1postgresql_selinux(8) SELinux Policy postgresql postgresql_selinux(8)
2
6 postgresql_selinux - Security Enhanced Linux Policy for the postgresql
7 processes
8
10 Security-Enhanced Linux secures the postgresql processes via flexible
11 mandatory access control.
12 The postgresql processes execute with the postgresql_t SELinux type.
14 You can check if you have these processes running by executing the ps
15 command with the -Z qualifier.
16 For example:
18 ps -eZ | grep postgresql_t
20
24 The postgresql_t SELinux type can be entered via the postgresql_exec_t
25 file type.
26 The default entrypoint paths for the postgresql_t domain are the fol‐
28 lowing:
29 /usr/bin/(se)?postgres, /usr/bin/initdb(.sepgsql)?, /usr/lib/post‐
31 gresql/bin/.*, /usr/bin/pg_ctl, /usr/libexec/postgresql-ctl,
32 /usr/bin/postgresql-check-db-dir,
33 /usr/lib/pgsql/test/regress/pg_regress
34
36 SELinux defines process types (domains) for each process running on the
37 system
38 You can see the context of a process using the -Z option to ps
40 Policy governs the access confined processes have to files. SELinux
42 postgresql policy is very flexible allowing users to setup their post‐
43 gresql processes in as secure a method as possible.
44 The following process types are defined for postgresql:
46 postgresql_t
48 Note: semanage permissive -a postgresql_t can be used to make the
50 process type postgresql_t permissive. SELinux does not deny access to
51 permissive process types, but the AVC (SELinux denials) messages are
52 still generated.
53
56 SELinux policy is customizable based on least access required. post‐
57 gresql policy is extremely flexible and has several booleans that allow
58 you to manipulate the policy and run postgresql with the tightest
59 access possible.
60 If you want to allow postgresql to use ssh and rsync for point-in-time
64 recovery, you must turn on the postgresql_can_rsync boolean. Disabled
65 by default.
66 setsebool -P postgresql_can_rsync 1
68 If you want to allow transmit client label to foreign database, you
72 must turn on the postgresql_selinux_transmit_client_label boolean. Dis‐
73 abled by default.
74 setsebool -P postgresql_selinux_transmit_client_label 1
76 If you want to allow users to resolve user passwd entries directly from
80 ldap rather then using a sssd server, you must turn on the authlo‐
81 gin_nsswitch_use_ldap boolean. Disabled by default.
82 setsebool -P authlogin_nsswitch_use_ldap 1
84 If you want to allow all daemons to write corefiles to /, you must turn
88 on the daemons_dump_core boolean. Disabled by default.
89 setsebool -P daemons_dump_core 1
91 If you want to enable cluster mode for daemons, you must turn on the
95 daemons_enable_cluster_mode boolean. Enabled by default.
96 setsebool -P daemons_enable_cluster_mode 1
98 If you want to allow all daemons to use tcp wrappers, you must turn on
102 the daemons_use_tcp_wrapper boolean. Disabled by default.
103 setsebool -P daemons_use_tcp_wrapper 1
105 If you want to allow all daemons the ability to read/write terminals,
109 you must turn on the daemons_use_tty boolean. Disabled by default.
110 setsebool -P daemons_use_tty 1
112 If you want to deny user domains applications to map a memory region as
116 both executable and writable, this is dangerous and the executable
117 should be reported in bugzilla, you must turn on the deny_execmem bool‐
118 ean. Enabled by default.
119 setsebool -P deny_execmem 1
121 If you want to deny any process from ptracing or debugging any other
125 processes, you must turn on the deny_ptrace boolean. Enabled by
126 default.
127 setsebool -P deny_ptrace 1
129 If you want to allow any process to mmap any file on system with
133 attribute file_type, you must turn on the domain_can_mmap_files bool‐
134 ean. Enabled by default.
135 setsebool -P domain_can_mmap_files 1
137 If you want to allow all domains write to kmsg_device, while kernel is
141 executed with systemd.log_target=kmsg parameter, you must turn on the
142 domain_can_write_kmsg boolean. Disabled by default.
143 setsebool -P domain_can_write_kmsg 1
145 If you want to allow all domains to use other domains file descriptors,
149 you must turn on the domain_fd_use boolean. Enabled by default.
150 setsebool -P domain_fd_use 1
152 If you want to allow all domains to have the kernel load modules, you
156 must turn on the domain_kernel_load_modules boolean. Disabled by
157 default.
