I want to put a Postgres database in a /home/Data/pgsql/data directory, but the initrc script will not run it there. I can run it as the postgres user. The contexts mirror the /var/lib/pgsql/data directory: user_u:object_r:postgres_db_t. The context of /home/Data/pgsql is system_u:object_r:var_lib_t.
It does run fine with initrc in /var/lib/pgsql. When I leave the pgstartup.log in /var/lib/pgsql, I see the errors below. It doesn't matter whether the database is already initialized or not. The contexts for the /home/Data/pgsql directory are listed below as well. /home/Data is system_u:object_r:user_home_dir_t.
I don't see anything in /var/log/audit/audit.log, but I think dontaudit rules may be in effect.
Does Fedora use the reference policy from Tresys exactly? If not, where can I find the source policy for Fedora? All I can find are the if files.
Finally, are there any better references for SELinux? Everything I've read seems dated.
Thanks,
Jim Young
pgstartup.log:
-------------------------
could not change directory to "/home/Data/pgsql"
initdb: could not access directory "/home/Data/pgsql/data": Permission denied
The files belonging to this database system will be owned by user "postgres".
This user must also own the server process.
The database cluster will be initialized with locale en_US.UTF-8.
The default database encoding has accordingly been set to UTF8.
postmaster cannot access the server configuration file "/home/Data/pgsql/data/postgresql.conf": Permission denied
could not change directory to "/home/Data/pgsql"
initdb: could not access directory "/home/Data/pgsql/data": Permission denied
The files belonging to this database system will be owned by user "postgres".
This user must also own the server process.
The database cluster will be initialized with locale en_US.UTF-8.
The default database encoding has accordingly been set to UTF8.
postmaster cannot access the server configuration file "/home/Data/pgsql/data/postgresql.conf": Permission denied
-----------
directory contexts:
-------------------------------
ls -Zd /home/Data/pgsql
drwx------ postgres postgres system_u:object_r:var_lib_t /home/Data/pgsql
ls -Z /home/Data/pgsql
drwx------ postgres postgres system_u:object_r:var_lib_t backups
drwx------ postgres postgres system_u:object_r:postgresql_db_t data
-rw------- postgres postgres system_u:object_r:postgresql_log_t pgstartup.log
ls -Z /home/Data/pgsql/data
drwx------ postgres postgres user_u:object_r:postgresql_db_t base
drwx------ postgres postgres user_u:object_r:postgresql_db_t global
drwx------ postgres postgres user_u:object_r:postgresql_db_t pg_clog
-rw------- postgres postgres user_u:object_r:postgresql_db_t pg_hba.conf
-rw------- postgres postgres user_u:object_r:postgresql_db_t pg_ident.conf
drwx------ postgres postgres user_u:object_r:postgresql_db_t pg_log
drwx------ postgres postgres user_u:object_r:postgresql_db_t pg_multixact
drwx------ postgres postgres user_u:object_r:postgresql_db_t pg_subtrans
drwx------ postgres postgres user_u:object_r:postgresql_db_t pg_tblspc
drwx------ postgres postgres user_u:object_r:postgresql_db_t pg_twophase
-rw------- postgres postgres user_u:object_r:postgresql_db_t PG_VERSION
drwx------ postgres postgres user_u:object_r:postgresql_db_t pg_xlog
-rw------- postgres postgres user_u:object_r:postgresql_db_t postgresql.conf
-rw------- postgres postgres user_u:object_r:postgresql_db_t postmaster.opts
-- fedora-selinux-list mailing list fedora-selinux-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-selinux-list
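Added example, not part of the original post and not Fedora's policy: a small model of the check SELinux applies when a confined daemon walks to a data directory, run over the path and types listed above. The allow rules, the labels for / and /home, the domain names postgresql_t and unconfined_t, and the helper names are assumptions made for illustration.

```python
"""Find the first directory on a path that a domain lacks `search` on."""
from pathlib import PurePosixPath

# `ls -Zd` lines in the post's format. The three types from /home/Data down are
# the post's; the / and /home lines and all modes above pgsql are constructed.
LS_ZD = """\
drwxr-xr-x root root system_u:object_r:root_t /
drwxr-xr-x root root system_u:object_r:home_root_t /home
drwxr-xr-x root root system_u:object_r:user_home_dir_t /home/Data
drwx------ postgres postgres system_u:object_r:var_lib_t /home/Data/pgsql
drwx------ postgres postgres system_u:object_r:postgresql_db_t /home/Data/pgsql/data
"""

# Constructed allow rules for illustration only, NOT Fedora's shipped policy:
# (source domain, target type) -> permissions granted on class "dir".
ALLOW_DIR = {
    ("postgresql_t", "root_t"): {"search"},
    ("postgresql_t", "home_root_t"): {"search"},
    ("postgresql_t", "var_lib_t"): {"search"},
    ("postgresql_t", "postgresql_db_t"): {"search", "read", "write"},
}
UNCONFINED = {"unconfined_t"}  # assumed domain of an interactive shell


def parse_ls_zd(text):
    """Map path -> SELinux type from `mode owner group user:role:type path` lines."""
    labels = {}
    for line in text.splitlines():
        _mode, _owner, _group, context, path = line.split(None, 4)
        labels[path] = context.split(":")[2]
    return labels


def first_blocked(domain, target, labels, allow=ALLOW_DIR):
    """Return (path, type) of the first step lacking `search`, else None.

    Traversal needs `search` on every ancestor and on the target itself."""
    if domain in UNCONFINED:
        return None
    path = PurePosixPath(target)
    for step in [*reversed(path.parents), path]:
        setype = labels[str(step)]
        if "search" not in allow.get((domain, setype), set()):
            return str(step), setype
    return None


if __name__ == "__main__":
    labels = parse_ls_zd(LS_ZD)
    for domain in ("unconfined_t", "postgresql_t"):
        print(domain, first_blocked(domain, "/home/Data/pgsql/data", labels))
```

Under these constructed rules the walk stops at an ancestor, so correct labels on pgsql and data alone do not decide the outcome; on a real system the rules would come from a policy query tool rather than a hand-written table.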