Hi list,

I'm new to CentOS and I have very little knowledge of SELinux.

I can disable it, but I prefer to keep it on for study.

I have a second mirrored device that I use for file sharing. This is the scenario:

/dev/md2 mounted on /mnt/data

To make samba work I must set the file context of the path /mnt/data to samba_share_t. After this samba works.

Now I'm setting up postgresql on the same machine, and for first disk size I must use /dev/md2.

After configuring the postgresql script to init the db, and setting up the alternative data path pointing to /mnt/data/pgsql/data, initdb or starting postgresql fails. This issue is SELinux related.

Now, the directory /mnt/data/pgsql/data has fcontext samba_share_t and the postgresql init script gives permission denied on /mnt/data/pgsql/data/postgresql.conf.

At this point I've tried to set /mnt/data to postgresql_db_t with chcon, rerun initdb and /etc/init.d/postgresql start, and all works fine, except for samba. I can't access the share anymore (because of the context change).

I've tried to set:

/mnt/data to samba_share_t
/mnt/data/pgsql to postgresql_db_t

but with this config it is pgsql that does not work.

At this point, is it possible to set multiple contexts on /mnt/data to make samba and postgresql work on the same path, or must I use "public....."

Is it a better choice to mount /dev/md2 on /mnt/data, make two dirs, one for pgsql and another for sambashare, set the relative context and start the services?

Thanks in advance.

Alessandro.

On 3/31/2014 7:18 AM, Alessandro Baggi wrote:
> It's a better choice mount /dev/md2 on /mnt/data, make two dirs, one for
> pgsql and another for sambashare, set relative context and start services?

well, it's not a good practice to have your postgres data directory in a shared location, as nothing other than the postgres server should be looking at it.

--
john r pierce 37N 122W
somewhere on the middle of the left coast

Do you actually want the data to be available to both domains at the same time? Or could you set up different directories?

If you want them to be both available you could label it postgresql_db_t, and then turn on the samba_export_all_ro_boolean or samba_export_all_rw_boolean.

If this was too loose you could run in permissive mode and gather the AVCs and then use audit2allow to build a custom policy module for your access.

On 03/31/2014 10:18 AM, Alessandro Baggi wrote:
> Hi list,
> I'm new to Centos and I've a very small knowledge of selinux use.
>
> I can disable it, but I prefer take it on for study.
>
> I've a second mirrored device that I use for file sharing.
> This is the scenario:
>
> /dev/md2 mounted on /mnt/data
>
> To make samba working I must set the file context to the path at
> samba_share_t on /mnt/data. After this samba works.
>
> Now I'm setting up postgresql on the same machine, and for first disk
> size I must use /dev/md2.
>
> After configuring postgresql script to init the db, and setting up the
> alternative data path pointing to /mnt/data/pgsql/data, initdb or start
> postgresql fail. This issue is selinux related.
>
> Now, directory /mnt/data/pgsql/data, has fcontext to samba_share_t and
> postgresql init script give permission denied on
> /mnt/data/pgsql/data/postgresql.conf.
>
> At this point I've tried to set with chcon /mnt/data at postgresql_db_t,
> rerun initdb and /etc/init.d/postgresql start and all works fine, except
> for samba. I can't access anymore the share (for context change).
>
> I've tried to set:
>
> /mnt/data to samba_share_t
> /mnt/data/pgsql to postgresql_db_t
>
> but with this config is pgsql that does not work.
>
> At this point, is possible set to /mnt/data a multiple context to make
> samba and postgresql to get working on the same path, or I must use
> "public....."
>
> It's a better choice mount /dev/md2 on /mnt/data, make two dirs, one for
> pgsql and another for sambashare, set relative context and start services?
>
> Thanks in advance.
>
> Alessandro.
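
The "gather the AVCs" step suggested in the reply above, as an added example that is not part of the thread: a small Python summarizer that groups denials by source domain, target type and object class, which are the facts a custom policy module is built from. The audit lines are constructed samples, and the smbd_t and postgresql_t domain names and all function names are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed audit.log lines for illustration (not taken from the thread).
# smbd_t and postgresql_t are assumed to be the daemons' process domains.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1396275480.101:411): avc:  denied  { search } for  pid=2211 comm="postmaster" name="data" dev=md2 ino=2 scontext=unconfined_u:system_r:postgresql_t:s0 tcontext=system_u:object_r:samba_share_t:s0 tclass=dir
type=SYSCALL msg=audit(1396275480.101:411): arch=c000003e syscall=2 success=no exit=-13 comm="postmaster"
type=AVC msg=audit(1396275481.350:412): avc:  denied  { read open } for  pid=2211 comm="postmaster" name="postgresql.conf" dev=md2 ino=131 scontext=unconfined_u:system_r:postgresql_t:s0 tcontext=system_u:object_r:samba_share_t:s0 tclass=file
type=AVC msg=audit(1396275502.007:420): avc:  denied  { read } for  pid=1987 comm="smbd" name="data" dev=md2 ino=2 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:postgresql_db_t:s0 tclass=dir
type=AVC msg=audit(1396275502.009:421): avc:  denied  { getattr } for  pid=1987 comm="smbd" path="/mnt/data" dev=md2 ino=2 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:postgresql_db_t:s0 tclass=dir
"""

# Matches only denied AVC records and captures permissions, both contexts and the class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)


def selinux_type(context):
    """Return the type field of a user:role:type:level security context."""
    return context.split(":")[2]


def summarize_denials(log_text):
    """Map (source domain, target type, class) -> sorted list of denied permissions."""
    summary = defaultdict(set)
    for line in log_text.splitlines():
        match = AVC_RE.search(line)
        if match is None:
            continue  # SYSCALL records, granted AVCs and other audit types
        key = (selinux_type(match["scon"]), selinux_type(match["tcon"]), match["tclass"])
        summary[key].update(match["perms"].split())
    return {key: sorted(perms) for key, perms in summary.items()}


if __name__ == "__main__":
    for (domain, target, tclass), perms in sorted(summarize_denials(SAMPLE_AUDIT_LOG).items()):
        print(f"{domain} -> {target}:{tclass} denied {{ {' '.join(perms)} }}")
```

A domain that is denied on the other service's type shows which label is blocking which daemon before anything is relabelled or allowed.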