Hello Dan,

Your site has helped me understand more about SELINUX than I ever did before, and I appreciate your generosity.

I've been using Fedora since Core 3 for servers, running Postgresql databases for a tcp application. Core 3 was pretty solid, and Core 4 was okay; however, Core 5 has been an uphill climb.

I installed Core 5 on a new machine with Postgresql, sendmail, PHP - straight from the Fedora Core 5 DVD. The install goes well. I take my dumped postgresql database from the Core 4 machine, import into the new database of the Core 5 (according to the instructions from the Fedora site), reboot, and Postgresql fails to launch on boot up. Yesterday, I followed your links about using audit2allow and semodule in an effort to fix it, but the problem would not go away.

Thinking I'd erred somehow, I started with a fresh install early this morning, restored the database, rebooted, and the same messages appear in /var/log/messages:
Apr 6 07:56:21 vsi kernel: audit(1144324578.867:2): avc: denied { append } for pid=1816 comm="hostname" name="pgstartup.log" dev=dm-0 ino=14534786 scontext=system_u:system_r:hostname_t:s0 tcontext=system_u:object_r:postgresql_log_t:s0 tclass=file
Apr 6 07:56:21 vsi kernel: audit(1144324579.263:3): avc: denied { search } for pid=1830 comm="postmaster" name="pgsql" dev=dm-0 ino=5466913 scontext=system_u:system_r:postgresql_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir

In my pgstartup log:
postmaster cannot access the server configuration file "/data/pgsql/postgresql.conf": Permission denied

I don't get it, because the permissions are correct. Is this a bug with the new SELINUX?

Postgres policy expects its data to be in /var/lib/pgsql/data

which would be labeled system_u:object_r:postgresql_db_t:s0

You could either mount your /data at this point or do a

chcon -R -t postgresql_db_t /data

Then, to make this permanent, i.e. survive a relabel, you need to change the local file context.

semanage fcontext -a -t postgresql_db_t "/data(/.*)?"

Thanks, Mr. Walsh!

That has solved my dilemma. There don't appear to be too many posts about this. I look forward to your book!

Hi, I would like to know how to completely remove ALL file labels created by SELinux:
I've been encountering problems installing software on FC5, but it works on RH9 & FC4!!

FC4 file label: system_u:object_r:etc_t
FC5 file label: system_u:object_r:etc_t:s0

On regular files these labels no longer exist.. I'm thinking this could be the source of my problems. Some questions below:

1. Would taking out all labels have any significant effect on the system?
2. How do I remove all labels on files and folders? (chcon syntax, e.g. chcon -t label -h)
3. What does the s0 label mean (see above FC5 file label)?

* SElinux has been completely disabled on grub.conf and /etc/selinux/config

Re: SELinux labels

(Anonymous)
1. As far as I know, labels are an SELinux mechanism and you can't remove them. You can disable the SELinux system itself and all security-related mechanisms will go away. I am not sure you want to go that way though.

2. Again, you cannot remove labels; they are part of the SELinux system. However, you can change them to whatever fits your security model.

3. Those are levels of security; read Dan's earlier article.

multiple contexts

I have a file that needs to be read by both apache and sendmail. What can I do?

Re: multiple contexts

Simplest way would be to just add the allow rules to allow sendmail_t or system_mail_t to read httpd_sys_content_t.

grep sendmail /var/log/audit/audit.log | grep http | audit2allow -M mysendmail
semodule -i mysendmail.pp

This would allow all the access that sendmail requested when looking at apache content.

Multiple DB on a file system

Dan,

I want to put multiple databases (Postgres, MySQL, etc.) on a file system as a test (/db/postgres/data, /db/mysql/...), but with selinux and the above info I can only do one. How is it possible to put multiple db's on / when its context is root_t? Is there something magical about root_t that can only be used on /? Are there group contexts that can contain other contexts, say a db_root_t that contains postgresql_db_t and mysql_db_t (or whatever it uses)?

Thanks!

Edward

Re: Multiple DB on a file system

No, this is actually a simple labelling issue.

I would set this up by labeling /db as var_t and then each directory with its postgres and mysql label.

# semanage fcontext -a -t var_t '/db(/.*)?'
# semanage fcontext -a -t postgresql_db_t '/db/postgresql(/.*)?'
# semanage fcontext -a -t mysql_db_t '/db/mysql(/.*)?'
# restorecon -R -v /db
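Both replies above rely on restorecon picking the most specific semanage fcontext rule for a path. As an added illustration (not from the blog or from any SELinux tool), this POSIX sh script emulates that selection over a constructed rule table: it approximates libselinux's file_contexts ordering as "longest literal stem wins, later entry wins a tie", and it includes a constructed `/.*` catch-all to show why an unlisted path such as /data/pgsql ends up as default_t, as in the first comment's avc denial.

```shell
#!/bin/sh
# Constructed rule table (regex|type), in the order the replies above add them.
# The first line stands in for the distribution's catch-all; real file_contexts
# files are longer and live under /etc/selinux/<policy>/contexts/files/.
RULES='/.*|default_t
/db(/.*)?|var_t
/db/postgresql(/.*)?|postgresql_db_t
/db/mysql(/.*)?|mysql_db_t'

# stem_of REGEX: the literal path prefix before the first regex metacharacter.
stem_of() {
  printf '%s' "$1" | sed 's/[.^$?*+|()[{\\].*$//'
}

# label_for PATH: the type restorecon would apply under RULES.
# Assumption: longest stem wins; among equal stems the later entry wins.
label_for() {
  path=$1
  best=''
  bestlen=-1
  while IFS='|' read -r re type; do
    [ -n "$re" ] || continue
    # Anchor the regex exactly as file_contexts matching does.
    if printf '%s\n' "$path" | grep -Eq "^$re"'$'; then
      stem=$(stem_of "$re")
      len=${#stem}
      if [ "$len" -ge "$bestlen" ]; then
        best=$type
        bestlen=$len
      fi
    fi
  done <<EOF
$RULES
EOF
  printf '%s\n' "$best"
}

# Walk a few constructed paths and show the winning type for each.
for p in /db /db/backups/dump.sql /db/postgresql/data/postgresql.conf \
         /db/mysql/ibdata1 /data/pgsql/postgresql.conf; do
  printf '%-40s %s\n' "$p" "$(label_for "$p")"
done
```

Compare the output with `matchpathcon <path>` (or `restorecon -n -v`) on a real FC5 box once the semanage rules are in place; the emulation only covers the rules in its own table.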

Error setting value in selinux label

Hi,

Thank you for the good post.
I am getting an error when trying to modify the selinux context for a file

"chcon: can't apply partial context to unlabeled file `pre-commit'"

Running the "ls -Z" command, I understand why:

-rwxr-x--x apache apache ? pre-commit

but I don't know how this happened and I have no idea how to fix it.

Can you please explain?


Re: Error setting value in selinux label

What is the chcon command you are using?
