Let's get back to basics and look at the concepts rather than AVC messages.

/etc/rc.d/init.d/postgresql uses su to change uid to start the daemon; this is a problem as it's not compatible with the usual su operation. Changing su is not the right solution as we don't even need 1% of the functionality of su; all we need is a way to call setregid() and setreuid() before executing the script. I'm not sure if we already have a program we can use for this purpose (sudo is not suitable). For a test I spent 30 minutes writing a program that provides all of the su functionality we need for such things; we'll have to include that program if we don't have something better (we should have something better).

/etc/rc.d/init.d/postgresql does lots of things other than just starting a daemon, for example the code after:

    echo -n $"Initializing database: "

I tried labelling /etc/rc.d/init.d/postgresql as postgresql_exec_t; however, the postgresql_t domain does not have access to write to the administrator console (and such access is not desired), it does not have access to rhgb_t, and there are some other things it needs access to.

I think that perhaps the correct thing to do is to re-write /etc/rc.d/init.d/postgresql to call a separate script with type postgresql_exec_t to do the "Initializing database" thing. I'll look into that tomorrow.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
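
An added example, not part of the original message and not the program the author mentions writing: a minimal C helper of the kind the message asks for, which calls setregid() and setreuid() and then executes the target. The name runas, the numeric UID/GID arguments and the helpers parse_id and drop_to are assumptions made for illustration.

```c
/* runas.c (hypothetical name): runas UID GID /full/path/to/program [ARGS...] */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE            /* for setgroups() on glibc */
#endif
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Strict decimal parse: rejects empty strings, signs, spaces, trailing
 * text and overflow. 0xffffffff is refused because (uid_t)-1 means
 * "leave unchanged" to setreuid()/setregid(). */
static int parse_id(const char *s, unsigned long *out)
{
    char *end;
    if (s[0] < '0' || s[0] > '9')
        return -1;
    errno = 0;
    *out = strtoul(s, &end, 10);
    return (errno != 0 || *end != '\0' || *out > 0xfffffffeUL) ? -1 : 0;
}

/* Drop to uid/gid permanently. Groups and gid go first: once the uid
 * has changed, the process no longer has the privilege to change them. */
static int drop_to(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(1, &gid) != 0)  /* shed root's supplementary groups */
        return -1;
    if (setregid(gid, gid) != 0 || setreuid(uid, uid) != 0)
        return -1;
    if (uid != 0 && setuid(0) == 0)                 /* the drop must not be reversible */
        return -1;
    return (getuid() == uid && geteuid() == uid &&
            getgid() == gid && getegid() == gid) ? 0 : -1;
}

int main(int argc, char **argv)
{
    unsigned long uid, gid;
    if (argc < 4 || parse_id(argv[1], &uid) != 0 || parse_id(argv[2], &gid) != 0) {
        fprintf(stderr, "usage: %s UID GID PROGRAM [ARGS...]\n", argv[0]);
        return 2;
    }
    if (drop_to((uid_t)uid, (gid_t)gid) != 0) {
        perror("drop_to");
        return 1;
    }
    execv(argv[3], &argv[3]);      /* no PATH search: caller passes a full path */
    perror("execv");
    return 127;
}
```

Every return value is checked, so a failed drop exits before the exec rather than running the target with the caller's privileges.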