Re: Trouble starting postgresql

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, 2006-05-30 at 09:10, Paul Howarth wrote:
[ ... ]
> If that's all you have, it shouldn't be difficult to fix.
> 
> Set yourself up for making local policy modules:
> 
> # yum install checkpolicy
> # cd /root
> # mkdir selinux.local
> # cd selinux.local
> # chcon -R -t usr_t .
> # ln -s /usr/share/selinux/devel/Makefile .
> 
> Make a local policy module for this issue, in this directory:
> 
> 1. Create a file postgresql.te with this content:
> 
> module postgresql 0.1;
> 
> require {
>          class dir search;
>          class lnk_file read;
> 
>          type home_root_t;
>          type postgresql_t;
>          type var_lib_t;
> };
> 
> # Allow postgresql to read /var/lib/pgsql -> /home/pgsql symlink
> # if present
> allow postgresql_t var_lib_t:lnk_file read;
> 
> # Allow postgresql to search directory /home
> allow postgresql_t home_root_t:dir search;
> 
> 2. Create a file postgresql.fc with this content:
> 
> /home/pgsql                     -d 
> gen_context(system_u:object_r:var_lib_t,s0)
> /home/pgsql/data(/.*)? 
> gen_context(system_u:object_r:postgresql_db_t,s0)
> /home/pgsql/pgstartup.log       -- 
> gen_context(system_u:object_r:postgresql_log_t,s0)
> 
> (that's three long lines)
> 
> 3. Create an empty postgresql.if file:
> 
> # touch postgresql.if
> 
> 4. Build the policy module
> 
> # make
> 
> Install your new policy module:
> 
> # semodule -i postgresql.pp
> 
> Fix file contexts:
> 
> # restorecon -Rv /home/pgsql
> 
> Hopefully that should get you going in enforcing mode.

Well, that restorecon set all the contexts back to user_home_t. Ugh.

After recursively setting the data directory to postgresql_db_t and the
logfile to postgresql_log_t, service starts up without complaint. So
then:

  postgresql started... check
  database located under /home/pgsql... check
  SELinux enforcing... yep
  postgresql service not excluded... yes
  read and write data to db... YES!

Excellent. I presume I should keep these SELinux policy source files in
a safe place in case this configuration is required again.

Thank you so much for your assistance! I have one final question. Do you
have any recommendations for decent documentation on SELinux
administration? Online is alright, but book recommendations are
perfectly welcome.

I hope to avoid having to go through this in the future. My goal is
really to understand the process. Right now, all I can do is describe
the problem and hope someone can walk me through the solution as you
have done. (I learn well from examples, so I know much more now that
I've at least gone through it.)

-Alan


[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux