Re: avc denied from postgresql

On Sat, 3 Jul 2004 09:39, Richard Hally <rhally@xxxxxxxxxxxxxx> wrote:
> Russell Coker wrote:
> > Let's get back to basics and look at the concepts rather than AVC
> > messages.
> >
> > /etc/rc.d/init.d/postgresql uses su to change uid to start the daemon,
> > this is a problem as it's not compatible with the usual su operation.
>
> Huh? su (Substitute User) has been to "Change the effective userid and
> group id" since I first learned about it in 1978. And is being used for
> that purpose in the init.d/postgresql script.

Its purpose is to change the effective UID/GID for interactive sessions.

From su(1) on Fedora:
su - run a shell with substitute user and group IDs

From su(1) on Debian:
su  is  used  to  become  another user during a login session.

There's no mention I could find in the documentation of using su for starting 
daemons.

I think that there is no good reason for using su in this manner, and some 
good reasons for not doing so.  The postgresql start scripts will have to be 
changed.

> > /etc/rc.d/init.d/postgresql does lots of things other than just starting
> > a daemon, for example the code after:
> > echo -n $"Initializing database: "
>
> Maybe we need a restorecon where it creates the data directory (if not
> already present (a rare occurrence)).

It might be rare in terms of the number of times the daemon is started, but 
from my understanding of the script it's expected to be done the first time 
the daemon is started.  So it's inevitable that it happens at least once, and 
therefore we have to handle it.

> The real work part of initializing the data directory is done with "su
> -l postgres -c ..." just like the part that starts the server (i.e. su -l
> postgres -c ...)
>
> What is it about pam_selinux that is causing the problem?

The fact that there is no identity, role, and domain defined for Postgres.  We 
can configure the SE Linux policy to allow this, but it's the wrong approach.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
