Re: Trouble starting postgresql

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Tue, 2006-05-30 at 09:10, Paul Howarth wrote:
[ ... ]
> If that's all you have, it shouldn't be difficult to fix.
> 
> Set yourself up for making local policy modules:
> 
> # yum install checkpolicy
> # cd /root
> # mkdir selinux.local
> # cd selinux.local
> # chcon -R -t usr_t .
> # ln -s /usr/share/selinux/devel/Makefile .
> 
> Make a local policy module for this issue, in this directory:
> 
> 1. Create a file postgresql.te with this content:
> 
> module postgresql 0.1;
> 
> require {
>          class dir search;
>          class lnk_file read;
> 
>          type home_root_t;
>          type postgresql_t;
>          type var_lib_t;
> };
> 
> # Allow postgresql to read /var/lib/pgsql -> /home/pgsql symlink
> # if present
> allow postgresql_t var_lib_t:lnk_file read;
> 
> # Allow postgresql to search directory /home
> allow postgresql_t home_root_t:dir search;
> 
> 2. Create a file postgresql.fc with this content:
> 
> /home/pgsql                     -d 
> gen_context(system_u:object_r:var_lib_t,s0)
> /home/pgsql/data(/.*)? 
> gen_context(system_u:object_r:postgresql_db_t,s0)
> /home/pgsql/pgstartup.log       -- 
> gen_context(system_u:object_r:postgresql_log_t,s0)
> 
> (that's three long lines)
> 
> 3. Create an empty postgresql.if file:
> 
> # touch postgresql.if
> 
> 4. Build the policy module
> 
> # make
> 
> Install your new policy module:
> 
> # semodule -i postgresql.pp
> 
> Fix file contexts:
> 
> # restorecon -Rv /home/pgsql
> 
> Hopefully that should get you going in enforcing mode.

Well, that restorecon set all the contexts back to user_home_t. Ugh.

After recursively setting the data directory to postgresql_db_t and the
logfile to postgresql_log_t, service starts up without complaint. So
then:

  postgresql started... check
  database located under /home/pgsql... check
  SELinux enforcing... yep
  postgresql service not excluded... yes
  read and write data to db... YES!

Excellent. I presume I should keep these SELinux policy source files in
a safe place in case this configuration is required again.

Thank you so much for your assistance! I have one final question. Do you
have any recommendations for decent documentation on SELinux
administration? Online is alright, but book recommendations are
perfectly welcome.

I hope to avoid having to go through this in the future. My goal is
really to understand the process. Right now, all I can do is describe
the problem and hope someone can walk me through the solution as you
have done. (I learn well from examples, so I know much more now that
I've at least gone through it.)

-Alan

-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora Magazine]     [Fedora News]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [SSH]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux