Re: Trouble starting postgresql

Alan M. Evans wrote:
On Tue, 2006-05-30 at 10:48, Paul Howarth wrote:
Alan M. Evans wrote:
On Tue, 2006-05-30 at 09:10, Paul Howarth wrote:
[ ... ]
If that's all you have, it shouldn't be difficult to fix.

Set yourself up for making local policy modules:

# yum install checkpolicy
# cd /root
# mkdir selinux.local
# cd selinux.local
# chcon -R -t usr_t .
# ln -s /usr/share/selinux/devel/Makefile .

Make a local policy module for this issue, in this directory:

1. Create a file postgresql.te with this content:

module postgresql 0.1;

require {
         class dir search;
         class lnk_file read;

         type home_root_t;
         type postgresql_t;
         type var_lib_t;
};

# Allow postgresql to read /var/lib/pgsql -> /home/pgsql symlink
# if present
allow postgresql_t var_lib_t:lnk_file read;

# Allow postgresql to search directory /home
allow postgresql_t home_root_t:dir search;

2. Create a file postgresql.fc with this content:

/home/pgsql -d gen_context(system_u:object_r:var_lib_t,s0)
/home/pgsql/data(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0)
/home/pgsql/pgstartup.log -- gen_context(system_u:object_r:postgresql_log_t,s0)

(that's three long lines)

3. Create an empty postgresql.if file:

# touch postgresql.if

4. Build the policy module

# make

Install your new policy module:

# semodule -i postgresql.pp

Fix file contexts:

# restorecon -Rv /home/pgsql

Hopefully that should get you going in enforcing mode.
Well, that restorecon set all the contexts back to user_home_t. Ugh.
Ugh indeed. My fix is incomplete. Can you post the output of:
# semanage fcontext -l | grep pgsql

Sure:

# semanage fcontext -l | grep pgsql
/usr/lib/pgsql/test/regress/pg_regress    regular file    system_u:object_r:postgresql_exec_t:s0
/var/lib/pgsql/data(/.*)?                 all files       system_u:object_r:postgresql_db_t:s0
/home/pgsql/pgstartup.log                 regular file    system_u:object_r:postgresql_log_t:s0
/var/lib/pgsql/pgstartup.log              all files       system_u:object_r:postgresql_log_t:s0
/usr/share/jonas/pgsql(/.*)?              all files       system_u:object_r:postgresql_db_t:s0
/home/pgsql                               directory       system_u:object_r:var_lib_t:s0
/home/pgsql/data(/.*)?                    all files       system_u:object_r:postgresql_db_t:s0
/usr/lib/pgsql/test/regress/.*\.sh        regular file    system_u:object_r:bin_t:s0
/usr/lib/pgsql/test/regres(/.*)?          all files       system_u:object_r:postgresql_db_t:s0

I trust that /home/pgsql is not some user's home directory?

That is correct.

It appears that there is no easy fix for this problem, other than moving the data somewhere other than under /home:

http://www.redhat.com/archives/fedora-selinux-list/2006-May/msg00253.html

Paul.
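Added example, not part of the thread: a small Python model of file_contexts matching that shows how the module's three .fc entries can still lose to the generated home-directory rules, which is consistent with restorecon relabelling /home/pgsql/data to user_home_t. It assumes the precedence used by setfiles/matchpathcon of that era (the last matching entry in the concatenated spec files wins, with the home-directory entries appended after the module's) and uses a constructed one-line stand-in for those home-directory rules.

```python
import re
from typing import List, NamedTuple, Optional

class FcEntry(NamedTuple):
    regex: str            # anchored path regex, as in file_contexts
    ftype: Optional[str]  # "-d", "--", "-l", ... or None meaning "all files"
    context: str          # security context string

# Map file_contexts type flags to the one-letter kind used by matches()
FTYPE_KIND = {"--": "f", "-d": "d", "-l": "l", "-c": "c", "-b": "b", "-s": "s", "-p": "p"}

def parse_fc(text: str) -> List[FcEntry]:
    """Parse lines of the form REGEX [FTYPE] CONTEXT; gen_context(ctx,mls) is unwrapped."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        ctx = parts[-1]
        m = re.fullmatch(r"gen_context\(([^,]+),(\w+)\)", ctx)
        if m:
            ctx = f"{m.group(1)}:{m.group(2)}"
        ftype = parts[1] if len(parts) == 3 else None
        entries.append(FcEntry(parts[0], ftype, ctx))
    return entries

def matches(entries: List[FcEntry], path: str, kind: str) -> List[FcEntry]:
    """All entries whose regex matches the whole path and whose type flag fits `kind`."""
    return [e for e in entries
            if (e.ftype is None or FTYPE_KIND.get(e.ftype) == kind)
            and re.fullmatch(e.regex, path)]

def resolve(entries: List[FcEntry], path: str, kind: str) -> Optional[str]:
    """Assumed precedence (setfiles/matchpathcon of the thread's era): last match wins."""
    hits = matches(entries, path, kind)
    return hits[-1].context if hits else None

# The three .fc lines from the thread, as parse_fc() reads them
MODULE_FC = parse_fc("""
/home/pgsql -d gen_context(system_u:object_r:var_lib_t,s0)
/home/pgsql/data(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0)
/home/pgsql/pgstartup.log -- gen_context(system_u:object_r:postgresql_log_t,s0)
""")

# Constructed stand-in for the generated home-directory rules that are appended
# after the module's entries; the real pattern set is larger than this one line.
HOMEDIR_FC = parse_fc("/home/[^/]*/.+ system_u:object_r:user_home_t:s0")
```

Compare resolve(MODULE_FC, path, kind) with resolve(MODULE_FC + HOMEDIR_FC, path, kind) for a path under /home/pgsql/data to see the later entry override the module's; on a real system the equivalent check before running restorecon is matchpathcon or restorecon -nv.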

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list