Postgres directory context

James Young jsyoung72 at gmail.com
Mon Jan 15 10:09:55 UTC 2007


Sorry it took me so long to reply back. It's been a busy weekend.

Bind mounting worked. I actually changed /home/ to /Data and bind mounted
/home/ onto /Data/home and then created /Data/pgsql, changing the default
context to those of /var/lib/pgsql. That didn't work, even when I changed
/Data to system_u:object_r:var_t, /Data/pgsql to
system_u:object_r:var_lib_t, and /Data/pgsql/data to
system_u:object_r:postgresql_db_t. I thought maybe selinux only allowed
transition to var_lib_t from var_t, and then to postgres_db_t from
var_lib_t. Is that how it works with the directory hierarchy?

Anyway, I moved /var/lib/pgsql to /var/lib/pgsql.bk, bind mounted /Data/pgsql/
to /var/lib/pgsql and removed /etc/sysconfig/pgsql/postgresql. That worked. I
just hope the developers don't see stuff like that as a security hole and
fix it.

Have they changed the wiki? It seems like they have more useful info in
there, than what I've found in the past. Then again, most of my visits to
the wiki were from Google links. Maybe I just needed to visit the home page.

Thanks for all your help.
Jim Young

On 1/12/07, Paul Howarth <paul at city-fan.org> wrote:
>
> James Young wrote:
> > Does selinux check context on the whole directory hierarchy when making a
> > decision about permission to enter a directory? That is, when I try to
> > access /home/Data/pgsql, will it check the context on /home, then
> > /home/Data, and then on /home/Data/pgsql? Or will it only check the context
> > on /home/Data/pgsql?
> >
> > I want to put a Postgres database in a /home/Data/pgsql/data directory, but
> > the initrc script will not run it there. I can run it as the postgres user.
> > The contexts mirror the /var/lib/pgsql/data directory:
> > user_u:object_r:postgres_db_t. The context of /home/Data/pgsql is
> > system_u:object_r:var_lib_t.
>
> The whole hierarchy must be readable. Putting server data under /home
> always causes problems. I'd suggest bind mounting /home/Data/pgsql to
> /var/lib/pgsql or something similar.
>
> You could change the context type of /home/Data to var_t but you'd
> probably still have issues with /home itself.
>
> > Does Fedora use the reference policy from Tresys exactly? If not, where can
> > I find the source policy for Fedora. All I can find are the if files.
>
> The selinux-policy SRPM.
>
> > Finally, are there any better references for selinux. Everything I've read
> > seems dated.
>
> http://fedoraproject.org/wiki/SELinux is a decent starting point.
>
> Paul.
>
>
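Paul's point that the whole hierarchy must be traversable is easiest to check component by component. The script below is an added example, not code from either poster: it walks every ancestor of a data directory, reads each one's SELinux context (via the security.selinux xattr, so it needs Linux), and reports the first component whose type is not in a set of types the admin considers acceptable for the daemon to search. The sample labels (root_t, home_root_t) and the allowed set are constructed for illustration; the real allowed set depends on the policy in use.

```python
# Added example (not from the thread): find the directory that blocks a
# confined daemon from reaching its data directory by checking each ancestor.
import os
from typing import Callable, Dict, List, Optional, Tuple

def selinux_context(path: str) -> str:
    """Read the live context from the security.selinux xattr (Linux only)."""
    raw = os.getxattr(path, "security.selinux")  # bytes, NUL-terminated
    return raw.rstrip(b"\x00").decode()

def ancestors(path: str) -> List[str]:
    """Return '/', then every directory down to and including path."""
    parts = [p for p in os.path.abspath(path).split("/") if p]
    chain = ["/"]
    for i in range(len(parts)):
        chain.append("/" + "/".join(parts[: i + 1]))
    return chain

def hierarchy_types(path: str,
                    getter: Callable[[str], str] = selinux_context
                    ) -> List[Tuple[str, str]]:
    """(component, type) for each component; type is the 3rd context field."""
    out = []
    for comp in ancestors(path):
        fields = getter(comp).split(":")
        out.append((comp, fields[2] if len(fields) >= 3 else fields[0]))
    return out

def first_untraversable(path: str, allowed_types: set,
                        getter: Callable[[str], str] = selinux_context
                        ) -> Optional[str]:
    """First component whose type is outside allowed_types, else None."""
    for comp, t in hierarchy_types(path, getter):
        if t not in allowed_types:
            return comp
    return None

# Constructed sample contexts mirroring the two layouts discussed in the thread.
SAMPLE: Dict[str, str] = {
    "/": "system_u:object_r:root_t",            # assumed label for /
    "/home": "system_u:object_r:home_root_t",   # assumed label for /home
    "/home/Data": "system_u:object_r:var_lib_t",
    "/home/Data/pgsql": "system_u:object_r:var_lib_t",
    "/home/Data/pgsql/data": "system_u:object_r:postgresql_db_t",
    "/Data": "system_u:object_r:var_t",
    "/Data/pgsql": "system_u:object_r:var_lib_t",
    "/Data/pgsql/data": "system_u:object_r:postgresql_db_t",
}
ALLOWED = {"root_t", "var_t", "var_lib_t", "postgresql_db_t"}  # constructed

if __name__ == "__main__":
    for d in ("/home/Data/pgsql/data", "/Data/pgsql/data"):
        print(d, "->", first_untraversable(d, ALLOWED, SAMPLE.__getitem__))
```

On a live system call `first_untraversable("/Data/pgsql/data", ALLOWED)` without the getter argument to read the real labels.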