On 07/23/2010 01:50 PM, Marcelo Roccasalva wrote:
> Anyway, what are the best practices to allow postgresql "copy to" a
> subdirectory of a home directory (without disabling selinux)? I'm
> running centos 5.5.
The first thing you'll want to do is enable auditing. One of the items
in Fedora's SELinux FAQ
(http://docs.fedoraproject.org/en-US/Fedora/13/html/SELinux_FAQ/)
indicates that you'd do so with:
# semodule -b /usr/share/selinux/targeted/enableaudit.pp
Once auditing is enabled, make sure SELinux is in permissive mode.
Start watching the audit log for your denial messages:
# tail -f /var/log/audit/audit.log
Ask the SQL server to "copy to" a denied location again. When it
completes, use Ctrl+C to cancel the log "tail" and then re-enable the
standard "dontaudit" rules:
# semodule -b /usr/share/selinux/targeted/base.pp
Now that you have the audit logs that correspond to the denial which
you'd like to reverse, you can create a new module to allow that
access. Use "audit2allow" to create the module. You can name the
module whatever you like. Paste the lines from audit.log which
correspond to the access you'd like to allow. When finished, use Ctrl+D
to indicate the end of input:
# audit2allow -M allowPostToHome
  (paste the relevant audit.log lines here, then press Ctrl+D)
audit2allow will create a module source file called allowPostToHome.te
and then compile it to a file called allowPostToHome.pp. It will
indicate that you need to load the module file with semodule, which
you'll need to do:
# semodule -i allowPostToHome.pp
After that, PostgreSQL should be able to perform the action which was
previously denied, while still retaining the other aspects of its SELinux
configuration. Once the module is loaded, the policy has been changed.
semodule will also copy the module file to a location where it will be
loaded on future system boots so that it remains active.
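The step in the procedure above that most often goes wrong is choosing which audit.log lines to paste: in permissive mode every denial from every domain is logged, and feeding all of them to audit2allow produces a module that grants far more than the "copy to" access. The script below is an added example, not part of the mail above and not from the PostgreSQL or SELinux projects. It selects only the AVC records for one source domain (assumed here to be postgresql_t, the domain the targeted policy uses for the server) and pipes them to the same audit2allow invocation the mail uses. The log lines in sample_log are constructed for illustration; the regular expressions match the real AVC record layout. make_module needs the policycoreutils tools and is not run unless you call it.

```shell
#!/bin/sh
# Added example: pick out the AVC denials for one SELinux domain from an
# audit log and hand only those to audit2allow. Not code from the original
# mail; postgresql_t and the sample records below are assumptions.

# sample_log: constructed audit.log excerpt. Three denials come from
# postgresql_t (searching the home dir, then creating/writing the output
# file). The SYSCALL record and the httpd_t denial are noise that must
# NOT end up in the module.
sample_log() {
    cat <<'EOF'
type=AVC msg=audit(1279906200.101:201): avc:  denied  { search } for  pid=2231 comm="postmaster" name="marcelo" dev=sda3 ino=131073 scontext=system_u:system_r:postgresql_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir
type=SYSCALL msg=audit(1279906200.101:201): arch=c000003e syscall=2 success=yes exit=6 comm="postmaster" exe="/usr/bin/postmaster" subj=system_u:system_r:postgresql_t:s0 key=(null)
type=AVC msg=audit(1279906200.102:202): avc:  denied  { add_name } for  pid=2231 comm="postmaster" name="report.csv" scontext=system_u:system_r:postgresql_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1279906200.102:203): avc:  denied  { create write } for  pid=2231 comm="postmaster" name="report.csv" scontext=system_u:system_r:postgresql_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1279906207.400:204): avc:  denied  { read } for  pid=1802 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
EOF
}

# select_avc LOGFILE DOMAIN
# Print only the AVC records whose source context type is DOMAIN.
# Matching on "scontext=...:DOMAIN:" rather than on comm= avoids picking
# up SYSCALL records (which carry subj= instead) and other daemons'
# denials that happened to be logged while the box was permissive.
select_avc() {
    awk -v dom="$2" \
        '/type=AVC/ && $0 ~ ("scontext=[^ ]*:" dom ":")' "$1"
}

# count_avc LOGFILE DOMAIN: number of records select_avc would pass on.
count_avc() {
    select_avc "$1" "$2" | wc -l | tr -d ' \n'
}

# make_module NAME LOGFILE DOMAIN
# Build NAME.te / NAME.pp from the selected denials, exactly as the mail
# does with pasted lines. Review NAME.te before "semodule -i NAME.pp";
# both steps need the policycoreutils tools and root. Not run here.
make_module() {
    select_avc "$2" "$3" | audit2allow -M "$1"
}

# Demonstration on the constructed log: show which records survive.
tmp=$(mktemp)
sample_log > "$tmp"
echo "records selected for postgresql_t: $(count_avc "$tmp" postgresql_t)"
select_avc "$tmp" postgresql_t
rm -f "$tmp"
```

Run it as-is to see the three postgresql_t records printed and the httpd_t and SYSCALL records dropped; on a real box replace the sample with `select_avc /var/log/audit/audit.log postgresql_t` and read the generated .te file before loading the module, since every `allow` line in it becomes permanent policy.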