Does SELinux check context on the whole directory hierarchy when making a
decision about permission to enter a directory? That is, when I try to
access /home/Data/pgsql, will it check the context on /home, then
/home/Data, and then on /home/Data/pgsql? Or will it only check the context
on /home/Data/pgsql?
I want to put a Postgres database in a /home/Data/pgsql/data directory, but
the initrc script will not run it there. I can run it as the postgres user.
The contexts mirror the /var/lib/pgsql/data directory:
user_u:object_r:postgres_db_t. The context of /home/Data/pgsql is
system_u:object_r:var_lib_t.
It does run fine with initrc in /var/lib/pgsql. When I leave the
pgstartup.log in /var/lib/pgsql, I see the errors below. It doesn't matter
whether the database is already initialized or not. The contexts for the
/home/Data/pgsql directory are listed below as well. /home/Data is
system_u:object_r:user_home_dir_t.
I don't see anything in /var/log/audit/audit.log, but I think dontaudit
rules may be in effect.
Does Fedora use the reference policy from Tresys exactly? If not, where can
I find the source policy for Fedora? All I can find are the if files.
Finally, are there any better references for SELinux? Everything I've read
seems dated.
Thanks,
Jim Young
pgstartup.log:
-------------------------
could not change directory to "/home/Data/pgsql"
initdb: could not access directory "/home/Data/pgsql/data": Permission denied
The files belonging to this database system will be owned by user
"postgres".
This user must also own the server process.
The database cluster will be initialized with locale en_US.UTF-8.
The default database encoding has accordingly been set to UTF8.
postmaster cannot access the server configuration file
"/home/Data/pgsql/data/postgresql.conf": Permission denied
could not change directory to "/home/Data/pgsql"
initdb: could not access directory "/home/Data/pgsql/data": Permission denied
The files belonging to this database system will be owned by user
"postgres".
This user must also own the server process.
The database cluster will be initialized with locale en_US.UTF-8.
The default database encoding has accordingly been set to UTF8.
postmaster cannot access the server configuration file
"/home/Data/pgsql/data/postgresql.conf": Permission denied
-----------
directory contexts:
-------------------------------
ls -Zd /home/Data/pgsql
drwx------ postgres postgres system_u:object_r:var_lib_t /home/Data/pgsql
ls -Z /home/Data/pgsql
drwx------ postgres postgres system_u:object_r:var_lib_t backups
drwx------ postgres postgres system_u:object_r:postgresql_db_t data
-rw------- postgres postgres system_u:object_r:postgresql_log_t pgstartup.log
ls -Z /home/Data/pgsql/data
drwx------ postgres postgres user_u:object_r:postgresql_db_t base
drwx------ postgres postgres user_u:object_r:postgresql_db_t global
drwx------ postgres postgres user_u:object_r:postgresql_db_t pg_clog
-rw------- postgres postgres user_u:object_r:postgresql_db_t pg_hba.conf
-rw------- postgres postgres user_u:object_r:postgresql_db_t pg_ident.conf
drwx------ postgres postgres user_u:object_r:postgresql_db_t pg_log
drwx------ postgres postgres user_u:object_r:postgresql_db_t pg_multixact
drwx------ postgres postgres user_u:object_r:postgresql_db_t pg_subtrans
drwx------ postgres postgres user_u:object_r:postgresql_db_t pg_tblspc
drwx------ postgres postgres user_u:object_r:postgresql_db_t pg_twophase
-rw------- postgres postgres user_u:object_r:postgresql_db_t PG_VERSION
drwx------ postgres postgres user_u:object_r:postgresql_db_t pg_xlog
-rw------- postgres postgres user_u:object_r:postgresql_db_t postgresql.conf
-rw------- postgres postgres user_u:object_r:postgresql_db_t postmaster.opts