
Re: SELinux question



Paul Howarth wrote:
Zoltan Boszormenyi wrote:
Paul Howarth wrote:
Set yourself up for making local policy modules:
...
Make a local policy module for this issue, in this directory:
1. Create a file postgres.te with this content:

module postgres 0.1;
...

2. Create a file postgres.fc with this content:

/home1/pgsql[^/]*/data(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0)

/home1/pgsql[^/]*/pgstartup.log -- gen_context(system_u:object_r:postgresql_log_t,s0)

(that's two long lines)
...
Next, remove any file context objects you added for this issue using
semanage (contexts will now be managed using your local policy module):

# semanage fcontext -d -t postgresql_db_t '/home1/pgsql/data(/.*)?'
# semanage fcontext -d -t postgresql_log_t '/home1/pgsql/pgstartup.log'
# semanage fcontext -d -t postgresql_db_t '/home1/pgsql2/data(/.*)?'

Finally, install your new policy module:

# semodule -i postgres.pp

Thanks, it almost worked. After doing the above,
I still got avc denied { search } messages like this one:

type=AVC msg=audit(1148979521.381:10): avc: denied { search } for pid=2666 comm="postmaster" name="/" dev=sda1 ino=2 scontext=system_u:system_r:postgresql_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir

As it turned out, /home1 was default_t and postgresql is not allowed to search
and read files in the default_t context. This made it work:

# semanage fcontext -a -t var_lib_t -f -d '/home1'
# fixfiles relabel /home1

You can incorporate this into your local policy module by adding another line to postgres.fc:

/home1(/pgsql)? -d gen_context(system_u:object_r:var_lib_t,s0)

Bump the version number in postgres.te from 0.1 to 0.2 and re-run make.

You could then remove the extra fcontext object using semanage, and update the policy module:
# semodule -i postgres.pp

Having everything in the policy module is better for maintainability I think.

You are right. Thanks.

What puzzled me is starting postgresql failed at boot
but not the manual "service postgresql start" after bootup.
(Maybe different contexts are applied to the logged-in root
and the init program?)

Running the initscript should be exactly the same as the boot process. Starting the service manually (without the initscript) would be different though, as no domain transition would happen.

Both

service postgresql start

and

su - postgres
PGDATA=/home1/pgsql pg_ctl start

started successfully if I logged in as root or under "su -" from my mortal uid.
(The postgresql initscript uses "runuser" instead of "su" IIRC.)

Do the AVCs logged during the boot process show the process running as postgresql_t? If you do a "ps uaxZ", is it running as postgresql_t or unconfined_t?

It's running under postgresql_t.

The two lines above made it work again.

So it's working from bootup now?

Yes.

An easier way is to bind mount /home/pgsql on /var/lib/pgsql etc. and do
a restorecon -R on the "new" /var/lib/pgsql. That achieves the same
effect without the symlink.

Actually I missed the "bind mount" part. That would have been much easier.
But the crash course in SELinux was most fruitful, thank you.

I've just responded to another poster with almost exactly the same issue. I think this might be worth a wiki page.

It would be a good idea.

Sorry for the late answer, yesterday I donated blood
and had to hit the bed earlier than usual.

No problem, we all have to sleep!

Of course :-)

Best regards,
Zoltán Böszörményi
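As an added example (not part of this thread, and not code written by either poster), here is a small Python triage script for exactly the situation above: it parses an AVC record of the shape Zoltán quoted, walks every ancestor of PGDATA to find directories whose type the postgresql_t domain cannot search, and renders the postgres.fc lines that would relabel them. The label table and the set of traversable directory types are constructed assumptions for illustration; on a real system the labels come from `ls -Zd` on each path and the allowed types from the loaded policy.

```python
"""Triage an SELinux 'denied { search }' AVC against the labels of PGDATA's
ancestors.  Added example; the sample record is the one quoted in the thread,
the label table and the traversable-type set are constructed assumptions."""
import re
from pathlib import PurePosixPath

# Constructed sample: the AVC record quoted in the thread.
SAMPLE_AVC = (
    'type=AVC msg=audit(1148979521.381:10): avc: denied { search } for '
    'pid=2666 comm="postmaster" name="/" dev=sda1 ino=2 '
    'scontext=system_u:system_r:postgresql_t:s0 '
    'tcontext=system_u:object_r:default_t:s0 tclass=dir'
)

# Constructed label table (what `ls -Zd` would show before the fix): /home1 is
# its own filesystem and, like /home1/pgsql, still carries default_t.
SAMPLE_LABELS = {
    '/': 'root_t',
    '/home1': 'default_t',
    '/home1/pgsql': 'default_t',
    '/home1/pgsql/data': 'postgresql_db_t',
}

# Assumption for this example: directory types postgresql_t may search on the
# way down to PGDATA.  The authoritative set comes from the loaded policy.
TRAVERSABLE = {'root_t', 'var_lib_t', 'postgresql_db_t'}

AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def _type_of(context):
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(':')
    return parts[2] if len(parts) > 2 else None


def parse_avc(line):
    """Parse one audit AVC record into a dict; return None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {'result': m.group('result'), 'perms': m.group('perms').split()}
    for key, value in KV_RE.findall(m.group('rest')):
        rec[key] = value.strip('"')
    rec['stype'] = _type_of(rec.get('scontext', ''))
    rec['ttype'] = _type_of(rec.get('tcontext', ''))
    return rec


def unsearchable_ancestors(path, labels, traversable):
    """List (path, type) for every component from / down to `path` whose
    directory type is unknown or not in `traversable`.  The domain needs
    'search' on each of these to reach PGDATA; the AVC above is the mount
    point /home1 (name="/" on its own device) still labelled default_t."""
    target = PurePosixPath(path)
    chain = list(reversed(target.parents)) + [target]
    return [(str(p), labels.get(str(p))) for p in chain
            if labels.get(str(p)) not in traversable]


def fc_lines(paths, setype):
    """Render postgres.fc entries giving each directory `setype`.  Regex
    metacharacters are escaped because .fc path specs are regular expressions."""
    return [f'{re.escape(p)} -d gen_context(system_u:object_r:{setype},s0)'
            for p in paths]


def diagnose(line, pgdata, labels, traversable, fix_type='var_lib_t'):
    """If the denial is a directory search, return the .fc lines that would
    relabel the ancestors of `pgdata` carrying the denied target type."""
    rec = parse_avc(line)
    if not rec or rec.get('tclass') != 'dir' or 'search' not in rec['perms']:
        return []
    bad = [p for p, t in unsearchable_ancestors(pgdata, labels, traversable)
           if t == rec['ttype']]
    return fc_lines(bad, fix_type)


if __name__ == '__main__':
    for entry in diagnose(SAMPLE_AVC, '/home1/pgsql/data',
                          SAMPLE_LABELS, TRAVERSABLE):
        print(entry)
```

The generated lines go into postgres.fc next to the ones already in the module; after bumping the version in postgres.te and rebuilding, `semodule -i postgres.pp` followed by `restorecon -R` (or `fixfiles relabel`) on the affected tree applies them, and the check that matters is that no further `denied { search }` records appear for postgresql_t on the next boot.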

