Richard Hally wrote:
Daniel J Walsh wrote:
I added the /usr/bin/postgres postgresql_exec_t file context (and relabeled) and it still would not start when booting. Below are the allow rules(generated by audit2allow) that were necessary to get the server to start. I did not comment out any pam_selinux.so line in /etc/pam.d/su. That doesn't seem like the right thing to do.Richard Hally wrote:
Yuichi Nakamura wrote:
On Wed, 16 Jun 2004 00:31:58 -0400 Richard Hally <rhallyx@xxxxxxxxxxxxxx> wrote:
With the above change to the postgresql.fc I get the following avc denied messages when booting:
You must add /usr/bin/postgres -- system_u:object_r:postgresql_exec_t
to postgresql.fc
and , comment out session optional /lib/security/$ISA/pam_selinux.so multiple
from /etc/pam.d/su.
Thanks for the reply, it looks to me that the problem is more like the policy and file_contexts were written for the way Debian(or some other distro) installs PostgresSQL and Fedora installs things differently. The most notable is that in the .fc it has the only postgresql_exec_t with a regex for /usr/lib(64)?/postgresql/bin/.* and on Fedora the executables are in /usr/bin.
The question I have is: how do we handle these case where different distros put the same files in different places? Do we continue to add to the policy for each different distro?
Yes we put the stuff in both places.
Thanks,
Richard Hally
allow initrc_su_t postgresql_db_t:dir { search }; allow user_t postgresql_db_t:dir { add_name getattr read remove_name search write }; allow user_t postgresql_db_t:file { create getattr read rename unlink write };
You need to setup a server user that can transition to postgresql. A transition never happened.
Dan
-- fedora-selinux-list mailing list fedora-selinux-list@xxxxxxxxxx http://www.redhat.com/mailman/listinfo/fedora-selinux-list
