On Tue, 2006-05-30 at 09:10, Paul Howarth wrote:
[ ... ]
> If that's all you have, it shouldn't be difficult to fix.
>
> Set yourself up for making local policy modules:
>
> # yum install checkpolicy
> # cd /root
> # mkdir selinux.local
> # cd selinux.local
> # chcon -R -t usr_t .
> # ln -s /usr/share/selinux/devel/Makefile .
>
> Make a local policy module for this issue, in this directory:
>
> 1. Create a file postgresql.te with this content:
>
> module postgresql 0.1;
>
> require {
>     class dir search;
>     class lnk_file read;
>
>     type home_root_t;
>     type postgresql_t;
>     type var_lib_t;
> };
>
> # Allow postgresql to read /var/lib/pgsql -> /home/pgsql symlink
> # if present
> allow postgresql_t var_lib_t:lnk_file read;
>
> # Allow postgresql to search directory /home
> allow postgresql_t home_root_t:dir search;
>
> 2. Create a file postgresql.fc with this content:
>
> /home/pgsql -d gen_context(system_u:object_r:var_lib_t,s0)
> /home/pgsql/data(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0)
> /home/pgsql/pgstartup.log -- gen_context(system_u:object_r:postgresql_log_t,s0)
>
> (that's three long lines)
>
> 3. Create an empty postgresql.if file:
>
> # touch postgresql.if
>
> 4. Build the policy module
>
> # make
>
> Install your new policy module:
>
> # semodule -i postgresql.pp
>
> Fix file contexts:
>
> # restorecon -Rv /home/pgsql
>
> Hopefully that should get you going in enforcing mode.

Well, that restorecon set all the contexts back to user_home_t. Ugh.

After recursively setting the data directory to postgresql_db_t and the logfile to postgresql_log_t, service starts up without complaint.

So then:

postgresql started... check
database located under /home/pgsql... check
SELinux enforcing... yep
postgresql service not excluded... yes
read and write data to db... YES!

Excellent. I presume I should keep these SELinux policy source files in a safe place in case this configuration is required again.

Thank you so much for your assistance!
I have one final question. Do you have any recommendations for decent documentation on SELinux administration? Online is alright, but book recommendations are perfectly welcome. I hope to avoid having to go through this in the future. My goal is really to understand the process. Right now, all I can do is describe the problem and hope someone can walk me through the solution as you have done. (I learn well from examples, so I know much more now that I've at least gone through it.)

-Alan
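As an added example, not code from either message in this thread, here is a shell script that carries out the local-module procedure quoted above and adds the check the reply turned out to need: the three .fc specs are written as single lines (mail clients wrap them, and a wrapped spec silently labels nothing), and after restorecon each path's type is compared with what the .fc file promised, so a relabel back to user_home_t is reported instead of discovered at service start. The directory /root/selinux.local, the tool names and the policy text come from the thread; the helper names, the `fc_file_ok` sanity check and the use of GNU stat's `%C` field are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): scripts the quoted local-module
# procedure and verifies the resulting labels. Requires checkpolicy,
# selinux-policy-devel, policycoreutils and GNU coreutils (stat -c %C).
set -eu

# Write the three policy source files into DIR (contents as quoted in
# the thread; indentation and comments only).
write_policy_sources() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/postgresql.te" <<'EOF'
module postgresql 0.1;

require {
    class dir search;
    class lnk_file read;

    type home_root_t;
    type postgresql_t;
    type var_lib_t;
};

# Allow postgresql to read /var/lib/pgsql -> /home/pgsql symlink if present
allow postgresql_t var_lib_t:lnk_file read;

# Allow postgresql to search directory /home
allow postgresql_t home_root_t:dir search;
EOF
    # One spec per line: path, optional file type (-d, --), context.
    cat > "$dir/postgresql.fc" <<'EOF'
/home/pgsql -d gen_context(system_u:object_r:var_lib_t,s0)
/home/pgsql/data(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0)
/home/pgsql/pgstartup.log -- gen_context(system_u:object_r:postgresql_log_t,s0)
EOF
    : > "$dir/postgresql.if"
}

# Sanity-check an .fc file: every non-blank line must end in a context
# spec; a line broken by a mail client fails this (assumed helper).
fc_file_ok() {
    awk 'NF == 0 { next }
         $NF !~ /^(gen_context\(|system_u:)/ { bad = 1 }
         END { exit bad ? 1 : 0 }' "$1"
}

# Steps 4 onward of the quoted procedure: build, install, relabel.
build_and_install() {
    dir="$1"
    fc_file_ok "$dir/postgresql.fc"
    chcon -R -t usr_t "$dir"
    ln -sf /usr/share/selinux/devel/Makefile "$dir/Makefile"
    ( cd "$dir" && make )
    semodule -i "$dir/postgresql.pp"
    restorecon -Rv /home/pgsql
}

# Return 0 if PATH currently carries SELinux type TYPE.
has_type() {
    path="$1"; want="$2"
    ctx=$(stat -c %C "$path") || return 1
    case "$ctx" in
        *:"$want"|*:"$want":*) return 0 ;;
        *) return 1 ;;
    esac
}

# Compare observed labels with the types the .fc file promised; this is
# the check that would have caught the user_home_t relabel in the thread.
verify_labels() {
    rc=0
    for spec in /home/pgsql:var_lib_t \
                /home/pgsql/data:postgresql_db_t \
                /home/pgsql/pgstartup.log:postgresql_log_t; do
        p=${spec%%:*}; t=${spec#*:}
        if has_type "$p" "$t"; then
            echo "ok   $p is $t"
        else
            echo "FAIL $p is not $t (got: $(stat -c %C "$p" 2>/dev/null || echo unknown))"
            rc=1
        fi
    done
    return $rc
}

# Run end to end only when explicitly asked: ./selinux-local.sh apply
if [ "${1:-}" = "apply" ]; then
    write_policy_sources /root/selinux.local
    build_and_install /root/selinux.local
    verify_labels
fi
```

Run it as root with `apply`; if `verify_labels` reports a FAIL after restorecon, the .fc file is not winning over whatever already labels /home, and that is the point to look at before touching the labels by hand.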