Bug 79747 - dev-db/postgresql needs RDEPEND on selinux
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All All
Importance: High normal
Assignee: PgSQL Bugs
Reported: 2005-01-27 09:49 UTC by petre rodan (RETIRED)
Modified: 2007-09-22 23:24 UTC (History)
Description petre rodan (RETIRED) gentoo-dev 2005-01-27 09:49:09 UTC
please be so kind and modify all current and future postgresql ebuilds so that they contain

IUSE="selinux"

and

RDEPEND="selinux? ( sec-policy/selinux-postgresql )"

this is needed in order for your package to function normally in a SELinux environment.
Comment 1 petre rodan (RETIRED) gentoo-dev 2005-02-24 13:01:06 UTC
fixed in CVS
Comment 2 Masatomo Nakano (RETIRED) gentoo-dev 2005-02-24 13:44:06 UTC
I don't think postgresql works properly in a SELinux environment by only adding the dependency. So, I've not added it so far.

Does it work in your environment?
Comment 3 petre rodan (RETIRED) gentoo-dev 2005-02-24 23:15:00 UTC
yes, I use it on a few production servers.

the differences between our policy and the upstream one are minimal
http://dev.gentoo.org/~kaiowas/patches/nsa_policy/selinux-postgresql.diff
I just dodge a boolean and replace it with a tunable.

what problem do you encounter when using it with selinux?
Comment 4 Masatomo Nakano (RETIRED) gentoo-dev 2005-02-25 08:01:44 UTC
I couldn't create database using the ebuild.
I couldn't start postgresql as postgres user.
(It's working when I made database manually and started it as root user)

I didn't have enough time to find out why.
But it might be because there is no postgres user listed in the shadow file.

Do you have any idea?

(I'm reopening this bug.)
Comment 5 petre rodan (RETIRED) gentoo-dev 2005-02-25 08:40:56 UTC
please send me avc denies and the exact steps that you make

if you start it using the init script (the only supported way), it works:

passage root # /etc/init.d/postgresql start
Authenticating prodan.
Password: 
 * Starting PostgreSQL...                                                 [ ok ]
passage root # grep -i user /etc/conf.d/postgresql       
# Logfile path: (NOTE: This must be uid/gid owned by the value of $PGUSER!)
# Run the PostgreSQL user as:
PGUSER=postgres
passage root # ps ax -ouser -ocommand |grep post
postgres /usr/bin/postmaster -D /var/lib/postgresql/data
postgres postgres: stats buffer process                 
postgres postgres: stats collector process              
passage policy # cat /selinux/enforce 
1passage policy # 
passage root # echo 0 > /selinux/enforce
passage root # grep postgres /etc/shadow
postgres:!:12479:0:99999:7:::
Comment 6 Masatomo Nakano (RETIRED) gentoo-dev 2005-02-25 08:53:26 UTC
I don't have a selinux environment at the moment.
I will install it in a few weeks, so please wait.
Comment 7 petre rodan (RETIRED) gentoo-dev 2005-11-29 03:28:22 UTC
I'm not sure what the issue is here.

I'm using the policy on 3 enforcing servers. plus, the policy is not that
different from the upstream version. see http://dev.gentoo.org/~kaiowas/patches/
for diffs.

if anyone happens to find a problem with the policy, please open up a new bug
report and assign it to selinux@gentoo.org or to me directly.

closing
Comment 8 petre rodan (RETIRED) gentoo-dev 2005-11-29 03:28:58 UTC
closing with FIXED