LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 01-29-2013, 02:14 PM   #1
Jaceppe6
LQ Newbie
 
Registered: Aug 2010
Posts: 2

Rep: Reputation: 1
SELinux and postgres


Hi all,

I am having trouble with SELinux and postgresql. I am running Fedora 17 (Beefy Miracle) and PostgreSQL 9.1.6. For my system I am required to remove the 'postgres' user as being the owner of all the DB files as well as the DB superuser. I have created [anotheruser] and have been able to accomplish most of that by making modifications to postgresql.conf (et al.). I can get that modified service to start by:

'systemctl enable [another].service'

Which starts up the postgres server processes as [anotheruser] and pointing to the directory I specified when I ran 'initdb' as [anotheruser] rather than the default of /var/lib/pgsql ...


However, one of the standard places postgres wants to create sockets for local unix connections is in '/var/run/postgresql'. In my modifications above I had postgresql.conf point to [another/socket/dir] rather than the default. This works... except for SELinux. Applications like pgadmin and psql and ruby/rails attempt to connect to the postgresql server at the default location and NOT the one I specify in postgresql.conf. I can make a symbolic link:

ln -s [another/socket/dir] /var/run/postgresql

and this will allow those apps to connect properly <-- however, this link does not survive a reboot due to SELinux policy <-- at reboot the policy keeps changing the directory back to:

ls -altdZ /var/run/postgresql
[result]
drwxr-xr-x. postgres postgres system_u:object_r:postgresql_var_run_t:s0 /var/run/postgresql

...so, my link to [another/socket/dir] gets crushed each reboot. I am completely green with SELinux policy and am struggling with selinux commands like "semanage fcontext" and "semodule" and so on and simply am lost at how to eliminate this policy (or modify it) so that SELinux leaves the /var/run/postgresql directory alone.

Any hints as to the proper direction are appreciated.

Thanks

James White
 
Old 01-29-2013, 04:39 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,953
Blog Entries: 54

Rep: Reputation: 2733
If it's SELinux then you should be able to show us relevant audit.log output. Then again SELinux doesn't "change things" on its own, for example if contexts change then it'll be the restorecon service which makes the changes. IIRC /var/run is a tmpfs these days so anything that populates it (or doesn't) picks up (or should) changes on boot or runlevel change (sorry, that's "target change"). So my first thought would be it's related to systemd and getting it to display debug output could verify that. Listing the actual changes you made could provide people with more details BTW.
 
1 members found this post helpful.
Old 01-30-2013, 07:39 PM   #3
Jaceppe6
LQ Newbie
 
Registered: Aug 2010
Posts: 2

Original Poster
Rep: Reputation: 1
selinux postgres solved (was actually systemd-tmpfiles)

unSpawn,

Thank you for your response; and you were correct on your 1st thought... it was systemd. After reading your post I did some more searching around and found /etc/systemd/system.conf and set LogLevel=debug. Then, on reboot looked in journalctl and saw "About to execute systemd-tmpfiles -create -delete" and followed the bread crumbs until I found /usr/lib/tmpfiles.d. One of the .conf files in that dir was specifying /var/run/postgresql to be created afresh on reboot. I think what got me erroneously looking at selinux was that I saw an fcontext for "/var/run/postgresql(/.*)?" when I used the semanage command to list fcontexts, and, since I am so green on selinux went the wrong way in my investigation. Thanks again for your help...

James White
 
1 members found this post helpful.
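The resolution above comes down to knowing which tmpfiles.d entry recreates a path at boot and how the tmpfiles.d precedence rules let an administrator override it. The script below is an added example written for this thread, not code from either poster: it scans tmpfiles.d directories in the same order systemd-tmpfiles uses (/etc, then /run, then /usr/lib), applies the rule that a file of the same name in an earlier directory masks the later one (an empty file or a symlink to /dev/null masks an entry entirely), and reports the entry whose path field matches. The sample configuration tree it builds is constructed for the example; the user name anotheruser is the placeholder from the original post.

```shell
#!/bin/sh
# Added example (not from the thread): find the systemd-tmpfiles entry that
# recreates a path at boot, honouring tmpfiles.d precedence and masking.

# tmpfiles_owner PATH [DIR...]
# Prints "conf-file:line: entry" for every entry whose path field equals PATH.
# Directories are scanned in precedence order (default: /etc, /run, /usr/lib);
# a file name already seen in an earlier directory masks the same name later,
# which is how an /etc/tmpfiles.d override (or an empty file / symlink to
# /dev/null) takes effect. Returns 0 if an entry was found, 1 otherwise.
tmpfiles_owner() {
    target=$1
    shift
    [ $# -gt 0 ] || set -- /etc/tmpfiles.d /run/tmpfiles.d /usr/lib/tmpfiles.d
    seen=" "
    found=1
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for conf in "$dir"/*.conf; do
            [ -e "$conf" ] || continue              # no *.conf in this directory
            name=${conf##*/}
            case "$seen" in *" $name "*) continue ;; esac   # masked by earlier dir
            seen="$seen$name "
            # Entry format: Type Path [Mode User Group Age Argument]; '#' is a comment.
            hit=$(awk -v t="$target" '
                /^[ \t]*(#|$)/ { next }
                $2 == t { printf "%s:%d: %s\n", FILENAME, FNR, $0 }' "$conf")
            if [ -n "$hit" ]; then
                printf '%s\n' "$hit"
                found=0
            fi
        done
    done
    return $found
}

# make_sample_tree ROOT
# Constructed sample mirroring the thread: the distro file under usr/lib creates
# /var/run/postgresql owned by postgres, and an admin override with the same
# file name under etc takes precedence and assigns the directory to anotheruser.
make_sample_tree() {
    root=$1
    mkdir -p "$root/etc/tmpfiles.d" "$root/usr/lib/tmpfiles.d"
    printf 'd /var/run/postgresql 0755 postgres postgres -\n' \
        > "$root/usr/lib/tmpfiles.d/postgresql.conf"
    printf 'd /run/lock/subsys 0755 root root -\n' \
        > "$root/usr/lib/tmpfiles.d/legacy.conf"
    printf '# override: same file name masks the usr/lib copy\n' \
        > "$root/etc/tmpfiles.d/postgresql.conf"
    printf 'd /var/run/postgresql 0755 anotheruser anotheruser -\n' \
        >> "$root/etc/tmpfiles.d/postgresql.conf"
}

# Stand-alone demonstration against the constructed tree.
demo_root=$(mktemp -d)
make_sample_tree "$demo_root"
tmpfiles_owner /var/run/postgresql \
    "$demo_root/etc/tmpfiles.d" "$demo_root/usr/lib/tmpfiles.d"
rm -rf "$demo_root"
```

On a real system, run `tmpfiles_owner /var/run/postgresql` with no directory arguments to see which shipped file owns the entry; to change the owner of the directory without touching the package file, copy that file to /etc/tmpfiles.d under the same name and edit the user and group fields, which survives package upgrades. The fcontext the original poster found, "/var/run/postgresql(/.*)?", is what keeps the recreated directory labelled postgresql_var_run_t; if the socket directory is relocated, the equivalent for the new path is to register that label for it with `semanage fcontext -a -t postgresql_var_run_t` and apply it with `restorecon`, rather than removing or disabling the policy.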
Old 01-31-2013, 11:05 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,953
Blog Entries: 54

Rep: Reputation: 2733
Likewise thanks for posting your solution!