21.4 .1. Post greSQL Changing Dat abase Locat ion
When using Red Hat Enterprise Linux, the default location for PostgreSQL to store its database is /var/l i b/pg sq l /d ata/. This is where SELinux expects it to be by default, and hence this area is already labeled appropriately for you, using the po stg resq l _d b_t type.
The area where the database is located can be changed depending on individual environment requirements or preferences, however it is important that SELinux is aware of this new location; that it is labeled accordingly. This example explains how to change the location of a PostgreSQL database and then how to label the new location so that SELinux can still provide its protection mechanisms to the new area based on its contents.
Note that this is an example only and demonstrates how SELinux can affect PostgreSQL.
Comprehensive documentation of PostgreSQL is beyond the scope of this document. Refer to the official PostgreSQL documentation for further details. This example assumes that the postgresql-server package is installed.
1. View the SELinux context of the default database location for po stg resq l:
~]# l s -l Z /var/l i b/pg sq l
drwx---. postgres postgres system_u:object_r:postgresql_db_t:s0 data
This shows po stg resq l _d b_t which is the default context element for the location of database files. This context will have to be manually applied to the new database location that will be used in this example in order for it to function properly.
2. Create a new directory for the new location of the database(s). In this example,
/o pt/po stg resq l /d ata/ is used. If you use a different location, replace the text in the following steps with your location:
~]# mkd i r -p /o pt/po stg resq l /d ata
3. Perform a directory listing of the new location. Note that the initial context of the new directory is usr_t. This context is not sufficient for SELinux to offer its protection mechanisms to PostgreSQL. Once the context has been changed, it will be able to function properly in the new area.
~]# l s -l Z /o pt/po stg resq l /
drwxr-xr-x. root root unconfined_u:object_r:usr_t:s0 data
4. Change the ownership of the new location to allow access by the postgres user and group.
This sets the traditional Unix permissions which SELinux will still observe.
~]# cho wn -R po stg res: po stg res /o pt/po stg resq l
5. Open the PostgreSQL init file /etc/rc. d /i ni t. d /po stg resq l with a text editor and modify the P G D AT A and P G LO G variables to point to the new location:
~]# vi /etc/rc. d /i ni t. d /po stg resq l PGDATA=/opt/postgresql/data
PGLOG=/opt/postgresql/data/pgstartup.log Save this file and exit the text editor.
6. Initialize the database in the new location:
~]$ su - po stg res -c "i ni td b -D /o pt/po stg resq l /d ata"
7. Having changed the database location, starting the service will fail at this point:
~]# systemctl start po stg resq l . servi ce
Job for postgresql.service failed. See 'systemctl status postgresql.service' and 'journalctl -xn' for details.
SELinux has caused the service to not start. This is because the new location is not properly labeled. The following steps explain how to label the new location (/o pt/po stg resq l /) and start the postgresql service properly:
8. Use the semanag e utility to add a context mapping for /o pt/po stg resq l / and any other directories/files within it:
~]# semanag e fco ntext -a -t po stg resq l _d b_t
"/o pt/po stg resq l (/. *)?"
9. This mapping is written to the
/etc/sel i nux/targ eted /co ntexts/fi l es/fi l e_co ntexts. l o cal file:
~]# g rep -i po stg resq l
/etc/sel i nux/targ eted /co ntexts/fi l es/fi l e_co ntexts. l o cal /opt/postgresql(/.*)? system_u:object_r:postgresql_db_t:s0 10. Now use the resto reco n utility to apply this context mapping to the running system:
~]# resto reco n -R -v /o pt/po stg resq l
11. Now that the /o pt/po stg resq l / location has been labeled with the correct context for PostgreSQL, the po stg resq l service will start successfully:
~]# systemctl start po stg resq l . servi ce 12. Confirm the context is correct for /o pt/po stg resq l /:
~]$ l s -l Z /o pt
drwxr-xr-x. root root system_u:object_r:postgresql_db_t:s0 postgresql
13. Check with the ps command that the po stg resq l process displays the new location:
~]# ps aux | g rep -i po stmaster
postgres 21564 0.3 0.3 42308 4032 ? S 10:13 0:00 /usr/bin/postmaster -p 5432 -D /opt/postgresql/data/
14. The location has been changed and labeled, and po stg resq l has started successfully. At this point all running services should be tested to confirm normal operation.
