Re: Postgres 9.3 and SELinux

From: Markus Nussdorfer <markus(dot)nussdorfer(at)5th-exotic(dot)com>
To: pgsql-pkg-yum(at)postgresql(dot)org
Subject: Re: Postgres 9.3 and SELinux
Date: 2014-06-24 23:04:56
Message-ID: CAGWNuK08-wHYptw1S1JgsMz_V51htArCQD4VEmJODyKj0hkABg@mail.gmail.com
Lists: pgsql-pkg-yum

Hi

As we also need to activate SELinux for Postgres, since we must have it
enabled on our machines, this sounds like a great idea to finally get
that topic started.

Looking into the list of fcontexts and booleans, there might be more to
consider.

# semanage fcontext -l|grep postgres
/etc/postgresql(/.*)?                          all files     system_u:object_r:postgresql_etc_t:s0
/etc/rc\.d/init\.d/(se)?postgresql             regular file  system_u:object_r:postgresql_initrc_exec_t:s0
/etc/sysconfig/pgsql(/.*)?                     all files     system_u:object_r:postgresql_etc_t:s0
/usr/bin/(se)?postgres                         regular file  system_u:object_r:postgresql_exec_t:s0
/usr/bin/initdb(\.sepgsql)?                    regular file  system_u:object_r:postgresql_exec_t:s0
/usr/lib(64)?/pgsql/test/regress(/.*)?         all files     system_u:object_r:postgresql_db_t:s0
/usr/lib(64)?/pgsql/test/regress/pg_regress    regular file  system_u:object_r:postgresql_exec_t:s0
/usr/lib(64)?/postgresql/bin/.*                regular file  system_u:object_r:postgresql_exec_t:s0
/usr/share/jonas/pgsql(/.*)?                   all files     system_u:object_r:postgresql_db_t:s0
/var/lib/pgsql(/.*)?                           all files     system_u:object_r:postgresql_db_t:s0
/var/lib/pgsql/data(/.*)?                      all files     system_u:object_r:postgresql_db_t:s0
/var/lib/pgsql/logfile(/.*)?                   all files     system_u:object_r:postgresql_log_t:s0
/var/lib/pgsql/pgstartup\.log.*                all files     system_u:object_r:postgresql_log_t:s0
/var/lib/postgres(ql)?(/.*)?                   all files     system_u:object_r:postgresql_db_t:s0
/var/lib/sepgsql(/.*)?                         all files     system_u:object_r:postgresql_db_t:s0
/var/lib/sepgsql/pgstartup\.log.*              regular file  system_u:object_r:postgresql_log_t:s0
/var/log/postgres\.log.*                       regular file  system_u:object_r:postgresql_log_t:s0
/var/log/postgresql(/.*)?                      all files     system_u:object_r:postgresql_log_t:s0
/var/log/rhdb/rhdb(/.*)?                       all files     system_u:object_r:postgresql_log_t:s0
/var/log/sepostgresql\.log.*                   regular file  system_u:object_r:postgresql_log_t:s0
/var/run/postgresql(/.*)?                      all files     system_u:object_r:postgresql_var_run_t:s0

# getsebool -a|grep postgres
allow_user_postgresql_connect --> off
postgresql_can_rsync --> off

The last boolean actually keeps me from switching to enforcing :(

I haven't checked the transitions and possible other points affected.

It might be a good idea to create a separate sub-package, as it keeps the
dependencies cleaner, as described under
https://fedoraproject.org/wiki/SELinux_Policy_Modules_Packaging_Draft

As the whole topic is on my task list for the near future anyway, I am
happy to help on that topic.

Cheers
Markus

On Mon, Jun 23, 2014 at 10:28 AM, Devrim Gündüz <devrim(at)gunduz(dot)org> wrote:

>
> Hi,
>
> On Wed, 2014-06-18 at 14:18 +0100, Nate wrote:
> > I hope this is the right place to report. I had to make some changes
> > to the file contexts in order to make Postgres 9.3 work in my
> > environment (64-bit CentOS 6.5, SELinux)
>
> I'm not surprised if there are more issues with SELinux, since my tests
> never ever covered it, and I always disable SELinux :(
>
> > Below is the pertinent output of semanage -o -:
> >
> > fcontext -a -f 'all files' -t postgresql_initrc_exec_t '/etc/rc\.d/init\.d/postgresql-9.3'
> > fcontext -a -f 'all files' -t postgresql_exec_t '/usr/pgsql-9.3/bin/postgres'
> > fcontext -a -f 'all files' -t postgresql_db_t '/var/lib/pgsql/9.3/data(/.*)?'
> > fcontext -a -f 'all files' -t postgresql_log_t '/var/lib/pgsql/9.3/pgstartup\.log.*'
> >
> > My understanding of SELinux is rudimentary, so I may have missed some
> > necessary rules, but these are the minimum that made it work in my
> > environment. I believe this stems from the YUM packages not installing
> > Postgres in the locations CentOS expects?
>
> That is correct. CentOS expects them to be under /usr/bin
> and /var/lib/pgsql/data. Our RPMs install them into versioned directory.
>
> I think we should add these to spec file, so that people won't have
> these issues later on.
>
> Objections? Jeff?
>
> Regards,
>
>
> --
> Devrim GÜNDÜZ
> Principal Systems Engineer @ EnterpriseDB: http://www.enterprisedb.com
> PostgreSQL Danışmanı/Consultant, Red Hat Certified Engineer
> Twitter: @DevrimGunduz , @DevrimGunduzTR
>
>

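The four fcontext rules Nate posted, as a script that generates them for any PGDG major version, applies them and checks the resulting labels. This is an added example for this thread, not code from the PGDG RPMs or their spec file; the function names are my own, and it assumes policycoreutils (semanage, restorecon, matchpathcon) is installed and that the apply step runs as root. Unlike Nate's export it escapes the dot in the version ("9\.3"), and it passes no -f, which leaves the rule at the "all files" default his export showed without depending on the -f syntax of a particular policycoreutils release.

```sh
#!/bin/sh
# Added example for this thread; not code from the PGDG RPMs or their spec file.
# Generates the SELinux file-context rules a versioned PGDG layout
# (/usr/pgsql-X.Y, /var/lib/pgsql/X.Y) needs, mirroring the four rules Nate
# posted, and can apply them (root) and check the result with matchpathcon.
# Assumptions (mine, not the page's): policycoreutils with semanage,
# restorecon and matchpathcon is installed; function names are my own.

# Escape the dots in a version string for use in a file-context regex:
# "9.3" -> "9\.3", so the rule cannot also match e.g. "postgresql-9x3".
pg_version_regex() {
    printf '%s' "$1" | sed 's/\./\\./g'
}

# Print one "semanage fcontext -a -t TYPE 'REGEX'" command.  No -f is given,
# so the rule applies to all file types, as Nate's -o export showed
# ("-f 'all files'"); the spelling of -f differs between policycoreutils releases.
pg_emit_rule() {
    printf "semanage fcontext -a -t %s '%s'\n" "$1" "$2"
}

# One command per line for PostgreSQL major version $1 (e.g. 9.3).
pg_fcontext_rules() {
    rx=$(pg_version_regex "$1")
    pg_emit_rule postgresql_initrc_exec_t "/etc/rc\\.d/init\\.d/postgresql-$rx"
    pg_emit_rule postgresql_exec_t        "/usr/pgsql-$rx/bin/postgres"
    pg_emit_rule postgresql_db_t          "/var/lib/pgsql/$rx/data(/.*)?"
    pg_emit_rule postgresql_log_t         "/var/lib/pgsql/$rx/pgstartup\\.log.*"
}

# Register the rules in the local policy store and relabel what is already on
# disk: semanage only changes the default label, restorecon applies it.
pg_fcontext_apply() {
    ver="$1"
    if ! command -v semanage >/dev/null 2>&1; then
        echo "semanage not found (install policycoreutils-python)" >&2
        return 2
    fi
    pg_fcontext_rules "$ver" | sh -e || return 1
    restorecon -Rv "/etc/rc.d/init.d/postgresql-$ver" \
                   "/usr/pgsql-$ver/bin/postgres" \
                   "/var/lib/pgsql/$ver"
}

# Ask the policy which label each path would get; nothing on disk is touched.
pg_fcontext_check() {
    ver="$1"
    matchpathcon "/etc/rc.d/init.d/postgresql-$ver" \
                 "/usr/pgsql-$ver/bin/postgres" \
                 "/var/lib/pgsql/$ver/data/base" \
                 "/var/lib/pgsql/$ver/pgstartup.log"
}

# Usage: sh pg_fcontext.sh rules|apply|check [major-version]
case "${1:-}" in
    rules) pg_fcontext_rules "${2:-9.3}" ;;
    apply) pg_fcontext_apply "${2:-9.3}" ;;
    check) pg_fcontext_check "${2:-9.3}" ;;
esac
```

Two things worth knowing before putting this into a %post scriptlet: `semanage fcontext -a` fails on a rule that is already defined, so a re-run needs `-m` (or `-d` first); and of the four rules, the ones that actually change anything are the init script and `/usr/pgsql-9.3/bin/postgres`, since nothing in the stock policy listed above matches those paths, and without `postgresql_exec_t` on the binary there is no domain transition to `postgresql_t`, so the server keeps running in the init script's domain and the postgresql policy and booleans never apply to it. `/var/lib/pgsql/9.3/data` is already covered by the stock `/var/lib/pgsql(/.*)?` rule, so that entry is belt and braces; the `pgstartup.log` rule is what moves the log from `postgresql_db_t` to `postgresql_log_t`.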