
Jaceppe6 01-29-2013 03:14 PM

SELinux and postgres
Hi all,

I am having trouble with SELinux and postgresql. I am running Fedora 17 (Beefy Miracle) and PostgreSQL 9.1.6. For my system I am required to remove the 'postgres' user as being the owner of all the DB files as well as the DB superuser. I have created [anotheruser] and have been able to accomplish most of that by making modifications to postgresql.conf. I can get that modified service to start by:

'systemctl enable [another].service'

which starts up the postgres server processes as [anotheruser], pointing to the directory I specified when I ran 'initdb' as [anotheruser] rather than the default of /var/lib/pgsql ...

However, one of the standard places postgres wants to create sockets for local unix connections is in '/var/run/postgresql'. In my modifications above I had postgresql.conf point to [another/socket/dir] rather than the default. This works... except for SELinux. Applications like pgadmin and psql and ruby/rails attempt to connect to the postgresql server at the default location and NOT the one I specify in postgresql.conf. I can make a symbolic link:

ln -s [another/socket/dir] /var/run/postgresql

and this will allow those apps to connect properly. However, this link does not survive a reboot due to SELinux policy: at reboot the policy keeps changing the directory back to:

ls -altdZ /var/run/postgresql
drwxr-xr-x. postgres postgres system_u:object_r:postgresql_var_run_t:s0 /var/run/postgresql

My link to [another/socket/dir] gets crushed each reboot. I am completely green with SELinux policy and am struggling with SELinux commands like "semanage fcontext" and "semodule" and so on, and simply am lost at how to eliminate this policy (or modify it) so that SELinux leaves the /var/run/postgresql directory alone.

Any hints as to the proper direction are appreciated.


James White

unSpawn 01-29-2013 05:39 PM

If it's SELinux then you should be able to show us relevant audit.log output. Then again SELinux doesn't "change things" on its own, for example if contexts change then it'll be the restorecon service which makes the changes. IIRC /var/run is a tmpfs these days so anything that populates it (or doesn't) picks up (or should) changes on boot or runlevel change (sorry, that's "target change"). So my first thought would be it's related to systemd and getting it to display debug output could verify that. Listing the actual changes you made could provide people with more details BTW.

Jaceppe6 01-30-2013 08:39 PM

selinux postgres solved (was actually systemd-tmpfiles)

Thank you for your response; and you were correct on your first thought... it was systemd. After reading your post I did some more searching around and found /etc/systemd/system.conf and set LogLevel=debug. Then, on reboot, I looked in journalctl and saw "About to execute systemd-tmpfiles -create -delete" and followed the bread crumbs until I found /usr/lib/tmpfiles.d. One of the .conf files in that dir was specifying /var/run/postgresql to be created afresh on reboot. I think what got me erroneously looking at SELinux was that I saw an fcontext for "/var/run/postgresql(/.*)?" when I used the semanage command to list fcontexts, and, since I am so green on SELinux, I went the wrong way in my investigation. Thanks again for your help...

James White
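A way to check which tmpfiles.d entry owns /var/run/postgresql and to override it from /etc/tmpfiles.d instead of editing the file under /usr/lib, as an added example (not code from the thread or from Fedora's packages); the vendor file name postgresql.conf, the socket directory /another/socket/dir and the choice of an L (symlink) line are assumptions:

```sh
# Added example, not from the thread. Resolves which tmpfiles.d line manages a
# path the way systemd-tmpfiles does (a file in /etc/tmpfiles.d replaces the
# whole file of the same name in /run/ and /usr/lib/), then writes an /etc
# override. Everything runs under a constructed root, so the system is untouched.

# List the configuration files systemd-tmpfiles would actually read.
effective_tmpfiles() {
    root=$1
    for f in "$root"/usr/lib/tmpfiles.d/*.conf "$root"/run/tmpfiles.d/*.conf \
             "$root"/etc/tmpfiles.d/*.conf; do
        [ -f "$f" ] || continue
        name=${f##*/}
        for d in etc run usr/lib; do          # highest precedence first
            if [ -f "$root/$d/tmpfiles.d/$name" ]; then
                echo "$root/$d/tmpfiles.d/$name"; break
            fi
        done
    done | sort -u
}

# Print "file: line" for every effective entry whose Path column is $2.
tmpfiles_entries_for() {
    root=$1; target=$2
    effective_tmpfiles "$root" | while read -r f; do
        awk -v p="$target" -v src="${f#"$root"}" \
            '!/^[[:space:]]*(#|$)/ && $2 == p { print src ": " $0 }' "$f"
    done
}

# Write an /etc override named like the vendor file (name assumed). It replaces
# the vendor file completely, so any vendor lines still wanted must be copied in.
write_socket_override() {
    root=$1; name=$2; linkdir=$3
    mkdir -p "$root/etc/tmpfiles.d"
    printf 'L /var/run/postgresql - - - - %s\n' "$linkdir" \
        > "$root/etc/tmpfiles.d/$name"
}

demo() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/lib/tmpfiles.d"
    # Constructed stand-in for the vendor entry the thread tracked down.
    printf 'd /var/run/postgresql 0755 postgres postgres -\n' \
        > "$root/usr/lib/tmpfiles.d/postgresql.conf"
    echo "before override:"; tmpfiles_entries_for "$root" /var/run/postgresql
    write_socket_override "$root" postgresql.conf /another/socket/dir
    echo "after override:";  tmpfiles_entries_for "$root" /var/run/postgresql
    rm -rf "$root"
}
demo
```

On a real system, running `systemd-tmpfiles --create` after writing the override applies it without waiting for a reboot.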

unSpawn 01-31-2013 12:05 PM

Likewise thanks for posting your solution!
