tresys exactly? If not, where can
> I find the source policy for Fedora? All I can find are the if files.

The selinux-policy SRPM.

> Finally, are there any better references for selinux? Everything I've read
> seems dated.

http://fedoraproject.org/wiki/SELinux is a decent starting point.

Paul.


