Postgres directory context

James Young jsyoung72 at gmail.com
Fri Jan 12 12:07:48 UTC 2007


Does selinux check context on the whole directory hierarchy when making a
decision about permission to enter a directory? That is, when I try to
access /home/Data/pgsql, will it check the context on /home, then
/home/Data, and then on /home/Data/pgsql? Or will it only check the context
on /home/Data/pgsql?

I want to put a Postgres database in a /home/Data/pgsql/data directory, but
the initrc script will not run it there. I can run it as the postgres user.
The contexts mirror the /var/lib/pgsql/data directory:
user_u:object_r:postgres_db_t. The context of /home/Data/pgsql is
system_u:object_r:var_lib_t.

It does run fine with initrc in /var/lib/pgsql. When I leave the
pgstartup.log in /var/lib/pgsql, I see the errors below. It doesn't matter
whether the database is already initialized or not. The contexts for the
/home/Data/pgsql directory are listed below as well. /home/Data is
system_u:object_r:user_home_dir_t.

I don't see anything in /var/log/audit/audit.log, but I think dontaudit
rules may be in effect.

Does Fedora use the reference policy from Tresys exactly? If not, where can
I find the source policy for Fedora? All I can find are the if files.

Finally, are there any better references for selinux? Everything I've read
seems dated.

Thanks,
Jim Young

pgstartup.log:
-------------------------
could not change directory to "/home/Data/pgsql"
initdb: could not access directory "/home/Data/pgsql/data": Permission denied
The files belonging to this database system will be owned by user "postgres".
This user must also own the server process.

The database cluster will be initialized with locale en_US.UTF-8.
The default database encoding has accordingly been set to UTF8.

postmaster cannot access the server configuration file "/home/Data/pgsql/data/postgresql.conf": Permission denied
could not change directory to "/home/Data/pgsql"
initdb: could not access directory "/home/Data/pgsql/data": Permission denied
The files belonging to this database system will be owned by user "postgres".
This user must also own the server process.

The database cluster will be initialized with locale en_US.UTF-8.
The default database encoding has accordingly been set to UTF8.

postmaster cannot access the server configuration file "/home/Data/pgsql/data/postgresql.conf": Permission denied
-----------

directory contexts:
-------------------------------
ls -Zd /home/Data/pgsql
drwx------  postgres postgres system_u:object_r:var_lib_t      /home/Data/pgsql

ls -Z /home/Data/pgsql
drwx------  postgres postgres system_u:object_r:var_lib_t      backups
drwx------  postgres postgres system_u:object_r:postgresql_db_t data
-rw-------  postgres postgres system_u:object_r:postgresql_log_t pgstartup.log

ls -Z /home/Data/pgsql/data
drwx------  postgres postgres user_u:object_r:postgresql_db_t  base
drwx------  postgres postgres user_u:object_r:postgresql_db_t  global
drwx------  postgres postgres user_u:object_r:postgresql_db_t  pg_clog
-rw-------  postgres postgres user_u:object_r:postgresql_db_t  pg_hba.conf
-rw-------  postgres postgres user_u:object_r:postgresql_db_t  pg_ident.conf
drwx------  postgres postgres user_u:object_r:postgresql_db_t  pg_log
drwx------  postgres postgres user_u:object_r:postgresql_db_t  pg_multixact
drwx------  postgres postgres user_u:object_r:postgresql_db_t  pg_subtrans
drwx------  postgres postgres user_u:object_r:postgresql_db_t  pg_tblspc
drwx------  postgres postgres user_u:object_r:postgresql_db_t  pg_twophase
-rw-------  postgres postgres user_u:object_r:postgresql_db_t  PG_VERSION
drwx------  postgres postgres user_u:object_r:postgresql_db_t  pg_xlog
-rw-------  postgres postgres user_u:object_r:postgresql_db_t  postgresql.conf
-rw-------  postgres postgres user_u:object_r:postgresql_db_t  postmaster.opts
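An added example, not part of the original post: SELinux requires `search` permission on every directory traversed during pathname lookup, so /home, /home/Data and /home/Data/pgsql are each checked before /home/Data/pgsql/data is reached. The script below walks those ancestors and compares each one's actual type with the type the file-context policy expects; the sample labels for / and /home and the whole `sample_expected` set are constructed assumptions, the remaining labels are the ones shown in the post.

```shell
# Print each ancestor of an absolute path, root first, one per line.
path_prefixes() {
    rest=${1#/}; cur=""
    printf '/\n'
    while [ -n "$rest" ]; do
        comp=${rest%%/*}; cur="$cur/$comp"
        printf '%s\n' "$cur"
        case $rest in */*) rest=${rest#*/} ;; *) rest="" ;; esac
    done
}
# Type field of a context string: user:role:type[:range] -> type
context_type() {
    t=${1#*:}; t=${t#*:}        # drop user and role
    printf '%s\n' "${t%%:*}"    # drop an MLS range if present
}
# Print actual vs expected type for each ancestor; return 1 on any mismatch.
# $2 and $3 name functions mapping a path to its context string.
check_path() {
    path=$1 actual_fn=$2 expected_fn=$3 rc=0
    for d in $(path_prefixes "$path"); do   # assumes no spaces in path
        a=$(context_type "$($actual_fn "$d")")
        e=$(context_type "$($expected_fn "$d")")
        if [ "$a" = "$e" ]; then mark=ok; else mark=MISMATCH; rc=1; fi
        printf '%-8s %-22s actual=%-18s expected=%s\n' "$mark" "$d" "$a" "$e"
    done
    return $rc
}
# Constructed sample: /home/Data and below carry the labels shown in the
# post; / and /home, and the whole "expected" set, are assumptions.
sample_actual() {
    case $1 in
        /)                     echo system_u:object_r:root_t ;;
        /home)                 echo system_u:object_r:home_root_t ;;
        /home/Data)            echo system_u:object_r:user_home_dir_t ;;
        /home/Data/pgsql)      echo system_u:object_r:var_lib_t ;;
        /home/Data/pgsql/data) echo user_u:object_r:postgresql_db_t ;;
    esac
}
sample_expected() {
    case $1 in
        /home/Data/pgsql) echo system_u:object_r:postgresql_db_t ;;
        *)                sample_actual "$1" ;;
    esac
}
# Live-system equivalents: GNU stat's %C and matchpathcon (libselinux-utils).
live_actual()   { stat -c %C "$1"; }
live_expected() { matchpathcon -n "$1"; }
```

On a live system run `check_path /home/Data/pgsql/data live_actual live_expected`; a MISMATCH line names the ancestor whose label differs from what the policy's file contexts assign.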