SELinux question

Tue May 30 16:40:10 UTC 2006

Zoltan Boszormenyi wrote:
> Paul Howarth írta:
>> You must have auditd running (probably a system upgraded from FC4 rather
>> than a clean FC5 install).
>>   
> 
> Actually, no. I was a clean install over my previous FC3.
> I installed and set auditd to run.

OK. I do this myself too, but most people don't...

>> Set yourself up for making local policy modules:
...
>> Make a local policy module for this issue, in this directory:
>> 1. Create a file postgres.te with this content:
>>
>> module postgres 0.1;
...
>>
>> 2. Create a file postgres.fc with this content:
>>
>> /home1/pgsql[^/]*/data(/.*)?
>> gen_context(system_u:object_r:postgresql_db_t,s0)
>>
>> /home1/pgsql[^/]*/pgstartup.log    --
>> gen_context(system_u:object_r:postgresql_log_t,s0)
>>
>> (that's two long lines)
...
>> Next, remove any file context objects you added for this issue using
>> semanage (contexts will now be managed using your local policy module):
>>
>> # semanage fcontext -d -t postgresql_db_t '/home1/pgsql/data(/.*)?'
>> # semanage fcontext -d -t postgresql_log_t '/home1/pgsql/pgstartup.log'
>> # semanage fcontext -d -t postgresql_db_t '/home1/pgsql2/data(/.*)?'
>>
>> Finally, install your new policy module:
>>
>> # semodule -i postgres.pp
>>   
> 
> Thanks, it almost worked. After doing these above,
> I still got avc denied { search } messages like this below:
> 
> type=AVC msg=audit(1148979521.381:10): avc:  denied  { search } for  
> pid=2666 comm="postmaster" name="/" dev=sda1 ino=2 
> scontext=system_u:system_r:postgresql_t:s0 
> tcontext=system_u:object_r:default_t:s0 tclass=dir
> 
> As it turned out, /home1 was default_t and postgresql is not enabled to 
> search
> and read files in default_t context. It made it working:
> 
> # semanage fcontext -a -t var_lib_t -f -d '/home1'
> # fixfiles relabel /home1

You can incorporate this into your local policy module by adding another 
line to postgres.fc:

/home1(/pgsql)? -d gen_context(system_u:object_r:var_lib_t,s0)

Bump the version number in postgres.te from 0.1 to 0.2 and re-run make.

You could then remove the extra fcontext object using semanage, and 
update the policy module:
# semodule -i postgres.pp

Having everything in the policy module is better for maintainability I 
think.

> What puzzled me is starting postgresql failed at boot
> but not the manual "service postgresql start" after bootup.
> (Maybe different contexts are applied to the logged-in root
> and the init program?)

Running the initscript should be exactly the same as the boot process. 
Starting the service manually (without the initscript) would be 
different though, as no domain transition would happen.

Do the AVCs logged during the boot process show the process running as 
postgresql_t? If you do a "ps uaxZ", is it running as postgresql_t or 
unconfined_t?

> The two lines above made it working again.

So it's working from bootup now?

>>>>>> An easier way is to bind mount /home/pgsql on /var/lib/pgsql etc. 
>>>>>> and do
>>>>>> a restorecon -R on the "new" /var/lib/pgsql. That achieves the same
>>>>>> effect without the symlink.
>>>>>>           
> 
> Actually I missed the "bind mount" part. That would have been much easier.
> But the crash course in SELinux was most fruitful, thank you.

I've just responded to another poster with almost exactly the same 
issue. I think this might be worth a wiki page.

> Sorry for the late answer, yesterday I donated my blood
> and had to hit the bed earlier that my usual.

No problem, we all have to sleep!

Cheers, Paul.