Chris, please advise me how to overcome a small problem here. postgresql is started like this:

    start() {
        checkconfig || return 1
        ebegin "Starting PostgreSQL"
        if [ -f $PGDATA/postmaster.pid ]; then
            rm $PGDATA/postmaster.pid
        fi
        su - $PGUSER -c "/usr/bin/pg_ctl start -D '$PGDATA' -s -l '$PGLOG' -o '$PGOPTS'"

Is there a documented way of using su - from initrc_t? I've tried with su_restricted_domain(initrc, system), but I got in a dark corner given by:

    security_compute_sid: invalid context system_u:system_r:initrc_su_t for scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:su_exec_t tclass=process
    avc: denied { read write } for pid=14418 exe=/bin/su path=/dev/pts/0 dev=00:06 ino=2 scontext=system_u:system_r:initrc_su_t tcontext=prodan:object_r:sysadm_devpts_t tclass=chr_file
    avc: denied { ioctl } for pid=14418 exe=/bin/su path=/dev/pts/0 dev=00:06 ino=2 scontext=system_u:system_r:initrc_su_t tcontext=prodan:object_r:sysadm_devpts_t tclass=chr_file
    avc: denied { search } for pid=14418 exe=/bin/su name=postgresql dev=08:08 ino=129451 scontext=system_u:system_r:initrc_su_t tcontext=system_u:object_r:postgresql_db_t tclass=dir
    avc: denied { sigchld } for pid=14418 exe=/bin/su scontext=system_u:system_r:postgresql_t tcontext=system_u:system_r:initrc_su_t tclass=process
    avc: denied { sigchld } for pid=14418 exe=/bin/su scontext=system_u:system_r:postgresql_t tcontext=system_u:system_r:initrc_su_t tclass=process

Tested with postgresql-7.4.x for a few weeks in a permissive environment.
Created attachment 30237: file_contexts
Created attachment 30239: type enforcement
I'm not sure about this one, I haven't done anything special with su. It seems like you might need this:

    role system_r types initrc_su_t;
Hello. I added this to the .te, for obvious reasons:

    # if postgresql is configured to dump through syslogd to /var/log/postgresql.log
    allow syslogd_t postgresql_log_t:file rw_file_perms;

C-MoH
About the startup/shutdown of postgres... I've typed this at the bottom of the policy and it worked:

    su_restricted_domain(initrc, system)
    role system_r types initrc_su_t;
    allow initrc_su_t sysadm_devpts_t:chr_file { read write ioctl };
    allow initrc_su_t postgresql_db_t:dir { search };
    allow postgresql_t initrc_su_t:process sigchld;

C-MoH
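As an added illustration (not code from this bug report or from the policy), here is a small script that turns the AVC denials quoted in the first comment into the allow rules and the role statement posted above. The log text is constructed from those quoted lines; the mapping of a security_compute_sid "invalid context" line to a `role ... types ...;` statement follows the diagnosis given in this thread, not anything in audit2allow.

```python
import re
from collections import defaultdict

# Constructed sample: the denials quoted in the first comment of this bug.
AVC_LOG = """\
security_compute_sid: invalid context system_u:system_r:initrc_su_t for scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:su_exec_t tclass=process
avc: denied { read write } for pid=14418 exe=/bin/su path=/dev/pts/0 dev=00:06 ino=2 scontext=system_u:system_r:initrc_su_t tcontext=prodan:object_r:sysadm_devpts_t tclass=chr_file
avc: denied { ioctl } for pid=14418 exe=/bin/su path=/dev/pts/0 dev=00:06 ino=2 scontext=system_u:system_r:initrc_su_t tcontext=prodan:object_r:sysadm_devpts_t tclass=chr_file
avc: denied { search } for pid=14418 exe=/bin/su name=postgresql dev=08:08 ino=129451 scontext=system_u:system_r:initrc_su_t tcontext=system_u:object_r:postgresql_db_t tclass=dir
avc: denied { sigchld } for pid=14418 exe=/bin/su scontext=system_u:system_r:postgresql_t tcontext=system_u:system_r:initrc_su_t tclass=process
"""

AVC_RE = re.compile(
    r"avc: denied \{ (?P<perms>[^}]+) \} for .*?"
    r"scontext=(?P<src>\S+) tcontext=(?P<tgt>\S+) tclass=(?P<cls>\S+)"
)
# Not an AVC denial: the kernel refused to build the context because the role
# is not authorised for the type. That needs a role statement, not an allow rule.
INVALID_RE = re.compile(
    r"security_compute_sid: invalid context (?P<ctx>\S+) for .*?tclass=process"
)

def parse_avc(log):
    """Return ({(src_type, tgt_type, class): set(perms)}, [(role, type), ...])."""
    rules = defaultdict(set)
    missing_roles = []
    for line in log.splitlines():
        m = AVC_RE.search(line)
        if m:
            src = m.group("src").split(":")[2]   # user:role:type -> type
            tgt = m.group("tgt").split(":")[2]
            rules[(src, tgt, m.group("cls"))].update(m.group("perms").split())
            continue
        m = INVALID_RE.search(line)
        if m:
            _user, role, typ = m.group("ctx").split(":")[:3]
            missing_roles.append((role, typ))
    return dict(rules), missing_roles

def to_policy(rules, missing_roles):
    """Render .te lines: role statements first, then one allow rule per (src, tgt, class).
    Review each line before adding it to a policy; duplicate denials collapse into one rule."""
    out = [f"role {role} types {typ};" for role, typ in sorted(set(missing_roles))]
    for (src, tgt, cls), perms in sorted(rules.items()):
        out.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    return out

if __name__ == "__main__":
    print("\n".join(to_policy(*parse_avc(AVC_LOG))))
```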
Created attachment 40311: type enforcement

The CVS version of selinux-base-policy has all ingredients needed for the init script to run su. If you have the currently stable policy you will have to add

    #
    # These rules are here to allow init scripts to su
    #
    ifdef(`su.te', `
    su_restricted_domain(initrc,system)
    role system_r types initrc_su_t;
    ')
    allow initrc_t self:passwd rootok;

to a custom .te until the CVS version is rolled to stable.
in cvs