Re: Postgres 9.3 and SELinux
| From | Markus Nussdorfer |
|---|---|
| Subject | Re: Postgres 9.3 and SELinux |
| Date | |
| Msg-id | CAGWNuK08-wHYptw1S1JgsMz_V51htArCQD4VEmJODyKj0hkABg@mail.gmail.com |
| In reply to | Re: Postgres 9.3 and SELinux (Devrim Gündüz <devrim@gunduz.org>) |
| List | pgsql-pkg-yum |
Hi,

As we also need to activate SELinux for Postgres, since we must have it enabled on our machines, this sounds like a great idea to finally get that topic started.

# semanage fcontext -l|grep postgres
/etc/postgresql(/.*)? all files system_u:object_r:postgresql_etc_t:s0
/etc/rc\.d/init\.d/(se)?postgresql regular file system_u:object_r:postgresql_initrc_exec_t:s0
/etc/sysconfig/pgsql(/.*)? all files system_u:object_r:postgresql_etc_t:s0
/usr/bin/(se)?postgres regular file system_u:object_r:postgresql_exec_t:s0
/usr/bin/initdb(\.sepgsql)? regular file system_u:object_r:postgresql_exec_t:s0
/usr/lib(64)?/pgsql/test/regress(/.*)? all files system_u:object_r:postgresql_db_t:s0
/usr/lib(64)?/pgsql/test/regress/pg_regress regular file system_u:object_r:postgresql_exec_t:s0
/usr/lib(64)?/postgresql/bin/.* regular file system_u:object_r:postgresql_exec_t:s0
/usr/share/jonas/pgsql(/.*)? all files system_u:object_r:postgresql_db_t:s0
/var/lib/pgsql(/.*)? all files system_u:object_r:postgresql_db_t:s0
/var/lib/pgsql/data(/.*)? all files system_u:object_r:postgresql_db_t:s0
/var/lib/pgsql/logfile(/.*)? all files system_u:object_r:postgresql_log_t:s0
/var/lib/pgsql/pgstartup\.log.* all files system_u:object_r:postgresql_log_t:s0
/var/lib/postgres(ql)?(/.*)? all files system_u:object_r:postgresql_db_t:s0
/var/lib/sepgsql(/.*)? all files system_u:object_r:postgresql_db_t:s0
/var/lib/sepgsql/pgstartup\.log.* regular file system_u:object_r:postgresql_log_t:s0
/var/log/postgres\.log.* regular file system_u:object_r:postgresql_log_t:s0
/var/log/postgresql(/.*)? all files system_u:object_r:postgresql_log_t:s0
/var/log/rhdb/rhdb(/.*)? all files system_u:object_r:postgresql_log_t:s0
/var/log/sepostgresql\.log.* regular file system_u:object_r:postgresql_log_t:s0
/var/run/postgresql(/.*)? all files system_u:object_r:postgresql_var_run_t:s0
# getsebool -a|grep postgres
allow_user_postgresql_connect --> off
postgresql_can_rsync --> off
I haven't checked the transitions and possible other points affected,
like those described under https://fedoraproject.org/wiki/SELinux_Policy_Modules_Packaging_Draft
On Mon, Jun 23, 2014 at 10:28 AM, Devrim Gündüz <devrim@gunduz.org> wrote:

Hi,

On Wed, 2014-06-18 at 14:18 +0100, Nate wrote:
> I hope this is the right place to report. I had to make some changes
> to the file contexts in order to make Postgres 9.3 work in my
> environment (64-bit CentOS 6.5, SELinux)

I'm not surprised if there are more issues with SELinux, since my tests
never ever covered it, and I always disable SELinux :(

> Below is the pertinent output of semanage -o -:
>
> fcontext -a -f 'all files' -t postgresql_initrc_exec_t
> '/etc/rc\.d/init\.d/postgresql-9.3'
> fcontext -a -f 'all files' -t postgresql_exec_t '/usr/pgsql-9.3/bin/postgres'
> fcontext -a -f 'all files' -t postgresql_db_t '/var/lib/pgsql/9.3/data(/.*)?'
> fcontext -a -f 'all files' -t postgresql_log_t
> '/var/lib/pgsql/9.3/pgstartup\.log.*'
>
> My understanding of SELinux is rudimentary, so I may have missed some
> necessary rules, but these are the minimum that made it work in my
> environment. I believe this stems from the YUM packages not installing
> Postgres in the locations CentOS expects?

That is correct. CentOS expects them to be under /usr/bin
and /var/lib/pgsql/data. Our RPMs install them into a versioned directory.

I think we should add these to the spec file, so that people won't have
these issues later on.

Objections? Jeff?
Regards,
--
Devrim GÜNDÜZ
Principal Systems Engineer @ EnterpriseDB: http://www.enterprisedb.com
PostgreSQL Danışmanı/Consultant, Red Hat Certified Engineer
Twitter: @DevrimGunduz , @DevrimGunduzTR