postgresql_selinux(8)      SELinux Policy postgresql     postgresql_selinux(8)

NAME

       postgresql_selinux - Security Enhanced Linux Policy for the postgresql
       processes


DESCRIPTION

       Security-Enhanced Linux secures the postgresql processes via flexible
       mandatory access control.

       The postgresql processes execute with the postgresql_t SELinux type.
       You can check if you have these processes running by executing the ps
       command with the -Z qualifier.

       For example:

       ps -eZ | grep postgresql_t


ENTRYPOINTS

       The postgresql_t SELinux type can be entered via the postgresql_exec_t
       file type.

       The default entrypoint paths for the postgresql_t domain are the
       following:

       /usr/lib(64)?/postgresql/bin/.*,
       /usr/lib(64)?/pgsql/test/regress/pg_regress, /usr/bin/(se)?postgres,
       /usr/bin/initdb(.sepgsql)?


PROCESS TYPES

       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       postgresql policy is very flexible, allowing users to set up their
       postgresql processes in as secure a manner as possible.

       The following process types are defined for postgresql:

       postgresql_t

       Note: semanage permissive -a postgresql_t can be used to make the
       process type postgresql_t permissive. SELinux does not deny access to
       permissive process types, but the AVC (SELinux denial) messages are
       still generated.


BOOLEANS

       SELinux policy is customizable based on the least access required.
       postgresql policy is extremely flexible and has several booleans that
       allow you to manipulate the policy and run postgresql with the tightest
       access possible.

       If you want to allow postgresql to use ssh and rsync for point-in-time
       recovery, you must turn on the postgresql_can_rsync boolean. Disabled
       by default.

       setsebool -P postgresql_can_rsync 1

       If you want to allow all daemons to write corefiles to /, you must turn
       on the allow_daemons_dump_core boolean. Disabled by default.

       setsebool -P allow_daemons_dump_core 1

       If you want to allow all daemons to use tcp wrappers, you must turn on
       the allow_daemons_use_tcp_wrapper boolean. Disabled by default.

       setsebool -P allow_daemons_use_tcp_wrapper 1

       If you want to allow all daemons the ability to read/write terminals,
       you must turn on the allow_daemons_use_tty boolean. Disabled by
       default.

       setsebool -P allow_daemons_use_tty 1

       If you want to allow all domains to use other domains' file descriptors,
       you must turn on the allow_domain_fd_use boolean. Enabled by default.

       setsebool -P allow_domain_fd_use 1

       If you want to allow unconfined executables to map a memory region as
       both executable and writable (this is dangerous and the executable
       should be reported in bugzilla), you must turn on the allow_execmem
       boolean. Enabled by default.

       setsebool -P allow_execmem 1

       If you want to allow confined applications to run with kerberos, you
       must turn on the allow_kerberos boolean. Enabled by default.

       setsebool -P allow_kerberos 1

       If you want to allow sysadm to debug or ptrace all processes, you must
       turn on the allow_ptrace boolean. Disabled by default.

       setsebool -P allow_ptrace 1

       If you want to allow users to connect to PostgreSQL, you must turn on
       the allow_user_postgresql_connect boolean. Disabled by default.

       setsebool -P allow_user_postgresql_connect 1

       If you want to allow the system to run with NIS, you must turn on the
       allow_ypbind boolean. Disabled by default.

       setsebool -P allow_ypbind 1

       If you want to enable cluster mode for daemons, you must turn on the
       daemons_enable_cluster_mode boolean. Disabled by default.

       setsebool -P daemons_enable_cluster_mode 1

       If you want to allow all domains to have the kernel load modules, you
       must turn on the domain_kernel_load_modules boolean. Disabled by
       default.

       setsebool -P domain_kernel_load_modules 1

       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1

       If you want to enable reading of urandom for all domains, you must turn
       on the global_ssp boolean. Disabled by default.

       setsebool -P global_ssp 1

       If you want to allow HTTPD scripts and modules to connect to databases
       over the network, you must turn on the httpd_can_network_connect_db
       boolean. Disabled by default.

       setsebool -P httpd_can_network_connect_db 1

       If you want to enable support for upstart as the init program, you must
       turn on the init_upstart boolean. Enabled by default.

       setsebool -P init_upstart 1

       If you want to allow confined applications to use nscd shared memory,
       you must turn on the nscd_use_shm boolean. Enabled by default.

       setsebool -P nscd_use_shm 1

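       The following shell script is an added example and is not part of the
       generated manual page. It compares the current value of every boolean
       listed above against the default this page states, so that a boolean
       that has been widened on a host (for example allow_ptrace or
       allow_execmem switched on) stands out during a review. The default
       table is transcribed from this page and other policy versions may ship
       different defaults; the function names pg_bool_defaults,
       sample_getsebool and pg_bool_drift are the example's own, and the
       sample getsebool output is constructed.

```shell
#!/bin/sh
# Added example: report booleans whose current value differs from the
# default documented in postgresql_selinux(8). Table transcribed from the
# manual page; defaults on other policy versions may differ.
pg_bool_defaults() {
    cat <<'EOF'
postgresql_can_rsync off
allow_daemons_dump_core off
allow_daemons_use_tcp_wrapper off
allow_daemons_use_tty off
allow_domain_fd_use on
allow_execmem on
allow_kerberos on
allow_ptrace off
allow_user_postgresql_connect off
allow_ypbind off
daemons_enable_cluster_mode off
domain_kernel_load_modules off
fips_mode on
global_ssp off
httpd_can_network_connect_db off
init_upstart on
nscd_use_shm on
EOF
}

# Constructed stand-in for "getsebool -a" output (same "name --> value" form).
# On a real host use: getsebool -a | pg_bool_drift
sample_getsebool() {
    cat <<'EOF'
allow_execmem --> on
allow_ptrace --> on
postgresql_can_rsync --> off
allow_user_postgresql_connect --> on
some_unrelated_boolean --> on
EOF
}

# pg_bool_drift: read "name --> value" lines on stdin and print
# "name value (default d)" for each documented boolean whose current value
# differs from its default. Booleans absent from the table are ignored.
pg_bool_drift() {
    while read -r name arrow value; do
        if [ "$arrow" != "-->" ]; then continue; fi
        default=$(pg_bool_defaults | awk -v n="$name" '$1 == n { print $2 }')
        if [ -z "$default" ]; then continue; fi
        if [ "$value" != "$default" ]; then
            printf '%s %s (default %s)\n' "$name" "$value" "$default"
        fi
    done
}

# Stand-alone demo on the constructed sample: prints the two widened booleans.
sample_getsebool | pg_bool_drift
```

       A boolean that differs from its default is not necessarily wrong, but
       each one listed widens what postgresql_t or every daemon domain may do,
       so the list is the set of deviations worth justifying in a review.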

PORT TYPES

       SELinux defines port types to represent TCP and UDP ports.

       You can see the types associated with a port by using the following
       command:

       semanage port -l

       Policy governs the access confined processes have to these ports.
       SELinux postgresql policy is very flexible, allowing users to set up
       their postgresql processes in as secure a manner as possible.

       The following port types are defined for postgresql:

       postgresql_port_t

       Default Defined Ports:
                 tcp 5432

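       The following shell script is an added example and is not part of the
       generated manual page. Before starting postgresql on a port other than
       the default 5432, a practitioner wants to know whether that port is
       already covered by postgresql_port_t (or by some other type). The
       function pg_port_type below reads a listing in the format printed by
       semanage port -l, handles the comma-separated lists and ranges that
       listing uses, and prints the type covering a given protocol and port.
       The listing sample_port_listing is constructed for the example, and the
       function names are the example's own.

```shell
#!/bin/sh
# Added example: find the SELinux port type that covers PROTO/PORT in a
# "semanage port -l" style listing. The listing below is constructed;
# on a real host use: semanage port -l | pg_port_type tcp 5433
sample_port_listing() {
    cat <<'EOF'
SELinux Port Type              Proto    Port Number

postgresql_port_t              tcp      5432
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
mysqld_port_t                  tcp      1186, 3306, 63132-63164
ssh_port_t                     tcp      22
EOF
}

# pg_port_type PROTO PORT  (listing on stdin)
# Prints the port type whose definition contains PORT for PROTO, or
# "unlabeled" when no definition matches (the port would then carry the
# generic type and a confined postgresql would be denied when binding it).
pg_port_type() {
    proto=$1; port=$2; found=''
    while read -r type p rest; do
        if [ "$p" != "$proto" ]; then continue; fi
        # rest is "a, b, c-d": drop the commas and test each token
        for tok in $(printf '%s' "$rest" | tr -d ','); do
            case $tok in
                *-*)
                    lo=${tok%-*}; hi=${tok#*-}
                    if [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]; then
                        found=$type
                    fi ;;
                *)
                    if [ "$tok" -eq "$port" ]; then found=$type; fi ;;
            esac
        done
    done
    printf '%s\n' "${found:-unlabeled}"
}

# Stand-alone demo: the default port, a port inside a range, and an
# unlabeled port that would need "semanage port -a -t postgresql_port_t".
sample_port_listing | pg_port_type tcp 5432
sample_port_listing | pg_port_type tcp 63140
sample_port_listing | pg_port_type tcp 5433
```

       The header line and blank line of the listing are skipped because
       their second column is not a protocol name, so the real semanage
       output can be piped in unchanged.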

MANAGED FILES

       The SELinux process type postgresql_t can manage files labeled with the
       following file types. The paths listed are the default paths for these
       file types. Note that the process's UID still needs DAC permissions on
       the files.

       cluster_conf_t

            /etc/cluster(/.*)?

       cluster_var_lib_t

            /var/lib(64)?/openais(/.*)?
            /var/lib(64)?/pengine(/.*)?
            /var/lib(64)?/corosync(/.*)?
            /usr/lib(64)?/heartbeat(/.*)?
            /var/lib(64)?/heartbeat(/.*)?
            /var/lib(64)?/pacemaker(/.*)?
            /var/lib/cluster(/.*)?

       cluster_var_run_t

            /var/run/crm(/.*)?
            /var/run/cman_.*
            /var/run/rsctmp(/.*)?
            /var/run/aisexec.*
            /var/run/heartbeat(/.*)?
            /var/run/cpglockd.pid
            /var/run/corosync.pid
            /var/run/rgmanager.pid
            /var/run/cluster/rgmanager.sk

       faillog_t

            /var/log/btmp.*
            /var/log/faillog.*
            /var/log/tallylog.*
            /var/run/faillock(/.*)?

       hugetlbfs_t

       initrc_tmp_t

       krb5_host_rcache_t

            /var/cache/krb5rcache(/.*)?
            /var/tmp/host_0
            /var/tmp/HTTP_23

       lastlog_t

            /var/log/lastlog.*

       mnt_t

            /mnt(/[^/]*)
            /mnt(/[^/]*)?
            /rhev(/[^/]*)?
            /media(/[^/]*)
            /media(/[^/]*)?
            /etc/rhgb(/.*)?
            /media/.hal-.*
            /net
            /afs
            /rhev
            /misc

       pcscd_var_run_t

            /var/run/pcscd.events(/.*)?
            /var/run/pcscd.pid
            /var/run/pcscd.pub
            /var/run/pcscd.comm

       postgresql_db_t

            /usr/lib(64)?/pgsql/test/regress(/.*)?
            /var/lib/pgsql(/.*)?
            /var/lib/sepgsql(/.*)?
            /var/lib/postgres(ql)?(/.*)?
            /var/lib/pgsql/data(/.*)?
            /usr/share/jonas/pgsql(/.*)?

       postgresql_lock_t

       postgresql_log_t

            /var/log/rhdb/rhdb(/.*)?
            /var/log/postgresql(/.*)?
            /var/log/postgres.log.*
            /var/lib/pgsql/logfile(/.*)?
            /var/log/sepostgresql.log.*
            /var/lib/pgsql/pgstartup.log.*
            /var/lib/sepgsql/pgstartup.log.*

       postgresql_tmp_t

       postgresql_var_run_t

            /var/run/postgresql(/.*)?

       root_t

            /
            /initrd

       security_t

       tmp_t

            /tmp
            /usr/tmp
            /var/tmp
            /tmp-inst
            /var/tmp-inst
            /var/tmp/vi.recover


FILE CONTEXTS

       SELinux requires files to have an extended attribute to define the file
       type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files.
       SELinux postgresql policy is very flexible, allowing users to set up
       their postgresql processes in as secure a manner as possible.

       EQUIVALENCE DIRECTORIES

       postgresql policy stores data with multiple different file context
       types under the /var/lib/sepgsql directory. If you would like to store
       the data in a different directory you can use the semanage command to
       create an equivalence mapping. If you wanted to store this data under
       the /srv directory you would execute the following command:

       semanage fcontext -a -e /var/lib/sepgsql /srv/sepgsql
       restorecon -R -v /srv/sepgsql

       postgresql policy stores data with multiple different file context
       types under the /var/lib/pgsql directory. If you would like to store
       the data in a different directory you can use the semanage command to
       create an equivalence mapping. If you wanted to store this data under
       the /srv directory you would execute the following command:

       semanage fcontext -a -e /var/lib/pgsql /srv/pgsql
       restorecon -R -v /srv/pgsql

       STANDARD FILE CONTEXT

       SELinux defines the file context types for postgresql. If you want to
       store files with these types in different paths, you need to execute
       the semanage command to specify the alternate labeling and then use
       restorecon to put the labels on disk.

       semanage fcontext -a -t postgresql_var_run_t '/srv/mypostgresql_content(/.*)?'
       restorecon -R -v /srv/mypostgresql_content

       Note: SELinux often uses regular expressions to specify labels that
       match multiple files.

       The following file types are defined for postgresql:

       postgresql_db_t

       - Set files with the postgresql_db_t type, if you want to treat the
       files as postgresql database content.

       Paths:
            /usr/lib(64)?/pgsql/test/regress(/.*)?, /var/lib/pgsql(/.*)?,
            /var/lib/sepgsql(/.*)?, /var/lib/postgres(ql)?(/.*)?,
            /var/lib/pgsql/data(/.*)?, /usr/share/jonas/pgsql(/.*)?

       postgresql_etc_t

       - Set files with the postgresql_etc_t type, if you want to store
       postgresql files in the /etc directories.

       Paths:
            /etc/postgresql(/.*)?, /etc/sysconfig/pgsql(/.*)?

       postgresql_exec_t

       - Set files with the postgresql_exec_t type, if you want to transition
       an executable to the postgresql_t domain.

       Paths:
            /usr/lib(64)?/postgresql/bin/.*,
            /usr/lib(64)?/pgsql/test/regress/pg_regress, /usr/bin/(se)?postgres,
            /usr/bin/initdb(.sepgsql)?

       postgresql_initrc_exec_t

       - Set files with the postgresql_initrc_exec_t type, if you want to
       transition an executable to the postgresql_initrc_t domain.

       postgresql_lock_t

       - Set files with the postgresql_lock_t type, if you want to treat the
       files as postgresql lock data, stored under the /var/lock directory.

       postgresql_log_t

       - Set files with the postgresql_log_t type, if you want to treat the
       data as postgresql log data, usually stored under the /var/log
       directory.

       Paths:
            /var/log/rhdb/rhdb(/.*)?, /var/log/postgresql(/.*)?,
            /var/log/postgres.log.*, /var/lib/pgsql/logfile(/.*)?,
            /var/log/sepostgresql.log.*, /var/lib/pgsql/pgstartup.log.*,
            /var/lib/sepgsql/pgstartup.log.*

       postgresql_tmp_t

       - Set files with the postgresql_tmp_t type, if you want to store
       postgresql temporary files in the /tmp directories.

       postgresql_var_run_t

       - Set files with the postgresql_var_run_t type, if you want to store
       the postgresql files under the /run or /var/run directory.

       Note: File context can be temporarily modified with the chcon command.
       If you want to permanently change the file context you need to use the
       semanage fcontext command. This will modify the SELinux labeling
       database. You will need to use restorecon to apply the labels.

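       The following shell script is an added example and is not part of the
       generated manual page. It shows, for the equivalence mappings and the
       standard file context rules described above, how a path is matched
       against a list of file-context specifications: each regular expression
       is anchored at both ends, and the last matching specification wins,
       which is the order libselinux applies to a compiled file_contexts
       file. An equivalence mapping (semanage fcontext -e) is modelled as a
       prefix rewrite performed before matching. The rule list pg_rules is a
       constructed subset of the postgresql paths on this page, not the real
       file_contexts database, and the function names are the example's own.

```shell
#!/bin/sh
# Added example: predict the label a path receives from a constructed subset
# of the postgresql file-context rules on this page, including the effect of
# an equivalence mapping. Not the real file_contexts database.

# Rules as "<regex> <type>", later entries being the more specific ones.
pg_rules() {
    cat <<'EOF'
/var/lib/postgres(ql)?(/.*)? postgresql_db_t
/var/lib/pgsql(/.*)? postgresql_db_t
/var/lib/pgsql/logfile(/.*)? postgresql_log_t
/var/lib/pgsql/pgstartup.log.* postgresql_log_t
/var/run/postgresql(/.*)? postgresql_var_run_t
/etc/postgresql(/.*)? postgresql_etc_t
/etc/sysconfig/pgsql(/.*)? postgresql_etc_t
/usr/lib(64)?/postgresql/bin/.* postgresql_exec_t
/usr/bin/(se)?postgres postgresql_exec_t
/usr/bin/initdb(.sepgsql)? postgresql_exec_t
EOF
}

# pg_label PATH [EQUIV_TARGET EQUIV_SOURCE]
# With an equivalence, a PATH under EQUIV_TARGET is labeled as if it lived
# under EQUIV_SOURCE, the effect of "semanage fcontext -a -e SOURCE TARGET".
# Prints the type of the last matching rule, or "<<none>>" if none matches.
pg_label() {
    path=$1; target=$2; src=$3; result='<<none>>'
    if [ -n "$target" ]; then
        case $path in
            "$target"|"$target"/*) path="$src${path#"$target"}" ;;
        esac
    fi
    while read -r regex type; do
        if [ -z "$regex" ]; then continue; fi
        # file_contexts regexes are implicitly anchored at both ends
        if printf '%s\n' "$path" | grep -Eq "^${regex}\$"; then
            result=$type
        fi
    done <<EOF
$(pg_rules)
EOF
    printf '%s\n' "$result"
}

# Stand-alone demo: a database file, a startup log inside the same tree
# (the more specific log rule wins), and the tree relocated under /srv.
pg_label /var/lib/pgsql/data/base/1
pg_label /var/lib/pgsql/pgstartup.log
pg_label /srv/pgsql/data/base/1 /srv/pgsql /var/lib/pgsql
```

       Without the equivalence, /srv/pgsql/data/base/1 matches no postgresql
       rule and would keep whatever label /srv carries, which is why the
       restorecon step after semanage fcontext -e is needed: the rules are
       only consulted when labels are (re)applied.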

COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage port can also be used to manipulate the port definitions.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.


AUTHOR

       This manual page was auto-generated using sepolicy manpage.


SEE ALSO

       selinux(8), postgresql(8), semanage(8), restorecon(8), chcon(1),
       setsebool(8)

postgresql                         15-06-03              postgresql_selinux(8)