Re: SELinux question

On Sun, 2006-05-28 at 20:33 +0200, Zoltan Boszormenyi wrote:
> Paul Howarth wrote:
> > On Sun, 2006-05-28 at 17:13 +0200, Zoltan Boszormenyi wrote:
> >   
> >> Hi,
> >>
> >> answering to myself. :-)
> >>
> >> Zoltan Boszormenyi wrote:
> >>     
> >>> So, how can I fix the current situation and include /home1/pgsql in
> >>> the postgresql context/domain? I would like to relabel it to recover 
> >>> the context...
> >>>
> >>> BTW the same principle would apply if one would like to create
> >>> another tablespace for postgresql under another mount point...
> >>>       
> >> After some more RTFM, it would seem simple:
> >>
> >> semanage fcontext -a -t postgresql_db_t '/home1/pgsql/data(/.*)?'
> >> semanage fcontext -a -t postgresql_log_t '/home1/pgsql/pgstartup.log'
> >> fixfiles relabel /home1/pgsql
> >>
> >> But it was not enough. Starting it with "service postgresql start" fails.
> >> I had to modify the rc script, too. I had to replace /var/lib/pgsql with
> >> /home1/pgsql everywhere despite the /var/lib/pgsql -> /home1/pgsql symlink.
> >>     
> >
> > This will be failing because SELinux is blocking access to reading the
> > symlink. You should find an avc denial for the lnk_file in your logs.
> >   
> 
> I haven't found any. :-(

Perhaps you won't find any now because it's never trying to
access /var/lib/pgsql since you changed the configs to get around the
problem? Are there none from the first attempt?

> Can this difference below cause the problem?
> 
> [root@localhost log]# ls -d --scontext /var/lib/pgsql
> user_u:object_r:var_lib_t        /var/lib/pgsql -> /home1/pgsql
> [root@localhost log]# ls -d --scontext /var/lib/pgsql/
> system_u:object_r:default_t      /var/lib/pgsql/
> 
> Adding /home1/pgsql with var_lib_t context didn't make any difference, 
> though.

The existence of the symlink itself is probably the problem, rather than
its context. Applications have to have specific permission to be able to
read (and hence follow) symlinks in SELinux.

> >> But this is enough for adding another tablespace under e.g. /home1/pgsql2:
> >>
> >> mkdir -p /home1/pgsql2/data
> >> chown -R postgres.postgres /home1/pgsql2
> >> semanage fcontext -a -t postgresql_db_t '/home1/pgsql2/data(/.*)?'
> >> fixfiles relabel /home1/pgsql2
> >>     
> >
> > An easier way is to bind mount /home/pgsql on /var/lib/pgsql etc. and do
> > a restorecon -R on the "new" /var/lib/pgsql. That achieves the same
> > effect without the symlink.
> >   
> 
> I know, but the disk I install will be (or already is) used for both my
> databases and for extending /home. I created only one partition on that disk, so...
> The system is my home/devel machine and the disk is SATA and fast enough.
> Although for a high performance production machine, I would always give
> PostgreSQL its own disks to separate WAL, table and index spaces.

Perhaps you'll use LVM next time :-)

Paul.

-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list