On 07/23/2010 01:50 PM, Marcelo Roccasalva wrote:
> Anyway, what are the best practices to allow postgresql "copy to" a
> subdirectory of a home directory (without disabling selinux)? I'm
> running centos 5.5.

The first thing you'll want to do is enable auditing. One of the items in Fedora's SELinux FAQ (http://docs.fedoraproject.org/en-US/Fedora/13/html/SELinux_FAQ/) indicates that you'd do so with:

    # semodule -b /usr/share/selinux/targeted/enableaudit.pp

Once auditing is enabled, make sure SELinux is in permissive mode. Start watching the audit log for your denial messages:

    # tail -f /var/log/audit/audit.log

Ask the SQL server to "copy to" a denied location again. When it completes, use Ctrl+C to cancel the log "tail" and then re-enable the standard "dontaudit" rules:

    # semodule -b /usr/share/selinux/targeted/base.pp

Now that you have the audit logs that correspond to the denial which you'd like to reverse, you can create a new module to allow that access. Use "audit2allow" to create the module. You can name the module whatever you like. Paste the lines from audit.log which correspond to the access you'd like to allow. When finished, use Ctrl+D to indicate the end of input:

    # audit2allow -M allowPostToHome
    > paste logs
    > Ctrl+D

audit2allow will create a module source file called allowPostToHome.te and then compile it to a file called allowPostToHome.pp. It will indicate that you need to load the module file with semodule, which you'll need to do:

    # semodule -i allowPostToHome.pp

After that, PostgreSQL should be able to perform the action which was previously denied, but still retains other aspects of its SELinux configuration. Once the module is loaded, the policy has been changed. semodule will also copy the module file to a location where it will be loaded on future system boots so that it remains active.
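Added worked example (editor's addition, not part of the reply above, the Fedora FAQ, or the audit2allow tool): the step "paste the lines from audit.log which correspond to the access you'd like to allow" is where a module ends up broader than intended if unrelated denials get pasted too. This script filters an audit.log down to the AVC denial lines for one process name and reduces each to source type, target type, object class and denied permissions, so you can see exactly what audit2allow will turn into allow rules. The audit.log lines are constructed for the example; pids, inode numbers, names and contexts are made up, and the only assumption is the standard AVC record layout.

```shell
#!/bin/sh
# Added example, not part of the original mail or of any SELinux tool.
# Filters an audit.log down to the AVC denial lines for one process name and
# prints a one-line summary per denial (source type, target type, object class,
# denied permissions), so the administrator can see exactly which accesses
# audit2allow will turn into allow rules before the module is loaded.
# Assumes the standard audit.log AVC line layout shown in the constructed
# sample below; the paths, pids, inodes and contexts in it are made up.

# Print only AVC denial lines whose comm= field equals $1 (reads stdin).
avc_denials_for() {
    grep 'type=AVC' | grep 'avc:  denied' | grep "comm=\"$1\""
}

# Reduce each AVC line to: source_type target_type tclass { permissions }
avc_summary() {
    sed -n 's/.*denied  { \([^}]*\)}.*scontext=[^:]*:[^:]*:\([^:]*\):.*tcontext=[^:]*:[^:]*:\([^:]*\):.*tclass=\([a-z_]*\).*/\2 \3 \4 { \1}/p'
}

# Constructed sample: two postgres denials on a home subdirectory, one denial
# from an unrelated daemon, and one non-AVC record that must be ignored.
SAMPLE_AUDIT_LOG='type=AVC msg=audit(1279902000.101:201): avc:  denied  { write } for  pid=2345 comm="postgres" name="exports" dev=sda1 ino=40123 scontext=system_u:system_r:postgresql_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=SYSCALL msg=audit(1279902000.101:201): arch=c000003e syscall=2 success=no exit=-13 comm="postgres" exe="/usr/bin/postgres"
type=AVC msg=audit(1279902000.102:202): avc:  denied  { add_name } for  pid=2345 comm="postgres" name="report.csv" scontext=system_u:system_r:postgresql_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1279902000.103:203): avc:  denied  { read } for  pid=3456 comm="httpd" name="secret.txt" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file'

# Run the filter over the sample; this is the summary you would review before
# pasting the matching raw lines into "audit2allow -M".
run_example() {
    printf '%s\n' "$SAMPLE_AUDIT_LOG" | avc_denials_for postgres | avc_summary
}

# Against a real log the same two functions would be used as:
#   avc_denials_for postgres < /var/log/audit/audit.log | avc_summary
run_example
```

For the sample this prints two lines, both `postgresql_t user_home_t dir` with `{ write }` and `{ add_name }`; the httpd denial and the SYSCALL record are dropped. After audit2allow has written allowPostToHome.te, compare its allow rules with this summary: a rule that names a type, class or permission that does not appear here means unrelated log lines were pasted, and the module should be regenerated from only the matching ones.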