Alan M. Evans wrote:
> On Tue, 2006-05-30 at 09:10, Paul Howarth wrote:
>> [ ... ]
>>>> If that's all you have, it shouldn't be difficult to fix.
>>>>
>>>> Set yourself up for making local policy modules:
>>>>
>>>> # yum install checkpolicy
>>>> # cd /root
>>>> # mkdir selinux.local
>>>> # cd selinux.local
>>>> # chcon -R -t usr_t .
>>>> # ln -s /usr/share/selinux/devel/Makefile .
>>>>
>>>> Make a local policy module for this issue, in this directory:
>>>>
>>>> 1. Create a file postgresql.te with this content:
>>>>
>>>> module postgresql 0.1;
>>>>
>>>> require {
>>>>     class dir search;
>>>>     class lnk_file read;
>>>>     type home_root_t;
>>>>     type postgresql_t;
>>>>     type var_lib_t;
>>>> };
>>>>
>>>> # Allow postgresql to read /var/lib/pgsql -> /home/pgsql symlink
>>>> # if present
>>>> allow postgresql_t var_lib_t:lnk_file read;
>>>>
>>>> # Allow postgresql to search directory /home
>>>> allow postgresql_t home_root_t:dir search;
>>>>
>>>> 2. Create a file postgresql.fc with this content:
>>>>
>>>> /home/pgsql -d gen_context(system_u:object_r:var_lib_t,s0)
>>>> /home/pgsql/data(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0)
>>>> /home/pgsql/pgstartup.log -- gen_context(system_u:object_r:postgresql_log_t,s0)
>>>>
>>>> (that's three long lines)
>>>>
>>>> 3. Create an empty postgresql.if file:
>>>>
>>>> # touch postgresql.if
>>>>
>>>> 4. Build the policy module
>>>>
>>>> # make
>>>>
>>>> Install your new policy module:
>>>>
>>>> # semodule -i postgresql.pp
>>>>
>>>> Fix file contexts:
>>>>
>>>> # restorecon -Rv /home/pgsql
>>>>
>>>> Hopefully that should get you going in enforcing mode.
>>>
>>> Well, that restorecon set all the contexts back to user_home_t. Ugh.
>>
>> Ugh indeed. My fix is incomplete. Can you post the output of:
>>
>> # semanage fcontext -l | grep pgsql
>>
>> I trust that /home/pgsql is not some user's home directory?
>
> After recursively setting the data directory to postgresql_db_t and the
> logfile to postgresql_log_t, service starts up without complaint. So
> then:
>
> postgresql started... check
> database located under /home/pgsql... check
> SELinux enforcing... yep
> postgresql service not excluded... yes
> read and write data to db... YES!
>
> Excellent. I presume I should keep these SELinux policy source files in
> a safe place in case this configuration is required again.

I'd keep them around for reference purposes but the policy module should
survive reboots and base policy updates.

> Thank you so much for your assistance! I have one final question. Do you
> have any recommendations for decent documentation on SELinux
> administration? Online is alright, but book recommendations are
> perfectly welcome.

Not really. I think it's too much of a moving target at the moment to
find anything that's up to date in print.

> I hope to avoid having to go through this in the future. My goal is
> really to understand the process. Right now, all I can do is describe
> the problem and hope someone can walk me through the solution as you
> have done. (I learn well from examples, so I know much more now that
> I've at least gone through it.)

The way I learned about it was by reading the FC3 SELinux/Apache FAQ
(http://fedora.redhat.com/docs/selinux-apache-fc3/), which is a bit out
of date now, particularly regarding policy customization, hanging out on
fedora-selinux-list, and getting my own systems working to my own
satisfaction in enforcing mode.

The online documentation is getting better, and a good place to start is
probably: http://fedoraproject.org/wiki/SELinux
Paul.
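As an added example (not code from anyone in this thread), here is the local-module procedure Paul walks through above collected into one script: it generates the postgresql.te and postgresql.fc sources, builds and installs the module, relabels the data directory, and then verifies that restorecon actually produced the expected postgresql_db_t label instead of reverting to user_home_t, which is the failure Alan hit. The module name, types and /home/pgsql paths are the thread's; the WORKDIR default, the DATA_DIR variable and the use of "stat -c %C" to read a label are assumptions. Nothing is touched unless the script is run with --apply; without it, the generated sources are just printed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the SELinux devel Makefile and
# checkpolicy are installed, as in Paul's setup steps.
set -eu

MODULE=postgresql
DATA_DIR=${DATA_DIR:-/home/pgsql}            # assumption: where the DB lives
WORKDIR=${WORKDIR:-/root/selinux.local}      # assumption: module build dir

# Emit the type-enforcement (.te) source on stdout.
gen_te() {
    cat <<EOF
module $MODULE 0.1;

require {
    class dir search;
    class lnk_file read;
    type home_root_t;
    type postgresql_t;
    type var_lib_t;
};

# Allow postgresql to follow the /var/lib/pgsql -> $DATA_DIR symlink, if present
allow postgresql_t var_lib_t:lnk_file read;
# Allow postgresql to search the parent of $DATA_DIR (/home)
allow postgresql_t home_root_t:dir search;
EOF
}

# Emit the file-context (.fc) source on stdout, one spec per line.
gen_fc() {
    cat <<EOF
$DATA_DIR -d gen_context(system_u:object_r:var_lib_t,s0)
$DATA_DIR/data(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0)
$DATA_DIR/pgstartup.log -- gen_context(system_u:object_r:postgresql_log_t,s0)
EOF
}

# Print the type field of a full security context (user:role:type:level).
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Return 0 if the label on PATH has the expected type. Uses stat -c %C
# (GNU coreutils) rather than parsing ls -Z, whose column layout varies.
label_matches() {
    _path=$1; _expected=$2
    _actual=$(stat -c %C "$_path")
    [ "$(context_type "$_actual")" = "$_expected" ]
}

# The build/install/relabel steps from the thread, then a post-check so a
# silent relabel back to user_home_t is reported instead of discovered later.
build_and_install() {
    mkdir -p "$WORKDIR"
    cd "$WORKDIR"
    chcon -R -t usr_t .
    ln -sf /usr/share/selinux/devel/Makefile .
    gen_te > "$MODULE.te"
    gen_fc > "$MODULE.fc"
    : > "$MODULE.if"
    make
    semodule -i "$MODULE.pp"
    restorecon -Rv "$DATA_DIR"
    if ! label_matches "$DATA_DIR/data" postgresql_db_t; then
        echo "$DATA_DIR/data was not relabelled to postgresql_db_t;" \
             "compare: semanage fcontext -l | grep pgsql" >&2
        return 1
    fi
}

# Only modify the system when explicitly asked; otherwise show the sources.
case ${1:-} in
    --apply) build_and_install ;;
    *) gen_te; echo; gen_fc ;;
esac
```

Run it once without arguments to review the generated .te and .fc text, then with --apply as root. If the final check fails, the semanage fcontext listing Paul asked for is the first thing to compare against the .fc specs, since a base-policy entry matching the same path is what would explain the user_home_t result.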