SELinux question

Zoltan Boszormenyi zboszor at freemail.hu
Wed May 31 17:40:06 UTC 2006


Paul Howarth wrote:
> Zoltan Boszormenyi wrote:
>> Paul Howarth wrote:
>>> Zoltan Boszormenyi wrote:
>>>> Paul Howarth wrote:
>>>>> Zoltan Boszormenyi wrote:
>>>>>> What puzzled me is starting postgresql failed at boot
>>>>>> but not the manual "service postgresql start" after bootup.
>>>>>> (Maybe different contexts are applied to the logged-in root
>>>>>> and the init program?)
>>>>>
>>>>> Running the initscript should be exactly the same as the boot 
>>>>> process. Starting the service manually (without the initscript) 
>>>>> would be different though, as no domain transition would happen.
>>>>
>>>> Both
>>>>
>>>> service postgresql start
>>>>
>>>> and
>>>>
>>>> su - postgres
>>>> PGDATA=/home1/pgsql pg_ctl start
>>>>
>>>> started successfully if I logged in as root or under "su -" from my 
>>>> mortal uid.
>>>> (The postgresql initscript uses "runuser" instead of "su" IIRC.)
>>>>
>>>>> Do the AVCs logged during the boot process show the process 
>>>>> running as postgresql_t? If you do a "ps uaxZ", is it running as 
>>>>> postgresql_t or unconfined_t?
>>>>
>>>> It's running under postgresql_t.
>>>
>>> Does it run under postgresql_t if you start it using pg_ctl?
>>
>> $ su -
>> # service postgresql stop
>> # su - postgres
>> $ PGDATA=/var/lib/pgsql/data pg_ctl start
>> postmaster starting
>> $ ps axuZ | grep post | grep -v bash | grep -v grep | grep -v "su -" | grep -v "ps "
>> user_u:system_r:unconfined_t    postgres  5171  0.5  0.3  92280  3808 pts/0    S    18:32   0:00 /usr/bin/postmaster
>> user_u:system_r:unconfined_t    postgres  5174  0.0  0.1  81324  1056 pts/0    S    18:32   0:00 postgres: logger process
>> user_u:system_r:unconfined_t    postgres  5176  0.0  0.1  92264  1152 pts/0    S    18:32   0:00 postgres: writer process
>> user_u:system_r:unconfined_t    postgres  5177  0.0  0.1  82460   992 pts/0    S    18:32   0:00 postgres: stats buffer process
>> user_u:system_r:unconfined_t    postgres  5178  0.0  0.1  81456  1196 pts/0    S    18:32   0:00 postgres: stats collector process
>> $ pg_ctl stop
>> $ logout
>
> That one's as I expected.
>
>> # service postgresql start
>> A(z) postgresql szolgáltatás elindítása:                   [  OK  ]
>> [root at host-81-17-177-202 ~]# ps axuZ | grep post | grep -v bash | grep -v grep | grep -v "su -" | grep -v "ps "
>> user_u:system_r:unconfined_t    postgres  5307  9.5  0.3  92284  3808 ?        S    18:36   0:00 /usr/bin/postmaster -p 5432 -D /var/lib/pgsql/data
>> user_u:system_r:unconfined_t    postgres  5309  0.0  0.1  81328  1056 ?        S    18:36   0:00 postgres: logger process
>> user_u:system_r:unconfined_t    postgres  5311  0.0  0.1  92268  1112 ?        S    18:36   0:00 postgres: writer process
>> user_u:system_r:unconfined_t    postgres  5312  0.0  0.0  82464   920 ?        S    18:36   0:00 postgres: stats buffer process
>> user_u:system_r:unconfined_t    postgres  5313  0.0  0.1  81460  1196 ?        S    18:36   0:00 postgres: stats collector process
>>
>> Both times it's running under unconfined_t, so it doesn't matter
>> whether it's running under "su - postgres" or "runuser - postgres".
>> It seems what matters is that it's started from a logged in user:
>
> I'd have expected this to run as postgresql_t
>
> Is your postgresql initscript correctly labelled as initrc_exec_t?

Unfortunately not:

# ls --context postgresql
-rwxr-xr-x  root     root     user_u:object_r:etc_t            postgresql

although other rc scripts are. Relabelled.

# service postgresql restart
A(z) postgresql szolgáltatás leállítása:                   [  OK  ]
A(z) postgresql szolgáltatás elindítása:                   [  OK  ]
# ps axuZ | grep post | grep -v bash | grep -v grep | grep -v "su -" | grep -v "ps "
user_u:system_r:postgresql_t    postgres 12617  1.2  0.3  92280  3808 ?        S    19:22   0:00 /usr/bin/postmaster -p 5432 -D /var/lib/pgsql/data
user_u:system_r:postgresql_t    postgres 12623  0.0  0.1  81324  1056 ?        S    19:22   0:00 postgres: logger process
user_u:system_r:postgresql_t    postgres 12625  0.0  0.1  92264  1148 ?        S    19:22   0:00 postgres: writer process
user_u:system_r:postgresql_t    postgres 12626  0.0  0.1  82460   992 ?        S    19:22   0:00 postgres: stats buffer process
user_u:system_r:postgresql_t    postgres 12627  0.0  0.1  81456  1196 ?        S    19:22   0:00 postgres: stats collector process

Now it is postgresql_t. It must have been "joe", the editor I used
for modifying the rc script. It renamed the original to postgresql~
and created a new file with the modified content. The new file
got some default policy from the directory it resides in.
Should I always use "vi" to edit such config files? It saves the
file in place. Or joe needs some fixup.

> What's the state of the postgresql_disable_trans boolean?
> # getsebool postgresql_disable_trans

# getsebool postgresql_disable_trans
postgresql_disable_trans --> off

Best regards,
Zoltán Böszörményi
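The label check Paul asks for, turned into a small reusable script. This is an added example, not code from the thread, from Fedora or from the SELinux reference policy. It reads `ls --context` output, reports every init script whose type is not initrc_exec_t (the type that gives the initscript its domain transition, so a wrongly labelled script leaves the daemon in the caller's domain, as the unconfined_t listings above show), and offers a `restorecon` wrapper for the fix used in the thread. It goes slightly beyond the thread in that it locates the context column by shape rather than by position, so it also works with the two-column `ls -Z` and the `ls -lZ` output of newer coreutils. The sample listing is constructed (the httpd and sshd entries are invented), and `/etc/init.d` as the default directory is an assumption.

```shell
#!/bin/sh
# Constructed sample in the five-column "ls --context" format shown in the
# thread (mode owner group context name); httpd and sshd entries are made up.
SAMPLE_LS='-rwxr-xr-x  root     root     system_u:object_r:initrc_exec_t  httpd
-rwxr-xr-x  root     root     user_u:object_r:etc_t            postgresql
-rwxr-xr-x  root     root     user_u:object_r:etc_t            postgresql~
-rwxr-xr-x  root     root     system_u:object_r:initrc_exec_t  sshd'

# find_mislabelled: read ls output with SELinux contexts on stdin and print
# "<name> <type>" for every entry whose type is not initrc_exec_t.
# The context column is found by shape (user:role:type[:range]) rather than
# by position, so "ls --context", "ls -Z" and "ls -lZ" layouts all work.
# Lines without a context (the "total N" line, or "?" on a non-SELinux
# system) are skipped. The name is taken as the last field, so names
# containing spaces are not handled.
find_mislabelled() {
    awk '
        {
            type = ""
            for (i = 1; i <= NF; i++)
                if (split($i, ctx, ":") >= 3) { type = ctx[3]; break }
            if (type == "") next
            if (type != "initrc_exec_t") print $NF, type
        }'
}

# check_initscripts: run the check against a real directory.
# Default /etc/init.d is an assumption; requires GNU ls (--context / -Z).
check_initscripts() {
    dir=${1:-/etc/init.d}
    ls --context "$dir" | find_mislabelled
}

# relabel_initscript: reset one script to the context the loaded policy's
# file_contexts specifies, which is the fix applied in the thread. Editors
# that write a new file instead of saving in place (joe, as described above)
# give the new file the directory's default label, and restorecon undoes
# that. Returns 1 when restorecon is not installed.
relabel_initscript() {
    command -v restorecon >/dev/null 2>&1 || return 1
    restorecon -v "$1"
}

# Stand-alone demonstration on the constructed sample: prints the
# postgresql script and its editor backup, both labelled etc_t.
printf '%s\n' "$SAMPLE_LS" | find_mislabelled
```

On a live system, `check_initscripts` lists the scripts to look at and `relabel_initscript /etc/init.d/postgresql` repairs one of them; an editor backup such as `postgresql~` is harmless to init but is reported so the cause of the relabel is visible.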