ps -o pid,command,context -C postgres
I only get the header.
PID COMMAND CONTEXT
The postgresql service uses the command "postmaster", a symbolic link to "postgres", to start the postgres processes on my system.
I had to use:
ps -o pid,command,context -C postmaster
and got:
PID COMMAND CONTEXT
1365 /usr/bin/postmaster -D /var system_u:system_r:postgresql_t:s0
1464 postgres: logger system_u:system_r:postgresql_t:s0
1485 postgres: checkpointer system_u:system_r:postgresql_t:s0
1486 postgres: background writer system_u:system_r:postgresql_t:s0
1487 postgres: walwriter system_u:system_r:postgresql_t:s0
1488 postgres: autovacuum launch system_u:system_r:postgresql_t:s0
1489 postgres: stats collector system_u:system_r:postgresql_t:s0
1490 postgres: logical replicati system_u:system_r:postgresql_t:s0
The command could change depending on how you start postgresql. I start it as a service and the service uses postmaster.
systemctl status postgresql.service
● postgresql.service - PostgreSQL database server
Loaded: loaded (/usr/lib/systemd/system/postgresql.service; enabled; preset: disabled)
Active: active (running) since Sun 2025-01-12 16:13:40 EST; 2 days ago
Main PID: 1365 (postmaster)
Tasks: 8 (limit: 202619)
Memory: 93.3M
CPU: 2min 4.734s
CGroup: /system.slice/postgresql.service
├─1365 /usr/bin/postmaster -D /var/lib/pgsql/data
├─1464 "postgres: logger "
├─1485 "postgres: checkpointer "
├─1486 "postgres: background writer "
├─1487 "postgres: walwriter "
├─1488 "postgres: autovacuum launcher "
├─1489 "postgres: stats collector "
└─1490 "postgres: logical replication launcher "
John
On 1/15/25 10:43, Sam Morris via selinux wrote:
On 13/01/2025 14:09, justina colmena ~biz via selinux wrote:
Why is PostgreSQL running in unconfined_service_t,
I don't think any replies to your message have addressed this. but...
time->Mon Jan 13 13:36:10 2025
type=AVC msg=audit(1736775370.067:3485): avc: denied { connectto } for
pid=1425 comm="php-fpm" path="/run/postgresql/.s.PGSQL.5432"
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket
permissive=1
I think this is telling you that the socket file context is "system_u:system_r:unconfined_service_t:s0". It doesn't necessarily mean that postgresql is running with that context, though 'ps -o pid,command,context -C postgres' should confirm.
On my system:
# semanage fcontext -l | grep /run/postgresql
/run/postgresql(/.*)? all files system_u:object_r:postgresql_var_run_t:s0
... so figuring out why your socket is labelled incorrectly would be the first thing I'd investigate.
If postgresql was really running as unconfined_service_t then I'd debug the type transition process explained at <https://wiki.gentoo.org/wiki/SELinux/Tutorials/How_does_a_process_get_into_a_certain_context>. Once postgresql is running in the expected context & the socket file has the right label, then I'd resume configuring the system so that processes running as httpd_t can connect to it.
-- 
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
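The triage Sam Morris describes (is the server really in unconfined_service_t, is the socket mislabelled, or is it just a missing httpd_t -> postgresql_t rule?) can be mechanised over the AVC record and the ps output quoted above. One caveat worth building in: for a `connectto` denial on `tclass=unix_stream_socket` the tcontext is the label of the peer socket, and a socket object is labelled with the domain of the process that created it, so that record points at the server's process domain rather than at the on-disk label of /run/postgresql/.s.PGSQL.5432; a mislabelled socket file shows up instead as a `write` denial on `tclass=sock_file`. The following is an added example, not code from the thread or from the SELinux tooling; the sample records are constructed from the lines quoted in the thread (the sock_file variant and its dev/ino values are made up), the expected types are what a stock Fedora/RHEL policy assigns to the postgres server and to /run/postgresql (an assumption), and the category names and next-step texts are this example's own.

```python
"""Triage a PostgreSQL-socket AVC denial along the lines of the thread.

Added example, not the thread's or the distribution's code. Sample records
are constructed from the thread; expected types are assumed stock policy.
"""
import re
from dataclasses import dataclass

EXPECTED_DOMAIN = "postgresql_t"                   # assumed server process domain
EXPECTED_SOCK_FILE_TYPE = "postgresql_var_run_t"   # assumed label for /run/postgresql(/.*)?

# Constructed from the ausearch output quoted in the thread (wrapped there).
AVC_FROM_THREAD = """type=AVC msg=audit(1736775370.067:3485): avc: denied { connectto } for
pid=1425 comm="php-fpm" path="/run/postgresql/.s.PGSQL.5432"
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket
permissive=1"""
# Constructed variants: a correctly confined server, and a mislabelled socket file.
AVC_CONFINED = AVC_FROM_THREAD.replace("unconfined_service_t", "postgresql_t")
AVC_SOCK_FILE = ('type=AVC msg=audit(1736775370.068:3486): avc: denied { write } for '
                 'pid=1425 comm="php-fpm" name=".s.PGSQL.5432" dev="tmpfs" ino=1234 '
                 'scontext=system_u:system_r:httpd_t:s0 '
                 'tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=1')
# Constructed from the ps -o pid,command,context output quoted in the thread.
PS_FROM_THREAD = """PID COMMAND CONTEXT
1365 /usr/bin/postmaster -D /var system_u:system_r:postgresql_t:s0
1464 postgres: logger system_u:system_r:postgresql_t:s0
1485 postgres: checkpointer system_u:system_r:postgresql_t:s0
1486 postgres: background writer system_u:system_r:postgresql_t:s0"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value or key="quoted value"

NEXT_STEP = {   # example's own wording of the thread's advice
    "server_wrong_domain": "server not in the expected domain: debug the type transition "
                           "(unit file, executable label, init script)",
    "socket_file_mislabelled": "socket file label wrong: restorecon the socket path and "
                               "check which process creates it",
    "policy_gap": "labels are as expected: allow the client domain to reach the server "
                  "(boolean or a local policy module)",
    "unrelated": "not a PostgreSQL socket denial",
}


@dataclass
class Avc:
    perms: list
    fields: dict

    def type_of(self, key):
        """Return the type component of a user:role:type:level context."""
        return self.fields[key].split(":")[2]


def parse_avc(record):
    """Parse one 'type=AVC ...' record, wrapped or not, into an Avc (None if not an AVC)."""
    flat = " ".join(record.split())
    m = AVC_RE.search(flat)
    if not m:
        return None
    perms = m.group("perms").split()
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return Avc(perms, fields)


def diagnose(avc, expected_domain=EXPECTED_DOMAIN,
             expected_sock_file=EXPECTED_SOCK_FILE_TYPE):
    """Classify the denial into one of the NEXT_STEP categories."""
    tclass = avc.fields.get("tclass")
    ttype = avc.type_of("tcontext")
    if tclass == "unix_stream_socket" and "connectto" in avc.perms:
        # The peer socket carries the domain of the process that created it,
        # so tcontext is the listening server's domain, not the file's label.
        return "server_wrong_domain" if ttype != expected_domain else "policy_gap"
    if tclass == "sock_file":
        # Here tcontext really is the on-disk label of the socket file.
        return "socket_file_mislabelled" if ttype != expected_sock_file else "policy_gap"
    return "unrelated"


def ps_domains(ps_output):
    """Map pid -> domain type from `ps -o pid,command,context` output."""
    domains = {}
    for line in ps_output.strip().splitlines()[1:]:   # skip the header line
        parts = line.split()
        if len(parts) < 2 or not parts[0].isdigit():
            continue
        domains[int(parts[0])] = parts[-1].split(":")[2]   # context is the last column
    return domains


if __name__ == "__main__":
    for rec in (AVC_FROM_THREAD, AVC_CONFINED, AVC_SOCK_FILE):
        avc = parse_avc(rec)
        verdict = diagnose(avc)
        print(f"{avc.type_of('scontext')} -> {avc.type_of('tcontext')} "
              f"{avc.fields['tclass']} {avc.perms}: {verdict}: {NEXT_STEP[verdict]}")
    print("server domains by pid:", ps_domains(PS_FROM_THREAD))
```

On a live system the same three checks are `ps -eZ | grep postgres` (or the `ps -o ... context` form used in the thread) for the server domain, `ls -Z /run/postgresql/.s.PGSQL.5432` against `matchpathcon /run/postgresql/.s.PGSQL.5432` for the file label (fix with `restorecon -v`), and, once both match, `sesearch -A -s httpd_t -t postgresql_t -c unix_stream_socket -p connectto` to see whether an existing rule or boolean already grants the connection before writing a local module.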