Trouble starting postgresql

Wed May 31 17:19:56 UTC 2006

Alan M. Evans wrote:
> On Tue, 2006-05-30 at 10:48, Paul Howarth wrote:
>> Alan M. Evans wrote:
>>> On Tue, 2006-05-30 at 09:10, Paul Howarth wrote:
>>> [ ... ]
>>>> If that's all you have, it shouldn't be difficult to fix.
>>>>
>>>> Set yourself up for making local policy modules:
>>>>
>>>> # yum install checkpolicy
>>>> # cd /root
>>>> # mkdir selinux.local
>>>> # cd selinux.local
>>>> # chcon -R -t usr_t .
>>>> # ln -s /usr/share/selinux/devel/Makefile .
>>>>
>>>> Make a local policy module for this issue, in this directory:
>>>>
>>>> 1. Create a file postgresql.te with this content:
>>>>
>>>> module postgresql 0.1;
>>>>
>>>> require {
>>>>          class dir search;
>>>>          class lnk_file read;
>>>>
>>>>          type home_root_t;
>>>>          type postgresql_t;
>>>>          type var_lib_t;
>>>> };
>>>>
>>>> # Allow postgresql to read /var/lib/pgsql -> /home/pgsql symlink
>>>> # if present
>>>> allow postgresql_t var_lib_t:lnk_file read;
>>>>
>>>> # Allow postgresql to search directory /home
>>>> allow postgresql_t home_root_t:dir search;
>>>>
>>>> 2. Create a file postgresql.fc with this content:
>>>>
>>>> /home/pgsql                     -d 
>>>> gen_context(system_u:object_r:var_lib_t,s0)
>>>> /home/pgsql/data(/.*)? 
>>>> gen_context(system_u:object_r:postgresql_db_t,s0)
>>>> /home/pgsql/pgstartup.log       -- 
>>>> gen_context(system_u:object_r:postgresql_log_t,s0)
>>>>
>>>> (that's three long lines)
>>>>
>>>> 3. Create an empty postgresql.if file:
>>>>
>>>> # touch postgresql.if
>>>>
>>>> 4. Build the policy module
>>>>
>>>> # make
>>>>
>>>> Install your new policy module:
>>>>
>>>> # semodule -i postgresql.pp
>>>>
>>>> Fix file contexts:
>>>>
>>>> # restorecon -Rv /home/pgsql
>>>>
>>>> Hopefully that should get you going in enforcing mode.
>>> Well, that restorecon set all the contexts back to user_home_t. Ugh.
>> Ugh indeed. My fix is incomplete. Can you post the output of:
>> # semanage fcontext -l | grep pgsql
> 
> Sure:
> 
> # semanage fcontext -l | grep pgsql
> /usr/lib/pgsql/test/regress/pg_regress             regular file      
> system_u:object_r:postgresql_exec_t:s0
> /var/lib/pgsql/data(/.*)?                          all files         
> system_u:object_r:postgresql_db_t:s0
> /home/pgsql/pgstartup.log                          regular file      
> system_u:object_r:postgresql_log_t:s0
> /var/lib/pgsql/pgstartup.log                       all files         
> system_u:object_r:postgresql_log_t:s0
> /usr/share/jonas/pgsql(/.*)?                       all files         
> system_u:object_r:postgresql_db_t:s0
> /home/pgsql                                        directory         
> system_u:object_r:var_lib_t:s0
> /home/pgsql/data(/.*)?                             all files         
> system_u:object_r:postgresql_db_t:s0
> /usr/lib/pgsql/test/regress/.*\.sh                 regular file      
> system_u:object_r:bin_t:s0
> /usr/lib/pgsql/test/regres(/.*)?                   all files         
> system_u:object_r:postgresql_db_t:s0
> 
>> I trust that /home/pgsql is not some user's home directory?
> 
> That is correct.

It appears that there is no easy fix for this problem, other than moving 
the data somewhere other than under /home:

http://www.redhat.com/archives/fedora-selinux-list/2006-May/msg00253.html

Paul.