On 07/23/2010 01:50 PM, Marcelo Roccasalva wrote:
> Anyway, what are the best practices to allow postgresql "copy to" a
> subdirectory of a home directory (without disabling selinux)? I'm
> running centos 5.5.
The first thing you'll want to do is enable auditing. One of the items
in Fedora's SELinux FAQ
(http://docs.fedoraproject.org/en-US/Fedora/13/html/SELinux_FAQ/)
indicates that you'd do so with:
# semodule -b /usr/share/selinux/targeted/enableaudit.pp
Once auditing is enabled, make sure SELinux is in permissive mode.
Start watching the audit log for your denial messages:
# tail -f /var/log/audit/audit.log
Ask the SQL server to "copy to" a denied location again. When it
completes, use Ctrl+C to cancel the log "tail" and then re-enable the
standard "dontaudit" rules:
# semodule -b /usr/share/selinux/targeted/base.pp
Now that you have the audit logs that correspond to the denial which
you'd like to reverse, you can create a new module to allow that
access. Use "audit2allow" to create the module. You can name the
module whatever you like. Paste the lines from audit.log which
correspond to the access you'd like to allow. When finished, use Ctrl+D
to indicate the end of input:
# audit2allow -M allowPostToHome
> paste logs
> Ctrl+D
audit2allow will create a module source file called allowPostToHome.te
and then compile it to a file called allowPostToHome.pp. It will
indicate that you need to load the module file with semodule, which
you'll need to do:
# semodule -i allowPostToHome.pp
After that, PostgreSQL should be able to perform the action which was
previously denied, but still retains other aspects of its SELinux
configuration. Once the module is loaded, the policy has been changed.
semodule will also copy the module file to a location where it will be
loaded on future system boots so that it remains active.
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
