postgresql copy to and selinux (CentOS mailing list, archived at http://www.linux-archive.org/centos/403386-postgresql-copy-selinux.html)

Marcelo Roccasalva 07-23-2010 08:50 PM

postgresql copy to and selinux
 
I need to run a "copy table to '/home/user/dir/copy.txt';" but I get
permission denied. Filesystem dir modes are ok and I get no event
logged in audit.log, but if I setenforce 0, I can do the copy. This
explains auditd silence:

# sesearch --audit |egrep postgres.*home
dontaudit postgresql_t user_home_dir_t : dir { getattr search };
dontaudit postgresql_t home_root_t : dir { getattr search };

I changed the "dir" type to tmpfs_t and I could write with "copy" but
not with "copy".

Anyway, what are the best practices to allow postgresql "copy to" a
subdirectory of a home directory (without disabling selinux)? I'm
running centos 5.5.

--
Marcelo

"Could it be that this modern life has more of modern in it than
of life?" (Mafalda)
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Gordon Messmer 07-25-2010 05:09 PM

postgresql copy to and selinux
 
On 07/23/2010 01:50 PM, Marcelo Roccasalva wrote:
> Anyway, what are the best practices to allow postgresql "copy to" a
> subdirectory of a home directory (without disabling selinux)? I'm
> running centos 5.5.

The first thing you'll want to do is enable auditing. One of the items
in Fedora's SELinux FAQ
(http://docs.fedoraproject.org/en-US/Fedora/13/html/SELinux_FAQ/)
indicates that you'd do so with:
# semodule -b /usr/share/selinux/targeted/enableaudit.pp

Once auditing is enabled, make sure SELinux is in permissive mode.
Start watching the audit log for your denial messages:
# tail -f /var/log/audit/audit.log

Ask the SQL server to "copy to" a denied location again. When it
completes, use Ctrl+C to cancel the log "tail" and then re-enable the
standard "dontaudit" rules:
# semodule -b /usr/share/selinux/targeted/base.pp

Now that you have the audit logs that correspond to the denial which
you'd like to reverse, you can create a new module to allow that
access. Use "audit2allow" to create the module. You can name the
module whatever you like. Paste the lines from audit.log which
correspond to the access you'd like to allow. When finished, use Ctrl+D
to indicate the end of input:
# audit2allow -M allowPostToHome
> paste logs
> Ctrl+D

audit2allow will create a module source file called allowPostToHome.te
and then compile it to a file called allowPostToHome.pp. It will
indicate that you need to load the module file with semodule, which
you'll need to do:
# semodule -i allowPostToHome.pp

After that, PostgreSQL should be able to perform the action which was
previously denied, but still retain other aspects of its SELinux
configuration. Once the module is loaded, the policy has been changed.
semodule will also copy the module file to a location where it will be
loaded on future system boots so that it remains active.
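The workflow above feeds audit.log records to audit2allow by hand. The script below is an added example, not code from the thread or from the policycoreutils project: it selects only the AVC denials whose source domain is postgresql_t before they reach audit2allow, so a module built while the dontaudit rules are disabled does not also grant unrelated denials logged in the same window. The sample audit records, the file path and the --build switch are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: pick out only the AVC denials that belong
# to the PostgreSQL domain before handing them to audit2allow, so the module
# does not also grant the unrelated denials that get logged while the
# dontaudit rules are disabled. Paths and sample records are constructed.

# Print the "avc: denied" records from an audit log whose source context is
# the given SELinux domain (default postgresql_t).
select_avcs() {
    log="$1"
    domain="${2:-postgresql_t}"
    grep 'avc: *denied' "$log" | grep "scontext=[^ ]*:${domain}:"
}

# Number of matching records, for a sanity check before building a module.
count_avcs() {
    select_avcs "$1" "$2" | wc -l | tr -d ' '
}

# The thread's workflow on the filtered records. Needs root and the
# policycoreutils tools; run explicitly, then read the generated .te
# before loading it with semodule.
build_module() {
    select_avcs "$1" postgresql_t | audit2allow -M allowPostToHome
    echo "inspect allowPostToHome.te, then: semodule -i allowPostToHome.pp"
}

# Constructed sample log: two postgresql_t denials against a home directory
# and one sshd_t denial that must stay out of the PostgreSQL module.
SAMPLE_LOG="${TMPDIR:-/tmp}/sample_audit.$$"
cat > "$SAMPLE_LOG" <<'EOF'
type=AVC msg=audit(1279925000.123:45): avc:  denied  { search } for  pid=4321 comm="postmaster" name="user" dev=dm-0 ino=12345 scontext=user_u:system_r:postgresql_t:s0 tcontext=user_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1279925000.456:46): avc:  denied  { write } for  pid=4321 comm="postmaster" name="dir" dev=dm-0 ino=12346 scontext=user_u:system_r:postgresql_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1279925001.789:47): avc:  denied  { read } for  pid=999 comm="sshd" name="authorized_keys" dev=dm-0 ino=555 scontext=system_u:system_r:sshd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
EOF

if [ "$1" = "--build" ]; then
    build_module "$SAMPLE_LOG"
else
    echo "postgresql_t denials in $SAMPLE_LOG: $(count_avcs "$SAMPLE_LOG")"
fi
```

Without --build the script only reports how many postgresql_t denials it found; with --build it runs the audit2allow step on the filtered records so the resulting .te can be checked before semodule -i.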