[22] Refer to the Po stg reSQ L p ro ject p ag e fo r mo re info rmatio n.
Chapter 22. rsync
The rsync utility performs fast file transfer and it is used for synchronizing data between systems.
When using Red Hat Enterprise Linux, the rsync package provides rsync. Run the following command to see if the rsync package is installed:
~]$ rpm -q rsync
package rsync is not installed
If it is not installed, use the yum utility as root to install it:
~]# yum i nstal l rsync
22.1. rsync and SELinux
SELinux requires files to have an extended attribute to define the file type. Policy governs the access daemons have to these files. If you want to share files using the rsync daemon, you must label the files and directories with the publ i c_co ntent_t type. Like most services, correct labeling is required for SELinux to perform its protection mechanisms over rsync.
22.2. T ypes
Type Enforcement is the main permission control used in SELinux targeted policy. All files and processes are labeled with a type: types define a domain for processes and a type for files. SELinux policy rules define how types access each other, whether it be a domain accessing a type, or a domain accessing another domain. Access is only allowed if a specific SELinux policy rule exists that allows it.
The following types are used with rsync. Different types all you to configure flexible access:
publ i c_co ntent_t
This is a generic type used for the location of files (and the actual files) to be shared using rsync. If a special directory is created to house files to be shared with rsync, the directory and its contents need to have this label applied to them.
rsync_exec_t
This type is used for the /usr/bi n/rsync system binary.
rsync_l o g _t
This type is used for the rsync log file, located at /var/l o g /rsync. l o g by default. To change the location of the file rsync logs to, use the --l o g -fi l e= FILE option to the rsync command at run-time.
rsync_var_run_t
This type is used for the rsyncd lock file, located at /var/run/rsyncd . l o ck. This lock file is used by the rsync server to manage connection limits.
rsync_d ata_t [23]
[24]
This type is used for files and directories which you want to use as rsync domains and isolate them from the access scope of other services. Also, the publ i c_co ntent_t is a general SELinux context type, which can be used when a file or a directory interacts with multiple services (for example, FTP and NFS directory as an rsync domain).
rsync_etc_t
This type is used for rsync-related files in the /etc/ directory.
22.3. Booleans
SELinux is based on the least level of access required for a service to run. Services can be run in a variety of ways; therefore, you need to specify how you run your services. Use the following Booleans to set up SELinux:
rsync_ano n_wri te
Having this Boolean enabled allows rsync in the rsync_t domain to manage files, links and directories that have a type of publ i c_co ntent_rw_t. Often these are public files used for public file transfer services. Files and directories must be labeled this type.
rsync_cl i ent
Having this Boolean enabled allows rsync to initiate connections to ports defined as rsync_po rt_t, as well as allowing the daemon to manage files, links, and directories that have a type of rsync_d ata_t. Note that rsync must be in the rsync_t domain in order for SELinux to enact its control over it. The configuration example in this chapter demonstrates rsync running in the rsync_t domain.
rsync_expo rt_al l _ro
Having this Boolean enabled allows rsync in the rsync_t domain to export NFS and CIFS volumes with read-only access to clients.
Note
Due to the continuous development of the SELinux policy, the list above might not contain all Booleans related to the service at all times. To list them, run the following command:
~]$ g etsebo o l -a | g rep service_name
Run the following command to view description of a particular Boolean:
~]$ sepo l i cy bo o l eans -b boolean_name
Note that the additional policycoreutils-devel package providing the sepo l i cy utility is required.