Tuesday, September 30, 2008
SELinux - dealing with exceptions
So we're seeing errors in our /var/log/messages like:

Sep 28 03:52:51 fvs-pri setroubleshoot: SELinux is preventing freshclam (freshclam_t) "read" to ./main.cld (var_t). For complete SELinux messages. run sealert -l 10ce7bfb-6c44-473e-94a1-4691c04d2bef
Sep 28 03:52:51 fvs-pri setroubleshoot: SELinux is preventing freshclam (freshclam_t) "write" to ./clamav (var_t). For complete SELinux messages. run sealert -l 276efeb4-6990-497f-bcf0-6df0327c6f52

It's fairly easy to write exceptions, using audit2allow.

For example:

# cd /usr/share/selinux/devel/

# egrep "(clam)" /var/log/audit/audit.log /var/log/audit/audit.log.1 | audit2allow -M clam20080930

# /usr/sbin/semodule -i clam20080930.pp

Note: This is the very quick and dirty way of dealing with exceptions - it really doesn't fix the underlying issue.
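As an added example (not code from the original post), here is a small Python triage script for the step before audit2allow: it reads raw audit.log AVC records, groups them into the same candidate allow rules audit2allow -M would produce, and flags the groups whose target type is a generic label such as var_t, which is exactly what the freshclam denials above show. A generic target type usually means the files themselves are mislabeled, and the durable fix is to relabel them rather than to teach the policy that freshclam_t may read var_t. The audit records embedded in the script are constructed samples modelled on the denials above; the tcp_socket record is invented to exercise the other branch.

```python
"""Triage SELinux AVC denials before turning them into an allow module.

Added example, not code from the original post. It parses raw audit.log AVC
records (the records audit2allow reads), groups them into the allow rules
audit2allow would generate, and flags groups whose target type is a generic
label (var_t, file_t, default_t, unlabeled_t): those usually mean the files
are mislabeled, and the fix is a relabel, not an allow rule.
"""
import re
from collections import defaultdict

# Constructed sample audit.log records, modelled on the freshclam denials in
# the post; the tcp_socket record is invented to show the other branch.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1222591971.412:1201): avc:  denied  { read } for  pid=4321 comm="freshclam" name="main.cld" dev=sda3 ino=98765 scontext=system_u:system_r:freshclam_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1222591971.413:1202): avc:  denied  { write } for  pid=4321 comm="freshclam" name="clamav" dev=sda3 ino=98700 scontext=system_u:system_r:freshclam_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
type=AVC msg=audit(1222591980.100:1203): avc:  denied  { name_connect } for  pid=4321 comm="freshclam" dest=80 scontext=system_u:system_r:freshclam_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1222591971.412:1201): arch=40000003 syscall=5 success=no exit=-13 comm="freshclam"
"""

# Target types that label "whatever was left over" rather than a specific
# kind of object; a denial against one of these is a labeling smell.
GENERIC_TYPES = {"var_t", "file_t", "default_t", "unlabeled_t"}

AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*?)"
    r"\s+scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def type_of(context):
    """user:role:type[:level] -> type."""
    return context.split(":")[2]


def parse_avc(line):
    """Return the interesting parts of one AVC denial, or None for other records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "perms": tuple(sorted(m.group("perms").split())),
        "comm": fields.get("comm", "?"),
        # file objects carry name=, socket objects carry dest=
        "object": fields.get("name") or fields.get("dest") or "?",
        "stype": type_of(m.group("scontext")),
        "ttype": type_of(m.group("tcontext")),
        "tclass": m.group("tclass"),
    }


def triage(log_text):
    """Group denials the way audit2allow does and attach a defender's verdict."""
    groups = defaultdict(lambda: {"count": 0, "objects": set(), "comm": set()})
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        g = groups[(rec["stype"], rec["ttype"], rec["tclass"], rec["perms"])]
        g["count"] += 1
        g["objects"].add(rec["object"])
        g["comm"].add(rec["comm"])

    report = []
    for (stype, ttype, tclass, perms), g in sorted(groups.items()):
        if ttype in GENERIC_TYPES:
            advice = ("likely mislabeled target: check it with ls -Z and fix the "
                      "label (restorecon, or semanage fcontext for a non-default "
                      "path) instead of allowing the access")
        else:
            advice = ("specific target type: decide whether this access is expected "
                      "for the program before allowing it via a boolean or a local module")
        report.append({
            "rule": f"allow {stype} {ttype}:{tclass} {{ {' '.join(perms)} }};",
            "count": g["count"],
            "objects": sorted(g["objects"]),
            "comm": sorted(g["comm"]),
            "advice": advice,
        })
    return report


if __name__ == "__main__":
    for item in triage(SAMPLE_AUDIT_LOG):
        print(f"{item['rule']}  # {item['count']}x by {','.join(item['comm'])} "
              f"on {','.join(item['objects'])}\n    -> {item['advice']}")
```

Run it against a real audit.log (for example `python3 triage.py < /var/log/audit/audit.log` after swapping the sample for stdin) and only the groups marked "specific target type" are candidates for the audit2allow module; the var_t groups should send you to ls -Z on the files first.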


Monday, March 10, 2008
Postgresql 8.1 under a nondefault directory with SELinux
So I like to keep my PostgreSQL install in a non-standard location. Normally, this is as easy as setting PGDATA= in the /etc/sysconfig/pgsql/postgresql file. But when SELinux is installed, you also have to deal with system context issues.

One symptom of this is that /etc/init.d/postgresql start will fail, while starting the database interactively with "su postgres" and pg_ctl works. The difference is that a daemon launched from the init script runs in its confined SELinux domain (postgresql_t), which may only touch files carrying the types the policy expects, whereas a server started from an interactive shell inherits the shell's unconfined domain and is hardly restricted at all.

If you dig through the pgsql-general mail archives, you'll find a thread titled "[GENERAL] Using an alternate PGDATA on RHEL4 with SELinux enabled" from July 2006. Unfortunately, nobody posted the answer for how to work around this issue and the original poster merely disabled SELinux. Tom Lane in particular says:

The default selinux policy prevents postgres from writing anywhere except under /var/lib/pgsql. If you want a nondefault PGDATA location then you have to tweak the policy.

However, I stumbled across a post, "Just Someone Re: SELinux + CREATE TABLESPACE = ?", which gives some insight into the issue. It was also posted to the pgsql-general mailing list, about a week later. I quote "Just Someone":

If you'd rather keep SELinux on, you can still set the SELinux context on the directory where you want the tablespaces to one postgres will like.

To find what permissions you need, you can use ls -Z. It will list the SELinux context. Check /var/lib/pgsql/data (or wherever postgres data is pointing to), and then set this same permission on the target dir using chcon.

For example, on my FC4 system all subdirectories on the data directory have:
root:object_r:postgresql_db_t or user_u:object_r:postgresql_db_t

So if you want to change /path/to/foo/which/is/not/under/pgdata, run (as root or sudo):

chcon root:object_r:postgresql_db_t /path/to/foo/which/is/not/under/pgdata

This way postgres can access it, and you get the SELinux security.

Bye,

Guy.


So basically, we need to look at the context of the existing /var/lib/pgsql folder and then make our new directories to match that. We'll start by looking at /var/lib/pgsql:

# ls -Z /var/lib/
drwx------ postgres postgres system_u:object_r:var_lib_t pgsql


Let's compare this to our new location:

# ls -Z /var/
drwxr-xr-x root root system_u:object_r:file_t pgsql


Yeah, that's definitely not correct. So let's fix it:

# chown postgres:postgres /var/pgsql
# chmod 700 /var/pgsql
# chcon system_u:object_r:var_t /var/pgsql
# ls -Z /var/
drwx------ postgres postgres system_u:object_r:var_lib_t pgsql


Which now matches exactly what we saw for /var/lib/pgsql. Now we need to do the same thing for the contents of /var/pgsql as compared to /var/lib/pgsql.

# ls -Z /var/lib/pgsql
drwx------ postgres postgres system_u:object_r:var_lib_t backups
drwx------ postgres postgres system_u:object_r:postgresql_db_t data
-rw------- postgres postgres system_u:object_r:postgresql_log_t pgstartup.log


As compared to:

# ls -Z /var/pgsql
drwx------ postgres postgres user_u:object_r:var_log_t data
drwx------ root root system_u:object_r:file_t lost+found


Once again, things need to be fixed up.

# su postgres
$ mkdir /var/pgsql/backups
$ chmod 700 /var/pgsql/backups
$ chcon system_u:object_r:var_t /var/pgsql/backups
$ chcon system_u:object_r:postgresql_db_t /var/pgsql/data
$ touch /var/pgsql/pgstartup.log
$ chmod 600 /var/pgsql/pgstartup.log
$ chcon system_u:object_r:postgresql_log_t /var/pgsql/pgstartup.log
$ ls -Z /var/pgsql
drwx------ postgres postgres system_u:object_r:var_t backups
drwx------ postgres postgres system_u:object_r:postgresql_db_t data
drwx------ root root system_u:object_r:file_t lost+found
-rw------- postgres postgres system_u:object_r:postgresql_log_t pgstartup.log
$ ls -Z /var/lib/pgsql
drwx------ postgres postgres system_u:object_r:var_lib_t backups
drwx------ postgres postgres system_u:object_r:postgresql_db_t data
-rw------- postgres postgres system_u:object_r:postgresql_log_t pgstartup.log


Which looks correct. At least our ownership, file attributes and file context all match the original. Note that I left the context of some things as system_u:object_r:var_t instead of system_u:object_r:var_lib_t.

Now for the hard part, we have to look at ALL of the subdirectory contents under /var/lib/pgsql and match them up in the new location:

$ cd /var/lib/pgsql ; ls -RZ
.:
drwx------ postgres postgres system_u:object_r:var_lib_t backups
drwx------ postgres postgres system_u:object_r:postgresql_db_t data
-rw------- postgres postgres system_u:object_r:postgresql_log_t pgstartup.log

./backups:

./data:
drwx------ postgres postgres user_u:object_r:postgresql_db_t base
drwx------ postgres postgres user_u:object_r:postgresql_db_t global
drwx------ postgres postgres user_u:object_r:postgresql_db_t pg_clog
-rw------- postgres postgres user_u:object_r:postgresql_db_t pg_hba.conf
-rw------- postgres postgres user_u:object_r:postgresql_db_t pg_ident.conf
drwx------ postgres postgres user_u:object_r:postgresql_db_t pg_log
drwx------ postgres postgres user_u:object_r:postgresql_db_t pg_multixact
drwx------ postgres postgres user_u:object_r:postgresql_db_t pg_subtrans
drwx------ postgres postgres user_u:object_r:postgresql_db_t pg_tblspc
drwx------ postgres postgres user_u:object_r:postgresql_db_t pg_twophase
-rw------- postgres postgres user_u:object_r:postgresql_db_t PG_VERSION
drwx------ postgres postgres user_u:object_r:postgresql_db_t pg_xlog
-rw------- postgres postgres user_u:object_r:postgresql_db_t postgresql.conf
-rw------- postgres postgres system_u:object_r:postgresql_db_t postmaster.opts

./data/base:
drwx------ postgres postgres user_u:object_r:postgresql_db_t 1
drwx------ postgres postgres user_u:object_r:postgresql_db_t 10792
drwx------ postgres postgres user_u:object_r:postgresql_db_t 10793

./data/base/1:
-rw------- postgres postgres user_u:object_r:postgresql_db_t 10287
-rw------- postgres postgres user_u:object_r:postgresql_db_t 10289
-rw------- postgres postgres user_u:object_r:postgresql_db_t 10293
-rw------- postgres postgres user_u:object_r:postgresql_db_t 10295
-rw------- postgres postgres user_u:object_r:postgresql_db_t 10299
-rw------- postgres postgres user_u:object_r:postgresql_db_t 10301
-rw------- postgres postgres user_u:object_r:postgresql_db_t 10302
-rw------- postgres postgres user_u:object_r:postgresql_db_t 10304
-rw------- postgres postgres user_u:object_r:postgresql_db_t 10305
-rw------- postgres postgres user_u:object_r:postgresql_db_t 10307
-rw------- postgres postgres user_u:object_r:postgresql_db_t 10308
-rw------- postgres postgres user_u:object_r:postgresql_db_t 10310
-rw------- postgres postgres user_u:object_r:postgresql_db_t 10723
-rw------- postgres postgres user_u:object_r:postgresql_db_t 10725
-rw------- postgres postgres user_u:object_r:postgresql_db_t 10727
-rw------- postgres postgres user_u:object_r:postgresql_db_t 10728
-rw------- postgres postgres user_u:object_r:postgresql_db_t 10730
-rw------- postgres postgres user_u:object_r:postgresql_db_t 10732
-rw------- postgres postgres user_u:object_r:postgresql_db_t 10733
-rw------- postgres postgres user_u:object_r:postgresql_db_t 10735
-rw------- postgres postgres user_u:object_r:postgresql_db_t 10737
-rw------- postgres postgres user_u:object_r:postgresql_db_t 10738
-rw------- postgres postgres user_u:object_r:postgresql_db_t 10740
-rw------- postgres postgres user_u:object_r:postgresql_db_t 10742
-rw------- postgres postgres user_u:object_r:postgresql_db_t 10743
-rw------- postgres postgres user_u:object_r:postgresql_db_t 10745
-rw------- postgres postgres user_u:object_r:postgresql_db_t 10747
-rw------- postgres postgres user_u:object_r:postgresql_db_t 10748
-rw------- postgres postgres user_u:object_r:postgresql_db_t 10750
-rw------- postgres postgres user_u:object_r:postgresql_db_t 10752
-rw------- postgres postgres user_u:object_r:postgresql_db_t 1247
-rw------- postgres postgres user_u:object_r:postgresql_db_t 1248
-rw------- postgres postgres user_u:object_r:postgresql_db_t 1249
-rw------- postgres postgres user_u:object_r:postgresql_db_t 1250
-rw------- postgres postgres user_u:object_r:postgresql_db_t 1255
-rw------- postgres postgres user_u:object_r:postgresql_db_t 1259
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2600
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2601
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2602
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2603
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2604
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2605
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2606
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2607
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2608
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2609
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2610
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2611
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2612
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2613
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2614
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2615
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2616
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2617
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2618
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2619
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2620
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2650
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2651
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2652
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2653
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2654
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2655
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2656
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2657
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2658
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2659
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2660
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2661
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2662
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2663
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2664
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2665
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2666
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2667
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2668
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2669
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2670
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2673
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2674
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2675
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2678
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2679
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2680
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2681
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2682
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2683
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2684
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2685
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2686
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2687
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2688
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2689
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2690
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2691
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2692
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2693
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2696
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2699
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2700
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2701
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2702
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2703
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2704
-rw------- postgres postgres user_u:object_r:postgresql_db_t PG_VERSION

./data/base/10792:
-rw------- postgres postgres user_u:object_r:postgresql_db_t 10287
-rw------- postgres postgres user_u:object_r:postgresql_db_t 10289
-rw------- postgres postgres user_u:object_r:postgresql_db_t 10293
-rw------- postgres postgres user_u:object_r:postgresql_db_t 10295
-rw------- postgres postgres user_u:object_r:postgresql_db_t 10299
-rw------- postgres postgres user_u:object_r:postgresql_db_t 10301
-rw------- postgres postgres user_u:object_r:postgresql_db_t 10302
-rw------- postgres postgres user_u:object_r:postgresql_db_t 10304
-rw------- postgres postgres user_u:object_r:postgresql_db_t 10305
-rw------- postgres postgres user_u:object_r:postgresql_db_t 10307
-rw------- postgres postgres user_u:object_r:postgresql_db_t 10308
-rw------- postgres postgres user_u:object_r:postgresql_db_t 10310
-rw------- postgres postgres user_u:object_r:postgresql_db_t 10723
-rw------- postgres postgres user_u:object_r:postgresql_db_t 10725
-rw------- postgres postgres user_u:object_r:postgresql_db_t 10727
-rw------- postgres postgres user_u:object_r:postgresql_db_t 10728
-rw------- postgres postgres user_u:object_r:postgresql_db_t 10730
-rw------- postgres postgres user_u:object_r:postgresql_db_t 10732
-rw------- postgres postgres user_u:object_r:postgresql_db_t 10733
-rw------- postgres postgres user_u:object_r:postgresql_db_t 10735
-rw------- postgres postgres user_u:object_r:postgresql_db_t 10737
-rw------- postgres postgres user_u:object_r:postgresql_db_t 10738
-rw------- postgres postgres user_u:object_r:postgresql_db_t 10740
-rw------- postgres postgres user_u:object_r:postgresql_db_t 10742
-rw------- postgres postgres user_u:object_r:postgresql_db_t 10743
-rw------- postgres postgres user_u:object_r:postgresql_db_t 10745
-rw------- postgres postgres user_u:object_r:postgresql_db_t 10747
-rw------- postgres postgres user_u:object_r:postgresql_db_t 10748
-rw------- postgres postgres user_u:object_r:postgresql_db_t 10750
-rw------- postgres postgres user_u:object_r:postgresql_db_t 10752
-rw------- postgres postgres user_u:object_r:postgresql_db_t 1247
-rw------- postgres postgres user_u:object_r:postgresql_db_t 1248
-rw------- postgres postgres user_u:object_r:postgresql_db_t 1249
-rw------- postgres postgres user_u:object_r:postgresql_db_t 1250
-rw------- postgres postgres user_u:object_r:postgresql_db_t 1255
-rw------- postgres postgres user_u:object_r:postgresql_db_t 1259
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2600
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2601
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2602
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2603
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2604
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2605
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2606
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2607
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2608
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2609
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2610
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2611
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2612
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2613
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2614
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2615
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2616
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2617
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2618
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2619
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2620
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2650
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2651
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2652
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2653
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2654
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2655
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2656
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2657
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2658
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2659
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2660
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2661
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2662
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2663
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2664
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2665
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2666
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2667
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2668
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2669
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2670
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2673
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2674
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2675
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2678
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2679
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2680
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2681
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2682
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2683
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2684
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2685
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2686
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2687
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2688
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2689
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2690
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2691
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2692
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2693
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2696
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2699
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2700
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2701
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2702
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2703
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2704
-rw------- postgres postgres user_u:object_r:postgresql_db_t PG_VERSION

./data/base/10793:
-rw------- postgres postgres user_u:object_r:postgresql_db_t 10287
-rw------- postgres postgres user_u:object_r:postgresql_db_t 10289
-rw------- postgres postgres user_u:object_r:postgresql_db_t 10293
-rw------- postgres postgres user_u:object_r:postgresql_db_t 10295
-rw------- postgres postgres user_u:object_r:postgresql_db_t 10299
-rw------- postgres postgres user_u:object_r:postgresql_db_t 10301
-rw------- postgres postgres user_u:object_r:postgresql_db_t 10302
-rw------- postgres postgres user_u:object_r:postgresql_db_t 10304
-rw------- postgres postgres user_u:object_r:postgresql_db_t 10305
-rw------- postgres postgres user_u:object_r:postgresql_db_t 10307
-rw------- postgres postgres user_u:object_r:postgresql_db_t 10308
-rw------- postgres postgres user_u:object_r:postgresql_db_t 10310
-rw------- postgres postgres user_u:object_r:postgresql_db_t 10723
-rw------- postgres postgres user_u:object_r:postgresql_db_t 10725
-rw------- postgres postgres user_u:object_r:postgresql_db_t 10727
-rw------- postgres postgres user_u:object_r:postgresql_db_t 10728
-rw------- postgres postgres user_u:object_r:postgresql_db_t 10730
-rw------- postgres postgres user_u:object_r:postgresql_db_t 10732
-rw------- postgres postgres user_u:object_r:postgresql_db_t 10733
-rw------- postgres postgres user_u:object_r:postgresql_db_t 10735
-rw------- postgres postgres user_u:object_r:postgresql_db_t 10737
-rw------- postgres postgres user_u:object_r:postgresql_db_t 10738
-rw------- postgres postgres user_u:object_r:postgresql_db_t 10740
-rw------- postgres postgres user_u:object_r:postgresql_db_t 10742
-rw------- postgres postgres user_u:object_r:postgresql_db_t 10743
-rw------- postgres postgres user_u:object_r:postgresql_db_t 10745
-rw------- postgres postgres user_u:object_r:postgresql_db_t 10747
-rw------- postgres postgres user_u:object_r:postgresql_db_t 10748
-rw------- postgres postgres user_u:object_r:postgresql_db_t 10750
-rw------- postgres postgres user_u:object_r:postgresql_db_t 10752
-rw------- postgres postgres user_u:object_r:postgresql_db_t 1247
-rw------- postgres postgres user_u:object_r:postgresql_db_t 1248
-rw------- postgres postgres user_u:object_r:postgresql_db_t 1249
-rw------- postgres postgres user_u:object_r:postgresql_db_t 1250
-rw------- postgres postgres user_u:object_r:postgresql_db_t 1255
-rw------- postgres postgres user_u:object_r:postgresql_db_t 1259
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2600
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2601
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2602
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2603
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2604
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2605
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2606
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2607
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2608
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2609
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2610
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2611
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2612
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2613
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2614
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2615
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2616
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2617
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2618
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2619
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2620
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2650
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2651
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2652
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2653
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2654
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2655
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2656
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2657
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2658
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2659
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2660
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2661
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2662
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2663
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2664
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2665
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2666
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2667
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2668
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2669
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2670
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2673
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2674
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2675
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2678
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2679
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2680
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2681
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2682
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2683
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2684
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2685
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2686
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2687
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2688
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2689
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2690
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2691
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2692
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2693
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2696
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2699
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2700
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2701
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2702
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2703
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2704
-rw------- postgres postgres system_u:object_r:postgresql_db_t pg_internal.init
-rw------- postgres postgres user_u:object_r:postgresql_db_t PG_VERSION

./data/global:
-rw------- postgres postgres user_u:object_r:postgresql_db_t 10290
-rw------- postgres postgres user_u:object_r:postgresql_db_t 10292
-rw------- postgres postgres user_u:object_r:postgresql_db_t 10296
-rw------- postgres postgres user_u:object_r:postgresql_db_t 10298
-rw------- postgres postgres user_u:object_r:postgresql_db_t 1136
-rw------- postgres postgres user_u:object_r:postgresql_db_t 1137
-rw------- postgres postgres user_u:object_r:postgresql_db_t 1213
-rw------- postgres postgres user_u:object_r:postgresql_db_t 1214
-rw------- postgres postgres user_u:object_r:postgresql_db_t 1232
-rw------- postgres postgres user_u:object_r:postgresql_db_t 1233
-rw------- postgres postgres user_u:object_r:postgresql_db_t 1260
-rw------- postgres postgres user_u:object_r:postgresql_db_t 1261
-rw------- postgres postgres user_u:object_r:postgresql_db_t 1262
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2671
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2672
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2676
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2677
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2694
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2695
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2697
-rw------- postgres postgres user_u:object_r:postgresql_db_t 2698
-rw------- postgres postgres system_u:object_r:postgresql_db_t pg_auth
-rw------- postgres postgres user_u:object_r:postgresql_db_t pg_control
-rw------- postgres postgres system_u:object_r:postgresql_db_t pg_database
-rw------- postgres postgres system_u:object_r:postgresql_db_t pg_fsm.cache
-rw------- postgres postgres system_u:object_r:postgresql_db_t pgstat.stat

./data/pg_clog:
-rw------- postgres postgres user_u:object_r:postgresql_db_t 0000

./data/pg_log:
-rw------- postgres postgres system_u:object_r:postgresql_db_t postgresql-Mon.log
-rw------- postgres postgres system_u:object_r:postgresql_db_t postgresql-Sat.log
-rw------- postgres postgres system_u:object_r:postgresql_db_t postgresql-Sun.log
-rw------- postgres postgres system_u:object_r:postgresql_db_t postgresql-Tue.log

./data/pg_multixact:
drwx------ postgres postgres user_u:object_r:postgresql_db_t members
drwx------ postgres postgres user_u:object_r:postgresql_db_t offsets

./data/pg_multixact/members:
-rw------- postgres postgres user_u:object_r:postgresql_db_t 0000

./data/pg_multixact/offsets:
-rw------- postgres postgres user_u:object_r:postgresql_db_t 0000

./data/pg_subtrans:
-rw------- postgres postgres user_u:object_r:postgresql_db_t 0000

./data/pg_tblspc:

./data/pg_twophase:

./data/pg_xlog:
-rw------- postgres postgres user_u:object_r:postgresql_db_t 000000010000000000000000
drwx------ postgres postgres user_u:object_r:postgresql_db_t archive_status

./data/pg_xlog/archive_status:
$


Keep that list open in a text editor or another terminal, because you'll need to refer to it frequently. We can fix most of it with a brute-force approach: working in the new data directory (/var/pgsql/data; the paths below are relative to it), set everything to the context "user_u:object_r:postgresql_db_t" to start.

$ cd /var/pgsql/data
$ chcon -R user_u:object_r:postgresql_db_t *

Now we can go and start fixing things that should not be that particular context. Now, it's quite probable that this is overkill, but I believe in being thorough.

$ chcon system_u:object_r:postgresql_db_t postmaster.opts
$ find . -name pg_internal.init -exec chcon system_u:object_r:postgresql_db_t {} \;
$ chcon system_u:object_r:postgresql_db_t global/pg_auth
$ chcon system_u:object_r:postgresql_db_t global/pg_database
$ chcon system_u:object_r:postgresql_db_t global/pg_fsm.cache   # file may not exist
$ chcon system_u:object_r:postgresql_db_t global/pgstat.stat
$ chcon system_u:object_r:postgresql_db_t pg_log/postgresql-*.log


At this point, your postgresql data directory SHOULD be configured correctly. (No guarantees!) So now you can restart postgresql (/etc/init.d/postgresql start) and it will work properly in the new location.
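Doing that comparison by eye over a few hundred lines of ls -RZ output is error-prone, so here is an added Python example (not code from the original post) that automates it. It parses the listings in the five-column form shown above (perms user group context name), diffs the new location against the reference tree, and prints the chown/chmod/chcon commands that remain, treating the var_lib_t/var_t substitution mentioned earlier as accepted; it also emits the semanage fcontext rules that make the labels survive a full relabel. The two listings embedded in it are constructed samples, trimmed to a handful of entries; the file names and types are the ones seen on this page.

```python
"""Compare SELinux contexts between a reference tree and its relocated copy.

Added example, not code from the original post. Parses `ls -RZ` output in the
five-column form (perms user group context name), diffs the new location
against the reference tree and emits the commands that make them match.
"""

# Constructed: output of `cd /var/lib/pgsql; ls -RZ` on the reference install.
REFERENCE_LISTING = """\
.:
drwx------ postgres postgres system_u:object_r:var_lib_t backups
drwx------ postgres postgres system_u:object_r:postgresql_db_t data
-rw------- postgres postgres system_u:object_r:postgresql_log_t pgstartup.log

./data:
-rw------- postgres postgres user_u:object_r:postgresql_db_t PG_VERSION
drwx------ postgres postgres user_u:object_r:postgresql_db_t global

./data/global:
-rw------- postgres postgres system_u:object_r:postgresql_db_t pg_auth
-rw------- postgres postgres user_u:object_r:postgresql_db_t pg_control
"""

# Constructed: the same command run in the new location, /var/pgsql.
TARGET_LISTING = """\
.:
drwx------ postgres postgres system_u:object_r:var_t backups
drwx------ postgres postgres user_u:object_r:var_log_t data
drwx------ root root system_u:object_r:file_t lost+found
-rw------- postgres postgres system_u:object_r:postgresql_log_t pgstartup.log

./data:
-rw------- postgres postgres user_u:object_r:var_log_t PG_VERSION
drwx------ postgres postgres user_u:object_r:var_log_t global

./data/global:
-rw-r--r-- root postgres user_u:object_r:var_log_t pg_control
$
"""


def parse_ls_rz(text):
    """Map relative path -> {perms, user, group, context} from `ls -RZ` output."""
    entries, curdir = {}, "."
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("$"):        # blank separators, shell prompt
            continue
        if line.endswith(":") and " " not in line:  # "./data:" directory header
            curdir = line[:-1]
            continue
        parts = line.split(None, 4)                 # the name may contain spaces
        if len(parts) != 5:
            continue
        perms, user, group, ctx, name = parts
        rel = curdir[2:] if curdir.startswith("./") else curdir
        path = name if rel == "." else f"{rel}/{name}"
        entries[path] = {"perms": perms, "user": user, "group": group, "context": ctx}
    return entries


def symbolic_to_octal(perms):
    """'-rw-r--r--' -> '644' (setuid/setgid/sticky bits are ignored)."""
    val = 0
    for ch in perms[1:10]:
        val = (val << 1) | (0 if ch in "-ST" else 1)
    return f"{val:03o}"


def plan_fixes(reference, target, new_root, accepted_types=None):
    """Commands that bring `target` (rooted at new_root) in line with `reference`.
    accepted_types maps a reference type to a target type the admin keeps on
    purpose (the post leaves var_t where the reference has var_lib_t)."""
    accepted_types = accepted_types or {}
    cmds, missing = [], []
    for path, ref in sorted(reference.items()):
        tgt = target.get(path)
        if tgt is None:
            missing.append(path)          # must be created before relabeling
            continue
        full = f"{new_root}/{path}"
        if (ref["user"], ref["group"]) != (tgt["user"], tgt["group"]):
            cmds.append(f"chown {ref['user']}:{ref['group']} {full}")
        if ref["perms"] != tgt["perms"]:
            cmds.append(f"chmod {symbolic_to_octal(ref['perms'])} {full}")
        ref_type, tgt_type = ref["context"].split(":")[2], tgt["context"].split(":")[2]
        if ref["context"] != tgt["context"] and accepted_types.get(ref_type) != tgt_type:
            cmds.append(f"chcon {ref['context']} {full}")
    extra = sorted(p for p in target if p not in reference)
    return cmds, missing, extra


def fcontext_rules(new_root):
    """Durable alternative to chcon: record the labels in the policy's file
    context database so a full relabel reapplies them instead of undoing them."""
    return [
        f'semanage fcontext -a -t postgresql_db_t "{new_root}/data(/.*)?"',
        f'semanage fcontext -a -t postgresql_log_t "{new_root}/pgstartup.log"',
        f"restorecon -Rv {new_root}",
    ]


if __name__ == "__main__":
    ref, tgt = parse_ls_rz(REFERENCE_LISTING), parse_ls_rz(TARGET_LISTING)
    cmds, missing, extra = plan_fixes(ref, tgt, "/var/pgsql", {"var_lib_t": "var_t"})
    print("\n".join(cmds))
    print("missing in new location:", missing, "| only in new location:", extra)
    print("\n".join(fcontext_rules("/var/pgsql")))
```

In practice you would capture `ls -RZ` from both trees into files and feed them to parse_ls_rz instead of the embedded samples; entries reported as missing (here data/global/pg_auth) have to exist before a chcon can be applied, and entries that exist only in the new location (here lost+found) need a decision of their own. The semanage lines are what makes the labels stick across a relabel, which the chcon-only approach does not.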

Notes:

- Tested on CentOS 5 (or CentOS 5.1); it should also work on Red Hat Enterprise Linux.

- If you ever re-tag the entire filesystem with SELinux, you will (probably) have to go back and re-tag your postgresql data directory.

- Because of the above note, it may be better to mount the LVM or SAN partition for PostgreSQL at the default location of /var/lib/pgsql instead of forcing it into another location. On the other hand, as long as you know how to fix it and don't re-tag indiscriminately, SELinux should never get in the way again.
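A check for the relabeling above and for the re-tagging caveat in the notes, added here as an example and not part of the original post: it scans an "ls -lRZ"-style listing for entries whose type is not postgresql_db_t, and prints the semanage/restorecon commands that record the type in the policy store so that a full relabel re-applies it instead of undoing it. The sample listing is constructed, and /srv/pgsql is an assumed PGDATA path.

```shell
#!/bin/sh
# Added example, not from the original post. Verifies a relabeled
# PostgreSQL data directory from an "ls -lRZ"-style listing and prints
# the persistent labeling rule for a non-default PGDATA.

EXPECTED_TYPE=postgresql_db_t

# Constructed sample in the same layout as the post's listing:
# perms owner group user:role:type name, grouped under "./dir:" headers.
# Two entries were deliberately given the wrong type.
SAMPLE_LISTING='./data:
drwx------ postgres postgres user_u:object_r:postgresql_db_t global
-rw------- postgres postgres user_u:object_r:var_lib_t postmaster.opts

./data/global:
-rw------- postgres postgres system_u:object_r:postgresql_db_t pg_auth
-rw------- postgres postgres root:object_r:file_t pgstat.stat'

# Read a listing on stdin and print "path type" for every entry whose
# type (third ":"-separated part of the context) is not $1.
find_mislabeled() {
    awk -v want="$1" '
        /^\.\/.*:$/ { dir = substr($0, 1, length($0) - 1); next }
        NF >= 5 {
            n = split($4, ctx, ":")
            if (n >= 3 && ctx[3] != want) print dir "/" $5, ctx[3]
        }'
}

# Print (do not run) the commands that make the label survive a full
# relabel: record the rule in the policy store, then apply it.
# The directory argument (/srv/pgsql below) is an assumed example.
persistent_label_commands() {
    printf 'semanage fcontext -a -t %s "%s(/.*)?"\n' "$EXPECTED_TYPE" "$1"
    printf 'restorecon -R -v "%s"\n' "$1"
}

# Stand-alone demo on the constructed sample.
printf '%s\n' "$SAMPLE_LISTING" | find_mislabeled "$EXPECTED_TYPE"
persistent_label_commands /srv/pgsql
```

Pipe the real output of `ls -lRZ` into find_mislabeled after the chcon pass to see what still needs attention; the printed semanage rule then keeps the directory labeled across restorecon and autorelabel.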


Thursday, July 05, 2007
SELinux is preventing named from write access
It seems like the SELinux profile in CentOS5 may not be correct by default. In my /var/log/messages file, I have thousands of entries per month consisting of:

Jul 4 05:01:04 fw1-hosho setroubleshoot: SELinux is preventing /usr/sbin/named (named_t) "write" access to named (named_conf_t). For complete SELinux messages. run sealert -l 663ea169-d194-4c49-a5bb-a6a4bb707990

Here's the output of the sealert command:

# sealert -l 663ea169-d194-4c49-a5bb-a6a4bb707990
Summary
SELinux is preventing /usr/sbin/named (named_t) "write" access to named
(named_conf_t).

Detailed Description
SELinux denied access requested by /usr/sbin/named. It is not expected that
this access is required by /usr/sbin/named and this access may signal an
intrusion attempt. It is also possible that the specific version or
configuration of the application is causing it to require additional access.
Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this
package.

Allowing Access
Sometimes labeling problems can cause SELinux denials. You could try to
restore the default system file context for named, restorecon -v named.
There is currently no automatic way to allow this access. Instead, you can
generate a local policy module to allow this access - see
http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 - or you can
disable SELinux protection entirely for the application. Disabling SELinux
protection is not recommended. Please file a
http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.
Changing the "named_disable_trans" boolean to true will disable SELinux
protection this application: "setsebool -P named_disable_trans=1."

The following command will allow this access:
setsebool -P named_disable_trans=1

Additional Information

Source Context system_u:system_r:named_t
Target Context root:object_r:named_conf_t
Target Objects named [ dir ]
Affected RPM Packages bind-9.3.3-8.el5 [application]
Policy RPM selinux-policy-2.4.6-30.el5
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name plugins.disable_trans
Host Name fw1-shimo.hq.example.org.
Platform Linux fw1-shimo.hq.example.org.
2.6.18-8.1.6.el5 #1 SMP Thu Jun 14 17:29:04 EDT
2007 x86_64 x86_64
Alert Count 70481
Line Numbers

Raw Audit Messages

avc: denied { write } for comm="named" dev=md1 egid=25 euid=25
exe="/usr/sbin/named" exit=-13 fsgid=25 fsuid=25 gid=25 items=0 name="named"
pid=2628 scontext=system_u:system_r:named_t:s0 sgid=25
subj=system_u:system_r:named_t:s0 suid=25 tclass=dir
tcontext=root:object_r:named_conf_t:s0 tty=(none) uid=25


The most helpful web page I've found so far is the thread "Permissions Issue starting Bind 9.3.1". The gist seems to be that Red Hat (and CentOS) use a chrooted bind installation in conjunction with an SELinux policy that expects the bind configuration files to be in a non-chroot layout. But there aren't very clear instructions there for fixing it.


Monday, July 02, 2007
LVM and SELinux
I was a bit perplexed... I had created an LV called /dev/vg/svn, had it mounted, and was reading/writing data to it with no issues. But after I rebooted the CentOS5 server, I was unable to mount the LV.

[root@localhost /]# /usr/sbin/pvscan
PV /dev/md6 VG vg lvm2 [144.78 GB / 59.78 GB free]
Total: 1 [144.78 GB] / in use: 1 [144.78 GB] / in no VG: 0 [0 ]
[root@localhost /]# /usr/sbin/vgscan
Reading all physical volumes. This may take a while...
Found volume group "vg" using metadata type lvm2
[root@localhost /]# /usr/sbin/lvscan
No volume groups found
[root@localhost /]# /usr/sbin/lvdisplay
No volume groups found
[root@localhost /]# /usr/sbin/lvdisplay vg
--- Logical volume ---
LV Name /dev/vg/svn
VG Name vg
LV UUID taYjia-BWWs-IWG3-313k-VoC2-ghik-01mFCg
LV Write Access read/write
LV Status NOT available
LV Size 85.00 GB
Current LE 21760
Segments 1
Allocation inherit
Read ahead sectors 0

[root@localhost /]#


So lvdisplay knows that the LV is there, but only if I tell it to look at the VG named "vg".

...

Turns out that it's an SELinux issue: SELinux was blocking access to the /etc/lvm/.cache file. Fixing it was as simple as:

# cd /etc/lvm
# /sbin/restorecon -v .cache
# /usr/sbin/lvscan
inactive '/dev/vg/svn' [85.00 GB] inherit


Sunday, July 01, 2007
CentOS5: Moving /var/log to a separate volume
One thing I like to do is put /var/log on its own volume. That keeps the root volume from overflowing and also gets the log files out of the way. However, in CentOS5 (and probably RHEL5), SELinux is probably going to complain unless we tell it to "fixup" the new filesystem.

  1. Create the filesystem (I use ext3, so # /sbin/mke2fs -j /dev/mdX)
  2. Mount it at a temporary location: # mkdir /mnt/log ; mount /dev/mdX /mnt/log
  3. Copy the contents: # cp -a /var/log/* /mnt/log/
  4. It may be necessary to "fixup" the new volume: # cd /mnt/log ; /sbin/restorecon -R *
  5. Edit the /etc/fstab file to mount the new volume at /var/log
  6. Reboot

AFAIK, that's the extent of what's needed. Looking at the directory listings with "ls -lZ" shows the same SELinux contexts on the files in the two directories.


Sunday, May 27, 2007
Squid, SELinux and using a separate volume for the cache_dir
This was a slightly tricky one. I'm running CentOS5 with SELinux and I was trying to set up Squid to put its cache_dir on an LVM volume (to keep it from using up space on the root partition).

# /etc/init.d/squid stop
# cd /var/spool
# lvcreate -L64G -nvar-spool-squid vg
# mke2fs -j /dev/vg/var-spool-squid
# mkdir /mnt/squid ; mount /dev/vg/var-spool-squid /mnt/squid
# cp -a /var/spool/squid/* /mnt/squid/
# cd /var/spool/squid
# rm -rf *
# cd /var/spool
# mount /dev/vg/var-spool-squid squid
# /etc/init.d/squid start

Starting squid: /etc/init.d/squid: line 53: 9440 Aborted $SQUID $SQUID_OPTS >>/var/log/squid/squid.out 2>&1
[FAILED]

# tail /var/log/messages

May 27 21:50:48 fw1-hosho setroubleshoot: SELinux is preventing /usr/sbin/named (named_t) "write" access to named (named_conf_t). For complete SELinux messages. run sealert -l 663ea169-d194-4c49-a5bb-a6a4bb707990
May 27 22:39:26 fw1-hosho squid: cache_dir /var/spool/squid: (13) Permission denied

# /usr/bin/sealert -l 626e75b4-32aa-4a61-88f7-f36a68fecd35
Summary
SELinux is preventing access to files with the label, file_t.

Detailed Description
SELinux permission checks on files labeled file_t are being denied. file_t
is the context the SELinux kernel gives to files that do not have a label.
This indicates a serious labeling problem. No files on an SELinux box should
ever be labeled file_t. If you have just added a new disk drive to the
system you can relabel it using the restorecon command. Otherwise you
should relabel the entire files system.

Allowing Access
You can execute the following command as root to relabel your computer
system: "touch /.autorelabel; reboot"

Additional Information

Source Context user_u:system_r:squid_t
Target Context user_u:object_r:file_t
Target Objects /var/spool/squid/00 [ dir ]
Affected RPM Packages squid-2.6.STABLE6-4.el5 [application]
Policy RPM selinux-policy-2.4.6-30.el5
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name plugins.file
Host Name fw1-hosho.intra.example.com.
Platform Linux fw1-hosho.intra.example.com. 2.6.18-8.1.4.el5
#1 SMP Thu May 17 03:16:52 EDT 2007 x86_64 x86_64
Alert Count 10
Line Numbers

Raw Audit Messages

avc: denied { getattr } for comm="squid" dev=dm-0 egid=23 euid=23
exe="/usr/sbin/squid" exit=-13 fsgid=23 fsuid=23 gid=23 items=0 name="00"
path="/var/spool/squid/00" pid=9584 scontext=user_u:system_r:squid_t:s0 sgid=23
subj=user_u:system_r:squid_t:s0 suid=0 tclass=dir
tcontext=user_u:object_r:file_t:s0 tty=(none) uid=23


...

So the problem was that SELinux had not yet been told to label the newly created volume (an LVM volume mounted on /var/spool/squid). Fixing it is rather simple once you know about the restorecon command.

# cd /var/spool/squid
# /usr/sbin/squid -z
# /sbin/restorecon -R *
# /etc/init.d/squid start
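A triage helper for raw AVC messages like the named and squid ones quoted above, added here as an example and not part of the original posts: it extracts the source type, permission, class and target type, and separates denials whose target is still file_t or unlabeled_t (a labeling problem, fixed with restorecon as in the Squid and /var/log posts) from denials against a properly labeled object (a policy question for audit2allow or a bug report). The sample consists of the two posts' audit messages joined onto one line each, plus one constructed unlabeled_t case.

```shell
#!/bin/sh
# Added example, not from the original posts. Triage raw AVC denials:
# a target still labeled file_t or unlabeled_t is a labeling problem
# (fix with restorecon); anything else is a policy decision.

# Constructed sample: the named and squid raw audit messages from the
# posts above, each joined onto one line, plus one constructed
# unlabeled_t case for a freshly mounted volume.
SAMPLE_AVCS='avc: denied { write } for comm="named" dev=md1 egid=25 euid=25 exe="/usr/sbin/named" exit=-13 name="named" pid=2628 scontext=system_u:system_r:named_t:s0 tclass=dir tcontext=root:object_r:named_conf_t:s0 uid=25
avc: denied { getattr } for comm="squid" dev=dm-0 egid=23 euid=23 exe="/usr/sbin/squid" exit=-13 name="00" path="/var/spool/squid/00" pid=9584 scontext=user_u:system_r:squid_t:s0 tclass=dir tcontext=user_u:object_r:file_t:s0 uid=23
avc: denied { read } for comm="httpd" dev=sdb1 name="index.html" path="/srv/www/index.html" scontext=system_u:system_r:httpd_t:s0 tclass=file tcontext=system_u:object_r:unlabeled_t:s0'

# Print the value of one key=value field (quoted or bare) from an AVC line.
avc_field() {
    printf '%s\n' "$2" | sed -n "s/.*[ ]$1=\"\{0,1\}\([^\" ]*\).*/\1/p"
}

# Print the type part of a context such as user_u:object_r:file_t:s0.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Classify one AVC line. Output: "<verdict> <src_type> <perm> <tclass>
# <target_type> <object>", where verdict is relabel or policy.
triage_avc() {
    line=$1
    perm=$(printf '%s\n' "$line" | sed -n 's/.*denied { \([^}]*\) }.*/\1/p')
    src=$(ctx_type "$(avc_field scontext "$line")")
    tgt=$(ctx_type "$(avc_field tcontext "$line")")
    cls=$(avc_field tclass "$line")
    obj=$(avc_field path "$line")
    [ -n "$obj" ] || obj=$(avc_field name "$line")
    case $tgt in
        file_t|unlabeled_t) verdict=relabel ;;
        *) verdict=policy ;;
    esac
    printf '%s %s %s %s %s %s\n' "$verdict" "$src" "$perm" "$cls" "$tgt" "$obj"
}

# Stand-alone demo over the sample lines.
printf '%s\n' "$SAMPLE_AVCS" | while IFS= read -r l; do triage_avc "$l"; done
```

Feeding `grep 'avc: denied' /var/log/audit/audit.log` through triage_avc sorts a noisy log into the entries that only need a restorecon and the ones that actually deserve a policy review before anything is allowed.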
