On Tue, 2006-05-30 at 10:48, Paul Howarth wrote:
> Alan M. Evans wrote:
> > On Tue, 2006-05-30 at 09:10, Paul Howarth wrote:
> > [ ... ]
> >> If that's all you have, it shouldn't be difficult to fix.
> >>
> >> Set yourself up for making local policy modules:
> >>
> >> # yum install checkpolicy
> >> # cd /root
> >> # mkdir selinux.local
> >> # cd selinux.local
> >> # chcon -R -t usr_t .
> >> # ln -s /usr/share/selinux/devel/Makefile .
> >>
> >> Make a local policy module for this issue, in this directory:
> >>
> >> 1. Create a file postgresql.te with this content:
> >>
> >> module postgresql 0.1;
> >>
> >> require {
> >>     class dir search;
> >>     class lnk_file read;
> >>
> >>     type home_root_t;
> >>     type postgresql_t;
> >>     type var_lib_t;
> >> };
> >>
> >> # Allow postgresql to read /var/lib/pgsql -> /home/pgsql symlink
> >> # if present
> >> allow postgresql_t var_lib_t:lnk_file read;
> >>
> >> # Allow postgresql to search directory /home
> >> allow postgresql_t home_root_t:dir search;
> >>
> >> 2. Create a file postgresql.fc with this content:
> >>
> >> /home/pgsql -d gen_context(system_u:object_r:var_lib_t,s0)
> >> /home/pgsql/data(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0)
> >> /home/pgsql/pgstartup.log -- gen_context(system_u:object_r:postgresql_log_t,s0)
> >>
> >> (that's three long lines)
> >>
> >> 3. Create an empty postgresql.if file:
> >>
> >> # touch postgresql.if
> >>
> >> 4. Build the policy module
> >>
> >> # make
> >>
> >> Install your new policy module:
> >>
> >> # semodule -i postgresql.pp
> >>
> >> Fix file contexts:
> >>
> >> # restorecon -Rv /home/pgsql
> >>
> >> Hopefully that should get you going in enforcing mode.
> >
> > Well, that restorecon set all the contexts back to user_home_t. Ugh.
>
> Ugh indeed. My fix is incomplete.
>
> Can you post the output of:
>
> # semanage fcontext -l | grep pgsql

Sure:

# semanage fcontext -l | grep pgsql
/usr/lib/pgsql/test/regress/pg_regress regular file system_u:object_r:postgresql_exec_t:s0
/var/lib/pgsql/data(/.*)? all files system_u:object_r:postgresql_db_t:s0
/home/pgsql/pgstartup.log regular file system_u:object_r:postgresql_log_t:s0
/var/lib/pgsql/pgstartup.log all files system_u:object_r:postgresql_log_t:s0
/usr/share/jonas/pgsql(/.*)? all files system_u:object_r:postgresql_db_t:s0
/home/pgsql directory system_u:object_r:var_lib_t:s0
/home/pgsql/data(/.*)? all files system_u:object_r:postgresql_db_t:s0
/usr/lib/pgsql/test/regress/.*\.sh regular file system_u:object_r:bin_t:s0
/usr/lib/pgsql/test/regres(/.*)? all files system_u:object_r:postgresql_db_t:s0

> I trust that /home/pgsql is not some user's home directory?

That is correct.

> > After recursively setting the data directory to postgresql_db_t and the
> > logfile to postgresql_log_t, service starts up without complaint. So
> > then:
> >
> > postgresql started... check
> > database located under /home/pgsql... check
> > SELinux enforcing... yep
> > postgresql service not excluded... yes
> > read and write data to db... YES!
> >
> > Excellent. I presume I should keep these SELinux policy source files in
> > a safe place in case this configuration is required again.
>
> I'd keep them around for reference purposes but the policy module should
> survive reboots and base policy updates.
>
> > Thank you so much for your assistance! I have one final question. Do you
> > have any recommendations for decent documentation on SELinux
> > administration? Online is alright, but book recommendations are
> > perfectly welcome.
>
> Not really. I think it's too much of a moving target at the moment to
> find anything that's up to date in print.
>
> > I hope to avoid having to go through this in the future. My goal is
> > really to understand the process.
> > Right now, all I can do is describe
> > the problem and hope someone can walk me through the solution as you
> > have done. (I learn well from examples, so I know much more now that
> > I've at least gone through it.)
>
> The way I learned about it was by reading the FC3 SELinux/Apache FAQ
> (http://fedora.redhat.com/docs/selinux-apache-fc3/), which is a bit out
> of date now, particularly regarding policy customization, hanging out on
> fedora-selinux-list, and getting my own systems working to my own
> satisfaction in enforcing mode.
>
> The online documentation is getting better, and a good place to start is
> probably: http://fedoraproject.org/wiki/SELinux

I'll have a look at those, and probably lurk the fedora-selinux-list for a while.
You've been very helpful.

-Alan
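The local-policy-module procedure Paul walks through above, scripted as an added example (this is not code from the thread or from Fedora): it writes the three module sources from his message, and before any relabelling it checks that every spec in the .fc file actually shows up in `semanage fcontext -l` with the type it declares, which is the check that would have flagged the incomplete fix before `restorecon` reverted /home/pgsql to user_home_t. The paths (/root/selinux.local, /home/pgsql) are the thread's; the `--install` switch and the function names are this script's own conventions, and the sample listing is the one Alan posted. The build and install steps need checkpolicy, semodule and root, so they run only when asked for.

```shell
#!/bin/sh
# Added example, not code from the thread: scripts the local-policy-module
# workflow Paul describes and verifies the file-context rules were registered
# before anything is relabelled. Paths are the thread's; --install is ours.

# Write the three module sources from the thread (postgresql.te, .fc, .if) into DIR.
write_policy_sources() {
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/postgresql.te" <<'EOF'
module postgresql 0.1;

require {
    class dir search;
    class lnk_file read;

    type home_root_t;
    type postgresql_t;
    type var_lib_t;
};

# Allow postgresql to read /var/lib/pgsql -> /home/pgsql symlink if present
allow postgresql_t var_lib_t:lnk_file read;

# Allow postgresql to search directory /home
allow postgresql_t home_root_t:dir search;
EOF
    # One rule per line: path regex, optional file-type flag (-d dir, -- regular file), context.
    cat > "$dir/postgresql.fc" <<'EOF'
/home/pgsql  -d  gen_context(system_u:object_r:var_lib_t,s0)
/home/pgsql/data(/.*)?  gen_context(system_u:object_r:postgresql_db_t,s0)
/home/pgsql/pgstartup.log  --  gen_context(system_u:object_r:postgresql_log_t,s0)
EOF
    : > "$dir/postgresql.if"   # a local module needs no interface macros
}

# Print the type that a `semanage fcontext -l` listing (read on stdin) assigns
# to the exact path spec given as $1; prints nothing if there is no such entry.
fcontext_type() {
    awk -v spec="$1" '$1 == spec { split($NF, c, ":"); print c[3]; exit }'
}

# For every spec in the .fc file $1, compare the type it declares with the type
# the listing on stdin registers; print one line per mismatch or missing entry.
missing_fcontexts() {
    fcfile=$1
    listing=$(cat)
    while read -r spec rest; do
        case $spec in ''|'#'*) continue ;; esac
        want=$(printf '%s\n' "$rest" | sed -n 's/.*gen_context(system_u:object_r:\([a-z_]*\),.*/\1/p')
        have=$(printf '%s\n' "$listing" | fcontext_type "$spec")
        [ "$have" = "$want" ] || printf '%s: expected %s, registered %s\n' "$spec" "$want" "${have:-nothing}"
    done < "$fcfile"
}

# The `semanage fcontext -l | grep pgsql` output Alan posted, used as sample input.
sample_listing() {
    cat <<'EOF'
/usr/lib/pgsql/test/regress/pg_regress regular file system_u:object_r:postgresql_exec_t:s0
/var/lib/pgsql/data(/.*)? all files system_u:object_r:postgresql_db_t:s0
/home/pgsql/pgstartup.log regular file system_u:object_r:postgresql_log_t:s0
/var/lib/pgsql/pgstartup.log all files system_u:object_r:postgresql_log_t:s0
/usr/share/jonas/pgsql(/.*)? all files system_u:object_r:postgresql_db_t:s0
/home/pgsql directory system_u:object_r:var_lib_t:s0
/home/pgsql/data(/.*)? all files system_u:object_r:postgresql_db_t:s0
/usr/lib/pgsql/test/regress/.*\.sh regular file system_u:object_r:bin_t:s0
/usr/lib/pgsql/test/regres(/.*)? all files system_u:object_r:postgresql_db_t:s0
EOF
}

# Build and install the module (needs checkpolicy, semodule, root), verify the
# registered contexts, then preview the relabel without applying it.
build_and_install() {
    cd "$1" || return 1
    chcon -R -t usr_t .
    [ -e Makefile ] || ln -s /usr/share/selinux/devel/Makefile .
    make && semodule -i postgresql.pp || return 1
    semanage fcontext -l | grep pgsql | missing_fcontexts postgresql.fc
    # -n reports what restorecon would change without changing it, so a relabel
    # that would revert /home/pgsql to user_home_t (as in the thread) shows up first.
    restorecon -Rvn /home/pgsql
    matchpathcon /home/pgsql /home/pgsql/data /home/pgsql/pgstartup.log
}

main() {
    write_policy_sources "$1"
    [ "${2:-}" = --install ] && build_and_install "$1"
}

# Usage: sh pgsql-policy.sh /root/selinux.local [--install]
[ $# -gt 0 ] && main "$@"
```

Without `--install` the script only writes the sources, so it can be reviewed (or version-controlled, as Alan intends) before anything touches the running policy; `restorecon -n` and `matchpathcon` are the two commands worth running before a real relabel, since they show which spec wins for each path.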