[CentOS] postgresql copy to and selinux

Sun Jul 25 17:09:36 UTC 2010
Gordon Messmer <yinyang at eburg.com>

On 07/23/2010 01:50 PM, Marcelo Roccasalva wrote:
> Anyway, what are the best practices to allow postgresql "copy to" a
> subdirectory of a home directory (without disabling selinux)? I'm
> running centos 5.5.

The first thing you'll want to do is enable auditing.  One of the items 
in Fedora's SELinux FAQ 
(http://docs.fedoraproject.org/en-US/Fedora/13/html/SELinux_FAQ/) 
indicates that you'd do so with:
# semodule -b /usr/share/selinux/targeted/enableaudit.pp

Once auditing is enabled, make sure SELinux is in permissive mode. 
Start watching the audit log for your denial messages:
# tail -f /var/log/audit/audit.log

Ask the SQL server to "copy to" a denied location again.  When it 
completes, use Ctrl+C to cancel the log "tail" and then re-enable the 
standard "dontaudit" rules:
# semodule -b /usr/share/selinux/targeted/base.pp

Now that you have the audit logs that correspond to the denial which 
you'd like to reverse, you can create a new module to allow that 
access.	 Use "audit2allow" to create the module.  You can name the 
module whatever you like.  Paste the lines from audit.log which 
correspond to the access you'd like to allow.  When finished, use Ctrl+D 
to indicate the end of input:
# audit2allow -M allowPostToHome
 > paste logs
 > Ctrl+D

audit2allow will create a module source file called allowPostToHome.te 
and then compile it to a file called allowPostToHome.pp.  It will 
indicate that you need to load the module file with semodule, which 
you'll need to do:
# semodule -i allowPostToHome.pp

After that, PostgreSQL should be able to perform the action which was 
previously denied, but still retains other aspects of its SELinux 
configuration.  Once the module is loaded, the policy has been changed. 
  semodule will also copy the module file to a location where it will be 
loaded on future system boots so that it remains active.