158 setsebool -P domain_kernel_load_modules 1
160 If you want to determine whether exim can connect to databases, you
164 must turn on the exim_can_connect_db boolean. Disabled by default.
165 setsebool -P exim_can_connect_db 1
167 If you want to allow all domains to execute in fips_mode, you must turn
171 on the fips_mode boolean. Enabled by default.
172 setsebool -P fips_mode 1
174 If you want to determine whether ftpd can connect to databases over the
178 TCP network, you must turn on the ftpd_connect_db boolean. Disabled by
179 default.
180 setsebool -P ftpd_connect_db 1
182 If you want to enable reading of urandom for all domains, you must turn
186 on the global_ssp boolean. Disabled by default.
187 setsebool -P global_ssp 1
189 If you want to allow HTTPD scripts and modules to connect to databases
193 over the network, you must turn on the httpd_can_network_connect_db
194 boolean. Disabled by default.
195 setsebool -P httpd_can_network_connect_db 1
197 If you want to allow confined applications to run with kerberos, you
201 must turn on the kerberos_enabled boolean. Enabled by default.
202 setsebool -P kerberos_enabled 1
204 If you want to allow system to run with NIS, you must turn on the
208 nis_enabled boolean. Disabled by default.
209 setsebool -P nis_enabled 1
211 If you want to allow confined applications to use nscd shared memory,
215 you must turn on the nscd_use_shm boolean. Disabled by default.
216 setsebool -P nscd_use_shm 1
218 If you want to allow users to connect to PostgreSQL, you must turn on
222 the selinuxuser_postgresql_connect_enabled boolean. Disabled by
223 default.
224 setsebool -P selinuxuser_postgresql_connect_enabled 1
226
230 SELinux defines port types to represent TCP and UDP ports.
231 You can see the types associated with a port by using the following
233 command:
234 semanage port -l
236 Policy governs the access confined processes have to these ports.
239 SELinux postgresql policy is very flexible allowing users to setup
240 their postgresql processes in as secure a method as possible.
241 The following port types are defined for postgresql:
243 postgresql_port_t
246 Default Defined Ports:
250 tcp 5432,9898
251
253 The SELinux process type postgresql_t can manage files labeled with the
254 following file types. The paths listed are the default paths for these
255 file types. Note the processes UID still need to have DAC permissions.
256 cluster_conf_t
258 /etc/cluster(/.*)?
260 cluster_var_lib_t
262 /var/lib/pcsd(/.*)?
264 /var/lib/cluster(/.*)?
265 /var/lib/openais(/.*)?
266 /var/lib/pengine(/.*)?
267 /var/lib/corosync(/.*)?
268 /usr/lib/heartbeat(/.*)?
269 /var/lib/heartbeat(/.*)?
270 /var/lib/pacemaker(/.*)?
271 cluster_var_run_t
273 /var/run/crm(/.*)?
275 /var/run/cman_.*
276 /var/run/rsctmp(/.*)?
277 /var/run/aisexec.*
278 /var/run/heartbeat(/.*)?
279 /var/run/corosync-qnetd(/.*)?
280 /var/run/corosync-qdevice(/.*)?
281 /var/run/cpglockd.pid
282 /var/run/corosync.pid
283 /var/run/rgmanager.pid
284 /var/run/cluster/rgmanager.sk
285 faillog_t
287 /var/log/btmp.*
289 /var/log/faillog.*
290 /var/log/tallylog.*
291 /var/run/faillock(/.*)?
292 hugetlbfs_t
294 /dev/hugepages
296 /usr/lib/udev/devices/hugepages
297 krb5_host_rcache_t
299 /var/cache/krb5rcache(/.*)?
301 /var/tmp/nfs_0
302 /var/tmp/DNS_25
303 /var/tmp/host_0
304 /var/tmp/imap_0
305 /var/tmp/HTTP_23
306 /var/tmp/HTTP_48
307 /var/tmp/ldap_55
308 /var/tmp/ldap_487
309 /var/tmp/ldapmap1_0
310 lastlog_t
312 /var/log/lastlog.*
314 postgresql_db_t
316 /var/lib/pgsql(/.*)?
318 /var/lib/sepgsql(/.*)?
319 /var/lib/postgres(ql)?(/.*)?
320 /usr/share/jonas/pgsql(/.*)?
321 /usr/lib/pgsql/test/regress(/.*)?
322 postgresql_lock_t
324 postgresql_log_t
327 /var/lib/pgsql/.*.log
329 /var/log/rhdb/rhdb(/.*)?
330 /var/log/postgresql(/.*)?
