Paul Howarth wrote:
Zoltan Boszormenyi wrote:
Paul Howarth wrote:
Zoltan Boszormenyi wrote:
What puzzled me is starting postgresql failed at boot
but not the manual "service postgresql start" after bootup.
(Maybe different contexts are applied to the logged-in root
and the init program?)
Running the initscript should be exactly the same as the boot
process. Starting the service manually (without the initscript)
would be different though, as no domain transition would happen.
Both
service postgresql start
and
su - postgres
PGDATA=/home1/pgsql pg_ctl start
started successfully if I logged in as root or under "su -" from my
mortal uid.
(The postgresql initscript uses "runuser" instead of "su" IIRC.)
Do the AVCs logged during the boot process show the process running
as postgresql_t? If you do a "ps uaxZ", is it running as
postgresql_t or unconfined_t?
It's running under postgresql_t.
Does it run under postgresql_t if you start it using pg_ctl?
$ su -
# service postgresql stop
# su - postgres
$ PGDATA=/var/lib/pgsql/data pg_ctl start
postmaster starting
$ ps axuZ | grep post | grep -v bash | grep -v grep | grep -v "su -" | grep -v "ps "
user_u:system_r:unconfined_t postgres 5171 0.5 0.3 92280 3808 pts/0 S 18:32 0:00 /usr/bin/postmaster
user_u:system_r:unconfined_t postgres 5174 0.0 0.1 81324 1056 pts/0 S 18:32 0:00 postgres: logger process
user_u:system_r:unconfined_t postgres 5176 0.0 0.1 92264 1152 pts/0 S 18:32 0:00 postgres: writer process
user_u:system_r:unconfined_t postgres 5177 0.0 0.1 82460 992 pts/0 S 18:32 0:00 postgres: stats buffer process
user_u:system_r:unconfined_t postgres 5178 0.0 0.1 81456 1196 pts/0 S 18:32 0:00 postgres: stats collector process
$ pg_ctl stop
$ logout
# service postgresql start
A(z) postgresql szolgáltatás elindítása: [ OK ]
[root@host-81-17-177-202 ~]# ps axuZ | grep post | grep -v bash | grep -v grep | grep -v "su -" | grep -v "ps "
user_u:system_r:unconfined_t postgres 5307 9.5 0.3 92284 3808 ? S 18:36 0:00 /usr/bin/postmaster -p 5432 -D /var/lib/pgsql/data
user_u:system_r:unconfined_t postgres 5309 0.0 0.1 81328 1056 ? S 18:36 0:00 postgres: logger process
user_u:system_r:unconfined_t postgres 5311 0.0 0.1 92268 1112 ? S 18:36 0:00 postgres: writer process
user_u:system_r:unconfined_t postgres 5312 0.0 0.0 82464 920 ? S 18:36 0:00 postgres: stats buffer process
user_u:system_r:unconfined_t postgres 5313 0.0 0.1 81460 1196 ? S 18:36 0:00 postgres: stats collector process
Both times it's running under unconfined_t, so it doesn't matter
whether it's running under "su - postgres" or "runuser - postgres".
It seems what matters is that it's started from a logged in user:
# ps auxZ | grep bash
user_u:system_r:unconfined_t zozo 4979 0.0 0.1 59836 1708 pts/0 Ss 18:28 0:00 bash
user_u:system_r:unconfined_t root 5002 0.0 0.1 59840 1688 pts/0 S 18:28 0:00 -bash
I logged in through GDM if that's interesting, running "su - " in a
gnome-terminal.
I've just responded to another poster with almost exactly the same
issue. I think this might be worth a wiki page.
It would be a good idea.
I'll do that when the other poster's last issue (default file
contexts) is resolved.
Paul.
Best regards,
Zoltán Böszörményi
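The "ps axuZ" inspection Paul suggested, turned into a script; this is an added example and not part of the thread. Given ps output it lists processes whose executable should be in a confined domain but whose label shows another one, which is how the unconfined_t postmaster above would be flagged on a live host (the sample lines are constructed from the thread's output; the postgresql_t line is an assumed healthy case).

```shell
#!/bin/sh
# Constructed sample in "ps axuZ" layout: LABEL USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND.
# Line 1 is the unconfined postmaster from the thread, line 2 an assumed correctly
# confined one, line 3 the interactive shell it was started from.
SAMPLE_PS='user_u:system_r:unconfined_t postgres 5307 9.5 0.3 92284 3808 ? S 18:36 0:00 /usr/bin/postmaster -p 5432 -D /var/lib/pgsql/data
system_u:system_r:postgresql_t postgres 6001 0.1 0.3 92284 3808 ? S 18:40 0:00 /usr/bin/postmaster -p 5432 -D /var/lib/pgsql/data
user_u:system_r:unconfined_t root 5002 0.0 0.1 59840 1688 pts/0 S 18:28 0:00 -bash'

# find_misdomained EXPECTED_DOMAIN COMMAND_BASENAME  < ps-axuZ-output
# Prints "PID actual_domain" for every process whose command basename matches
# COMMAND_BASENAME but whose domain (third field of the SELinux label) is not
# EXPECTED_DOMAIN. The ps header line never matches because its COMMAND
# column literally reads "COMMAND".
find_misdomained() {
    awk -v want="$1" -v cmd="$2" '
        {
            split($1, lab, ":")          # user:role:type[:level]
            n = split($12, path, "/")    # basename of the COMMAND column
            base = path[n]
        }
        base == cmd && lab[3] != want { print $3, lab[3] }'
}

# Convenience wrapper for a live host: check_live postgresql_t postmaster
check_live() {
    ps axuZ | find_misdomained "$1" "$2"
}

# Running on the constructed sample prints: 5307 unconfined_t
printf '%s\n' "$SAMPLE_PS" | find_misdomained postgresql_t postmaster
```

On a host where the daemon was started from the initscript at boot the wrapper prints nothing; output from it after a manual "su -"/"service ... start" matches the situation described in the thread.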