Re: Trouble starting postgresql



On Tue, 2006-05-30 at 10:48, Paul Howarth wrote:
Alan M. Evans wrote:
On Tue, 2006-05-30 at 09:10, Paul Howarth wrote:
[ ... ]
If that's all you have, it shouldn't be difficult to fix.

Set yourself up for making local policy modules:

# yum install checkpolicy
# cd /root
# mkdir selinux.local
# cd selinux.local
# chcon -R -t usr_t .
# ln -s /usr/share/selinux/devel/Makefile .

Make a local policy module for this issue, in this directory:

1. Create a file postgresql.te with this content:

module postgresql 0.1;

require {
class dir search;
class lnk_file read;

type home_root_t;
type postgresql_t;
type var_lib_t;
};

# Allow postgresql to read /var/lib/pgsql -> /home/pgsql symlink
# if present
allow postgresql_t var_lib_t:lnk_file read;

# Allow postgresql to search directory /home
allow postgresql_t home_root_t:dir search;

2. Create a file postgresql.fc with this content:

/home/pgsql -d gen_context(system_u:object_r:var_lib_t,s0)
/home/pgsql/data(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0)
/home/pgsql/pgstartup.log -- gen_context(system_u:object_r:postgresql_log_t,s0)

(that's three long lines)

3. Create an empty postgresql.if file:

# touch postgresql.if

4. Build the policy module

# make

Install your new policy module:

# semodule -i postgresql.pp

Fix file contexts:

# restorecon -Rv /home/pgsql

Hopefully that should get you going in enforcing mode.

Well, that restorecon set all the contexts back to user_home_t. Ugh.

Ugh indeed. My fix is incomplete. Can you post the output of:
# semanage fcontext -l | grep pgsql

Sure:

# semanage fcontext -l | grep pgsql
/usr/lib/pgsql/test/regress/pg_regress regular file system_u:object_r:postgresql_exec_t:s0
/var/lib/pgsql/data(/.*)? all files system_u:object_r:postgresql_db_t:s0
/home/pgsql/pgstartup.log regular file system_u:object_r:postgresql_log_t:s0
/var/lib/pgsql/pgstartup.log all files system_u:object_r:postgresql_log_t:s0
/usr/share/jonas/pgsql(/.*)? all files system_u:object_r:postgresql_db_t:s0
/home/pgsql directory system_u:object_r:var_lib_t:s0
/home/pgsql/data(/.*)? all files system_u:object_r:postgresql_db_t:s0
/usr/lib/pgsql/test/regress/.*\.sh regular file system_u:object_r:bin_t:s0
/usr/lib/pgsql/test/regres(/.*)? all files system_u:object_r:postgresql_db_t:s0

I trust that /home/pgsql is not some user's home directory?

That is correct.

After recursively setting the data directory to postgresql_db_t and the
logfile to postgresql_log_t, service starts up without complaint. So
then:

postgresql started... check
database located under /home/pgsql... check
SELinux enforcing... yep
postgresql service not excluded... yes
read and write data to db... YES!

Excellent. I presume I should keep these SELinux policy source files in
a safe place in case this configuration is required again.

I'd keep them around for reference purposes but the policy module should
survive reboots and base policy updates.

Thank you so much for your assistance! I have one final question. Do you
have any recommendations for decent documentation on SELinux
administration? Online is alright, but book recommendations are
perfectly welcome.

Not really. I think it's too much of a moving target at the moment to
find anything that's up to date in print.

I hope to avoid having to go through this in the future. My goal is
really to understand the process. Right now, all I can do is describe
the problem and hope someone can walk me through the solution as you
have done. (I learn well from examples, so I know much more now that
I've at least gone through it.)

The way I learned about it was by reading the FC3 SELinux/Apache FAQ
(http://fedora.redhat.com/docs/selinux-apache-fc3/), which is a bit out
of date now, particularly regarding policy customization, hanging out on
fedora-selinux-list, and getting my own systems working to my own
satisfaction in enforcing mode.

The online documentation is getting better, and a good place to start is
probably: http://fedoraproject.org/wiki/SELinux

I'll have a look at those, and probably lurk the fedora-selinux-list for
a while. You've been very helpful.

-Alan

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
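The procedure in the thread ends with restorecon, which in this case relabelled the tree to user_home_t and left postgresql failing to start as the only symptom. As an added example (not from the thread or from Fedora's tooling), this POSIX shell script compares the labels actually on disk with the types the local postgresql.fc intends; the expected_type mapping, the check_labels function and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): restorecon reset /home/pgsql to
# user_home_t and the only symptom was postgresql failing to start. This
# compares the labels on disk with the types the local postgresql.fc intends.

# Type each path should carry. Assumption: mirrors the postgresql.fc in the
# thread; adjust the cases if the .fc changes.
expected_type() {
    case "$1" in
        /home/pgsql)                         echo var_lib_t ;;
        /home/pgsql/pgstartup.log)           echo postgresql_log_t ;;
        /home/pgsql/data|/home/pgsql/data/*) echo postgresql_db_t ;;
        *)                                   echo "" ;;   # not covered by the .fc
    esac
}

# Type component of a context such as system_u:object_r:var_lib_t:s0
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Reads "context path" lines on stdin (the output format of
# stat -c '%C %n') and prints "path actual-type expected-type" for every
# mismatch. Exit status 0 means all covered paths are labelled as intended.
check_labels() {
    bad=0
    while read -r ctx path; do
        if [ -z "$path" ]; then continue; fi
        want=$(expected_type "$path")
        if [ -z "$want" ]; then continue; fi      # path the .fc does not cover
        got=$(context_type "$ctx")
        if [ "$got" != "$want" ]; then
            echo "$path $got $want"
            bad=1
        fi
    done
    return "$bad"
}

# On the real host (needs SELinux and GNU stat):
#   find /home/pgsql -exec stat -c '%C %n' {} + | check_labels
#
# Constructed sample: part of the tree has been reset to user_home_t, the
# failure mode the thread ran into after restorecon.
SAMPLE='system_u:object_r:var_lib_t:s0 /home/pgsql
system_u:object_r:user_home_t:s0 /home/pgsql/data
system_u:object_r:user_home_t:s0 /home/pgsql/data/PG_VERSION
system_u:object_r:postgresql_log_t:s0 /home/pgsql/pgstartup.log'
printf '%s\n' "$SAMPLE" | check_labels || echo "label mismatches found; relabel and re-run"
```

Run it after every restorecon or semanage change; a nonzero exit is the cue to fix the file contexts before touching the service again.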