SELinux question

Paul Howarth paul at city-fan.org
Wed May 31 17:01:29 UTC 2006


Zoltan Boszormenyi wrote:
> Paul Howarth írta:
>> Zoltan Boszormenyi wrote:
>>> Paul Howarth írta:
>>>> Zoltan Boszormenyi wrote:
>>>>> What puzzled me is starting postgresql failed at boot
>>>>> but not the manual "service postgresql start" after bootup.
>>>>> (Maybe different contexts are applied to the logged-in root
>>>>> and the init program?)
>>>>
>>>> Running the initscript should be exactly the same as the boot 
>>>> process. Starting the service manually (without the initscript) 
>>>> would be different though, as no domain transition would happen.
>>>
>>> Both
>>>
>>> service postgresql start
>>>
>>> and
>>>
>>> su - postgres
>>> PGDATA=/home1/pgsql pg_ctl start
>>>
>>> started successfully if I logged in as root or under "su -" from my 
>>> mortal uid.
>>> (The postgresql initscript uses "runuser" instead of "su" IIRC.)
>>>
>>>> Do the AVCs logged during the boot process show the process running 
>>>> as postgresql_t? If you do a "ps uaxZ", is it running as 
>>>> postgresql_t or unconfined_t?
>>>
>>> It's running under postgresql_t.
>>
>> Does it run under postgresql_t if you start it using pg_ctl?
> 
> $ su -
> # service postgresql stop
> # su - postgres
> $ PGDATA=/var/lib/pgsql/data pg_ctl start
> postmaster starting
> $ ps axuZ | grep post | grep -v bash | grep -v grep | grep -v "su -" | 
> grep -v "ps "
> user_u:system_r:unconfined_t    postgres  5171  0.5  0.3  92280  3808 
> pts/0    S    18:32   0:00 /usr/bin/postmaster
> user_u:system_r:unconfined_t    postgres  5174  0.0  0.1  81324  1056 
> pts/0    S    18:32   0:00 postgres: logger process
> user_u:system_r:unconfined_t    postgres  5176  0.0  0.1  92264  1152 
> pts/0    S    18:32   0:00 postgres: writer process
> user_u:system_r:unconfined_t    postgres  5177  0.0  0.1  82460   992 
> pts/0    S    18:32   0:00 postgres: stats buffer process
> user_u:system_r:unconfined_t    postgres  5178  0.0  0.1  81456  1196 
> pts/0    S    18:32   0:00 postgres: stats collector process
> $ pg_ctl stop
> $ logout

That one's as I expected.

> # service postgresql start
> A(z) postgresql szolgáltatás elindítása:                   [  OK  ]
> [root at host-81-17-177-202 ~]# ps axuZ | grep post | grep -v bash | grep 
> -v grep | grep -v "su -" | grep -v "ps "
> user_u:system_r:unconfined_t    postgres  5307  9.5  0.3  92284  3808 
> ?        S    18:36   0:00 /usr/bin/postmaster -p 5432 -D 
> /var/lib/pgsql/data
> user_u:system_r:unconfined_t    postgres  5309  0.0  0.1  81328  1056 
> ?        S    18:36   0:00 postgres: logger process
> user_u:system_r:unconfined_t    postgres  5311  0.0  0.1  92268  1112 
> ?        S    18:36   0:00 postgres: writer process
> user_u:system_r:unconfined_t    postgres  5312  0.0  0.0  82464   920 
> ?        S    18:36   0:00 postgres: stats buffer process
> user_u:system_r:unconfined_t    postgres  5313  0.0  0.1  81460  1196 
> ?        S    18:36   0:00 postgres: stats collector process
> 
> Both times it's running under unconfined_t, so it doesn't matter
> whether it's running under "su - postgres" or "runuser - postgres".
> It seems what matters is that it's started from a logged in user:

I'd have expected this to run as postgresql_t.

Is your postgresql initscript correctly labelled as initrc_exec_t?

What's the state of the postgresql_disable_trans boolean?
# getsebool postgresql_disable_trans

Paul.
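The three checks Paul asks for (process domain, initscript label, and the postgresql_disable_trans boolean) can be scripted. The following is an added example, not code from the thread or from Fedora: it parses the same kinds of output the thread pastes by hand. The sample ps lines are copied from the thread; the ls -Z line and the getsebool line are constructed, and the function names (context_of, selinux_type, check_process_domain, check_initscript_label, boolean_is_on) are the example's own.

```sh
#!/bin/sh
# Added example (not from the thread): script the three checks from the reply.
# SELinux contexts have the form user:role:type[:level]. For a process the
# type is its domain; for a file it is the file's label. The thread's question
# is why postmaster ends up in unconfined_t instead of postgresql_t.

# Print the context token found in one line of "ps axuZ" or "ls -Z" output
# (the first field that looks like a:b:c), or nothing if there is none.
context_of() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[A-Za-z0-9_]+:[A-Za-z0-9_]+:[A-Za-z0-9_]+/) { print $i; exit }
    }'
}

# Print the type (third field) of a context such as user_u:system_r:unconfined_t.
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Check 1: every process line mentioning postgres/postmaster must run in the
# expected domain. Prints one line per offender; returns 0 when all match.
check_process_domain() {
    expected=$1
    rc=0
    while IFS= read -r line; do
        case $line in *postgres*|*postmaster*) ;; *) continue ;; esac
        ctx=$(context_of "$line")
        [ -n "$ctx" ] || continue
        if [ "$(selinux_type "$ctx")" != "$expected" ]; then
            printf 'not %s: %s\n' "$expected" "$line"
            rc=1
        fi
    done <<EOF
$2
EOF
    return $rc
}

# Check 2: the initscript must be labelled initrc_exec_t; without that label
# init does not enter initrc_t, so no transition into postgresql_t can follow.
check_initscript_label() {
    [ "$(selinux_type "$(context_of "$1")")" = initrc_exec_t ]
}

# Check 3: read the "name --> value" line getsebool prints. Older releases
# print active/inactive, newer ones on/off. Returns 0 when the boolean is set.
boolean_is_on() {
    case $(printf '%s\n' "$1" | awk '{ print $NF }') in
        on|active) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample input: two ps lines copied from the thread, a third line
# (a grep, as the thread filters out) that must be skipped, plus a constructed
# ls -Z line and a constructed getsebool line.
SAMPLE_PS='user_u:system_r:unconfined_t    postgres  5307  9.5  0.3  92284  3808 ?        S    18:36   0:00 /usr/bin/postmaster -p 5432 -D /var/lib/pgsql/data
user_u:system_r:unconfined_t    postgres  5309  0.0  0.1  81328  1056 ?        S    18:36   0:00 postgres: logger process
root:system_r:unconfined_t      root      5300  0.0  0.0   4500   700 pts/0    S    18:36   0:00 grep post'
SAMPLE_LS='-rwxr-xr-x  root root system_u:object_r:initrc_exec_t  /etc/init.d/postgresql'
SAMPLE_BOOL='postgresql_disable_trans --> inactive'

# On a live system substitute the real commands, e.g.
#   check_process_domain postgresql_t "$(ps axuZ)"
#   check_initscript_label "$(ls -Z /etc/init.d/postgresql)"
#   boolean_is_on "$(getsebool postgresql_disable_trans)"
if check_process_domain postgresql_t "$SAMPLE_PS"; then
    echo "postgres runs confined in postgresql_t"
else
    echo "postgres is NOT confined"
fi
if check_initscript_label "$SAMPLE_LS"; then
    echo "initscript label OK (initrc_exec_t)"
else
    echo "initscript label wrong: try restorecon on it"
fi
if boolean_is_on "$SAMPLE_BOOL"; then
    echo "postgresql_disable_trans is set: transition to postgresql_t disabled"
else
    echo "postgresql_disable_trans is off"
fi
```

With the sample data the first check fails (both postmaster lines are unconfined_t, exactly the thread's symptom), the label check passes, and the boolean is off, which narrows the problem to how the process was started rather than to a disabled transition.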
