SELinux question

Paul Howarth paul at city-fan.org
Wed May 31 20:20:00 UTC 2006 

On Wed, 2006-05-31 at 19:40 +0200, Zoltan Boszormenyi wrote: 
> Paul Howarth írta:
> > Zoltan Boszormenyi wrote:
> >> Paul Howarth írta:
> >>> Zoltan Boszormenyi wrote:
> >>>> Paul Howarth írta:
> >>>>> Zoltan Boszormenyi wrote:
> >>>>>> What puzzled me is starting postgresql failed at boot
> >>>>>> but not the manual "service postgresql start" after bootup.
> >>>>>> (Maybe different contexts are applied to the logged-in root
> >>>>>> and the init program?)
> >>>>>
> >>>>> Running the initscript should be exactly the same as the boot 
> >>>>> process. Starting the service manually (without the initscript) 
> >>>>> would be different though, as no domain transition would happen.
> >>>>
> >>>> Both
> >>>>
> >>>> service postgresql start
> >>>>
> >>>> and
> >>>>
> >>>> su - postgres
> >>>> PGDATA=/home1/pgsql pg_ctl start
> >>>>
> >>>> started successfully if I logged in as root or under "su -" from my 
> >>>> mortal uid.
> >>>> (The postgresql initscript uses "runuser" instead of "su" IIRC.)
> >>>>
> >>>>> Do the AVCs logged during the boot process show the process 
> >>>>> running as postgresql_t? If you do a "ps uaxZ", is it running as 
> >>>>> postgresql_t or unconfined_t?
> >>>>
> >>>> It's running under postgresql_t.
> >>>
> >>> Does it run under postgresql_t if you start it using pg_ctl?
> >>
> >> $ su -
> >> # service postgresql stop
> >> # su - postgres
> >> $ PGDATA=/var/lib/pgsql/data pg_ctl start
> >> postmaster starting
> >> $ ps axuZ | grep post | grep -v bash | grep -v grep | grep -v "su -" 
> >> | grep -v "ps "
> >> user_u:system_r:unconfined_t    postgres  5171  0.5  0.3  92280  3808 
> >> pts/0    S    18:32   0:00 /usr/bin/postmaster
> >> user_u:system_r:unconfined_t    postgres  5174  0.0  0.1  81324  1056 
> >> pts/0    S    18:32   0:00 postgres: logger process
> >> user_u:system_r:unconfined_t    postgres  5176  0.0  0.1  92264  1152 
> >> pts/0    S    18:32   0:00 postgres: writer process
> >> user_u:system_r:unconfined_t    postgres  5177  0.0  0.1  82460   992 
> >> pts/0    S    18:32   0:00 postgres: stats buffer process
> >> user_u:system_r:unconfined_t    postgres  5178  0.0  0.1  81456  1196 
> >> pts/0    S    18:32   0:00 postgres: stats collector process
> >> $ pg_ctl stop
> >> $ logout
> >
> > That one's as I expected.
> >
> >> # service postgresql start
> >> A(z) postgresql szolgáltatás elindítása:                   [  OK  ]
> >> [root at host-81-17-177-202 ~]# ps axuZ | grep post | grep -v bash | 
> >> grep -v grep | grep -v "su -" | grep -v "ps "
> >> user_u:system_r:unconfined_t    postgres  5307  9.5  0.3  92284  3808 
> >> ?        S    18:36   0:00 /usr/bin/postmaster -p 5432 -D 
> >> /var/lib/pgsql/data
> >> user_u:system_r:unconfined_t    postgres  5309  0.0  0.1  81328  1056 
> >> ?        S    18:36   0:00 postgres: logger process
> >> user_u:system_r:unconfined_t    postgres  5311  0.0  0.1  92268  1112 
> >> ?        S    18:36   0:00 postgres: writer process
> >> user_u:system_r:unconfined_t    postgres  5312  0.0  0.0  82464   920 
> >> ?        S    18:36   0:00 postgres: stats buffer process
> >> user_u:system_r:unconfined_t    postgres  5313  0.0  0.1  81460  1196 
> >> ?        S    18:36   0:00 postgres: stats collector process
> >>
> >> Both times it's running under unconfined_t, so it doesn't matter
> >> whether it's running under "su - postgres" or "runuser - postgres".
> >> It seems what matters is that it's started from a logged in user:
> >
> > I'd have expected this to run as postgresql_t
> >
> > Is your postgresql initscript correctly labelled as initrc_exec_t?
> 
> Unfortunately not:
> 
> # ls --context postgresql
> -rwxr-xr-x  root     root     user_u:object_r:etc_t            postgresql
> 
> although other rc scripts are. Relabelled.

That explains the failure to transition to the postgresql_t domain then.

> # service postgresql restart
> A(z) postgresql szolgáltatás leállítása:                   [  OK  ]
> A(z) postgresql szolgáltatás elindítása:                   [  OK  ]
> # ps axuZ | grep post | grep -v bash | grep -v grep | grep -v "su -" | 
> grep -v "ps "
> user_u:system_r:postgresql_t    postgres 12617  1.2  0.3  92280  3808 
> ?        S    19:22   0:00 /usr/bin/postmaster -p 5432 -D 
> /var/lib/pgsql/data
> user_u:system_r:postgresql_t    postgres 12623  0.0  0.1  81324  1056 
> ?        S    19:22   0:00 postgres: logger process
> user_u:system_r:postgresql_t    postgres 12625  0.0  0.1  92264  1148 
> ?        S    19:22   0:00 postgres: writer process
> user_u:system_r:postgresql_t    postgres 12626  0.0  0.1  82460   992 
> ?        S    19:22   0:00 postgres: stats buffer process
> user_u:system_r:postgresql_t    postgres 12627  0.0  0.1  81456  1196 
> ?        S    19:22   0:00 postgres: stats collector process
> 
> Now it is postgresql_t.

Good.

> It must have been "joe", the editor I used
> for modifying the rc script. It renamed the original to postgresql~
> and created a new file with the modified content. The new file
> got some default policy from the directory it resides in.
> Should I always use "vi" to edit such config files? It saves the
> file in place. Or joe needs some fixup.

Well initscripts aren't really config files and I don't think they
should be edited at all. If they need to provide configurability, it
should be done by editing something under /etc/sysconfig, e.g. by
setting a PGDATA variable in (say) /etc/sysconfig/postgresql (I don't
know if the postgresql initscript has such a facility though). The file
under /etc/sysconfig can be sourced by the initscript to get the config
info.

Having said that, I believe vi will edit the file in place by default.
It's what I use for most of my editing tasks anyway.

> > What's the state of the postgresql_disable_trans boolean?
> > # getsebool postgresql_disable_trans
> 
> # getsebool postgresql_disable_trans
> postgresql_disable_trans --> off

That was the other possible cause of the transition failure.

Paul.

More information about the fedora-list mailing list