Please be so kind and modify all current and future postgresql ebuilds so that they contain IUSE="selinux" and RDEPEND="selinux? ( sec-policy/selinux-postgresql )". This is needed in order for your package to function normally in a SELinux environment.
fixed in CVS
I don't think postgresql works properly in a SELinux environment by only adding the dependency. So, I've not added it so far. Does it work in your environment?
Yes, I use it on a few production servers. The differences between our policy and the upstream one are minimal: http://dev.gentoo.org/~kaiowas/patches/nsa_policy/selinux-postgresql.diff I just dodge a boolean and replace it with a tunable. What problem do you encounter when using it with selinux?
I couldn't create a database using the ebuild. I couldn't start postgresql as the postgres user. (It's working when I made the database manually and started it as the root user.) I didn't have enough time to find out why. But it might be because there is no postgres user listed in the shadow file. Do you have any idea? (I'm reopening this bug.)
please send me avc denies and the exact steps that you make. if you start it using the init script (the only supported way), it works:

    passage root # /etc/init.d/postgresql start
    Authenticating prodan.
    Password:
     * Starting PostgreSQL... [ ok ]
    passage root # grep -i user /etc/conf.d/postgresql
    # Logfile path: (NOTE: This must be uid/gid owned by the value of $PGUSER!)
    # Run the PostgreSQL user as:
    PGUSER=postgres
    passage root # ps ax -ouser -ocommand |grep post
    postgres /usr/bin/postmaster -D /var/lib/postgresql/data
    postgres postgres: stats buffer process
    postgres postgres: stats collector process
    passage policy # cat /selinux/enforce
    1passage policy #
    passage root # echo 0 > /selinux/enforce
    passage root # grep postgres /etc/shadow
    postgres:!:12479:0:99999:7:::
I don't have a selinux environment at the moment. I will install it in a few weeks, so please wait.
I'm not sure what the issue is here. I'm using the policy on 3 enforcing servers. Plus, the policy is not that different from the upstream version. See http://dev.gentoo.org/~kaiowas/patches/ for diffs. If anyone happens to find a problem with the policy, please open up a new bug report and assign it to selinux@gentoo.org or to me directly. Closing.
closing with FIXED