On 01/09/2013 06:26 AM, Ramkumar Raghavan wrote:
> Hi,
>
> I am doing testing of implementing selinux in our application.
>
> I am using RHEL6.2 and the selinux enforced in targeted mode.
>
> All the application/postgresql data is in the NFS mount with all the
> contents labeled as nfs_t.
>
> I have given httpd Boolean access to nfs.
>
> When I start the postgres it starts as unconfined_t domain.
>
> ps -eZ | egrep 'httpd|java|postmaster'
>
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 5853 ? 00:00:01 postmaster
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 5854 ? 00:00:00 postmaster
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 5860 ? 00:00:00 postmaster
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 5861 ? 00:00:00 postmaster
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 5862 ? 00:00:00 postmaster
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 5863 ? 00:00:00 postmaster
> unconfined_u:system_r:httpd_t:s0 14794 ? 00:00:00 httpd
> unconfined_u:system_r:httpd_t:s0 14796 ? 00:00:00 httpd
> unconfined_u:system_r:httpd_t:s0 14797 ? 00:00:00 httpd
> unconfined_u:system_r:httpd_t:s0 14798 ? 00:00:18 httpd
> unconfined_u:system_r:httpd_t:s0 14799 ? 00:00:00 httpd
> unconfined_u:system_r:httpd_t:s0 14800 ? 00:00:00 httpd
> unconfined_u:system_r:httpd_t:s0 14801 ? 00:00:00 httpd
> unconfined_u:system_r:httpd_t:s0 14802 ? 00:00:00 httpd
> unconfined_u:system_r:httpd_t:s0 14803 ? 00:00:00 httpd
> unconfined_u:unconfined_r:unconfined_java_t:s0-s0:c0.c1023 14851 ? 00:00:06 java
> unconfined_u:unconfined_r:unconfined_java_t:s0-s0:c0.c1023 14978 ? 00:02:57 java
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 16426 ? 00:00:01 postmaster
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 16521 ? 00:00:00 postmaster
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 16522 ? 00:00:00 postmaster
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 16523 ? 00:00:00 postmaster
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 16524 ? 00:00:00 postmaster
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 16525 ? 00:00:00 postmaster
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 16526 ? 00:00:00 postmaster
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 16527 ? 00:00:00 postmaster
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 16528 ? 00:00:00 postmaster
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 16529 ? 00:00:00 postmaster
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 16530 ? 00:00:00 postmaster
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 16633 ? 00:00:00 postmaster
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 16634 ? 00:00:00 postmaster
> unconfined_u:system_r:httpd_t:s0 16702 ? 00:00:00 httpd
> unconfined_u:unconfined_r:unconfined_java_t:s0-s0:c0.c1023 17129 ? 00:00:06 java
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 17201 ? 00:00:00 postmaster
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 17205 ? 00:00:00 postmaster
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 17206 ? 00:00:00 postmaster
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 17207 ? 00:00:00 postmaster
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 17208 ? 00:00:00 postmaster
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 17209 ? 00:00:00 postmaster
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 17216 ? 00:00:00 postmaster
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 17217 ? 00:00:00 postmaster
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 17218 ? 00:00:00 postmaster
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 17219 ? 00:00:00 postmaster
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 17220 ? 00:00:00 postmaster
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 17221 ? 00:00:00 postmaster
> unconfined_u:unconfined_r:unconfined_java_t:s0-s0:c0.c1023 17260 pts/1 00:00:05 java
> unconfined_u:system_r:httpd_t:s0 20918 ? 00:00:00 httpd
> unconfined_u:system_r:httpd_t:s0 20921 ? 00:00:00 httpd
> unconfined_u:system_r:httpd_t:s0 20922 ? 00:00:00 httpd
> unconfined_u:unconfined_r:unconfined_java_t:s0-s0:c0.c1023 22851 ? 00:00:13 java
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 22910 ? 00:00:00 postmaster
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 22911 ? 00:00:00 postmaster
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 22912 ? 00:00:00 postmaster
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 22913 ? 00:00:00 postmaster
>
> Please advise if this is fine or should I change it.
>
> --
> Ramkumar Raghavan
>
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux

We don't transition from unconfined_t to postgresql_master_t.

These two blogs should help explain:

http://danwalsh.livejournal.com/30084.html
http://danwalsh.livejournal.com/23944.html
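
Added example, not part of the original thread: a shell helper that groups `ps -eZ` output by command and SELinux type and marks every process whose type starts with "unconfined", which is the condition the listing in the question shows for postmaster and java. The function names are assumptions made here; the sample process lines are copied from the listing above and the header row is constructed.

```shell
#!/bin/sh
# Added example: group `ps -eZ` output by command and SELinux type.
# Input on stdin, one process per line: LABEL PID TTY TIME CMD

# Sample process lines copied from the thread; header row is constructed.
sample_ps() {
cat <<'EOF'
LABEL                             PID TTY          TIME CMD
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 5853 ? 00:00:01 postmaster
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 5854 ? 00:00:00 postmaster
unconfined_u:system_r:httpd_t:s0 14794 ? 00:00:00 httpd
unconfined_u:system_r:httpd_t:s0 14796 ? 00:00:00 httpd
unconfined_u:system_r:httpd_t:s0 14797 ? 00:00:00 httpd
unconfined_u:unconfined_r:unconfined_java_t:s0-s0:c0.c1023 17260 pts/1 00:00:05 java
EOF
}

# Output: "<command> <type> <process count> <UNCONFINED|confined>", sorted.
domain_summary() {
    awk '
    $1 == "LABEL" { next }          # skip the ps header row
    NF >= 5 {
        # A context is user:role:type[:level]. The MLS level can contain
        # a colon itself (s0-s0:c0.c1023), so the type is always field 3,
        # never "second from last".
        n = split($1, ctx, ":")
        if (n < 3) next             # not a full context, ignore the line
        count[$NF " " ctx[3]]++
    }
    END {
        for (k in count) {
            split(k, p, " ")
            flag = (p[2] ~ /^unconfined/) ? "UNCONFINED" : "confined"
            printf "%s %s %d %s\n", p[1], p[2], count[k], flag
        }
    }' | sort
}

# Hypothetical helper: only the commands running in an unconfined type.
unconfined_commands() {
    domain_summary | awk '$4 == "UNCONFINED" { print $1 }'
}

sample_ps | domain_summary
```

On a live system the same summary comes from `ps -eZ | domain_summary`.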