331 /var/log/postgres.log.*
332 /var/lib/pgsql/logfile(/.*)?
333 /var/log/sepostgresql.log.*
334 /var/lib/pgsql/data/pg_log(/.*)?
335 /var/lib/sepgsql/pgstartup.log
336 postgresql_tmp_t
338 postgresql_var_run_t
341 /var/run/postgresql(/.*)?
343 root_t
345 /sysroot/ostree/deploy/.*-atomic.*/deploy(/.*)?
347 /
348 /initrd
349 security_t
351 /selinux
353
356 SELinux requires files to have an extended attribute to define the file
357 type.
358 You can see the context of a file using the -Z option to ls
360 Policy governs the access confined processes have to these files.
362 SELinux postgresql policy is very flexible allowing users to setup
363 their postgresql processes in as secure a method as possible.
364 EQUIVALENCE DIRECTORIES
366 postgresql policy stores data with multiple different file context
369 types under the /var/lib/sepgsql directory. If you would like to store
370 the data in a different directory you can use the semanage command to
371 create an equivalence mapping. If you wanted to store this data under
372 the /srv dirctory you would execute the following command:
373 semanage fcontext -a -e /var/lib/sepgsql /srv/sepgsql
375 restorecon -R -v /srv/sepgsql
376 postgresql policy stores data with multiple different file context
378 types under the /var/lib/pgsql directory. If you would like to store
379 the data in a different directory you can use the semanage command to
380 create an equivalence mapping. If you wanted to store this data under
381 the /srv dirctory you would execute the following command:
382 semanage fcontext -a -e /var/lib/pgsql /srv/pgsql
384 restorecon -R -v /srv/pgsql
385 STANDARD FILE CONTEXT
387 SELinux defines the file context types for the postgresql, if you
389 wanted to store files with these types in a diffent paths, you need to
390 execute the semanage command to sepecify alternate labeling and then
391 use restorecon to put the labels on disk.
392 semanage fcontext -a -t postgresql_var_run_t '/srv/mypostgresql_con‐
394 tent(/.*)?'
395 restorecon -R -v /srv/mypostgresql_content
396 Note: SELinux often uses regular expressions to specify labels that
398 match multiple files.
399 The following file types are defined for postgresql:
401 postgresql_db_t
405 - Set files with the postgresql_db_t type, if you want to treat the
407 files as postgresql database content.
408 Paths:
411 /var/lib/pgsql(/.*)?, /var/lib/sepgsql(/.*)?, /var/lib/post‐
412 gres(ql)?(/.*)?, /usr/share/jonas/pgsql(/.*)?,
413 /usr/lib/pgsql/test/regress(/.*)?
414 postgresql_etc_t
417 - Set files with the postgresql_etc_t type, if you want to store post‐
419 gresql files in the /etc directories.
420 Paths:
423 /etc/postgresql(/.*)?, /etc/sysconfig/pgsql(/.*)?
424 postgresql_exec_t
427 - Set files with the postgresql_exec_t type, if you want to transition
429 an executable to the postgresql_t domain.
430 Paths:
433 /usr/bin/(se)?postgres, /usr/bin/initdb(.sepgsql)?, /usr/lib/post‐
434 gresql/bin/.*, /usr/bin/pg_ctl, /usr/libexec/postgresql-ctl,
435 /usr/bin/postgresql-check-db-dir,
436 /usr/lib/pgsql/test/regress/pg_regress
437 postgresql_initrc_exec_t
440 - Set files with the postgresql_initrc_exec_t type, if you want to
442 transition an executable to the postgresql_initrc_t domain.
443 postgresql_lock_t
447 - Set files with the postgresql_lock_t type, if you want to treat the
449 files as postgresql lock data, stored under the /var/lock directory
450 postgresql_log_t
454 - Set files with the postgresql_log_t type, if you want to treat the
456 data as postgresql log data, usually stored under the /var/log direc‐
457 tory.
458 Paths:
461 /var/lib/pgsql/.*.log, /var/log/rhdb/rhdb(/.*)?, /var/log/post‐
462 gresql(/.*)?, /var/log/postgres.log.*, /var/lib/pgsql/log‐
463 file(/.*)?, /var/log/sepostgresql.log.*,
464 /var/lib/pgsql/data/pg_log(/.*)?, /var/lib/sepgsql/pgstartup.log
465 postgresql_tmp_t
468 - Set files with the postgresql_tmp_t type, if you want to store post‐
470 gresql temporary files in the /tmp directories.
471 postgresql_var_run_t
475 - Set files with the postgresql_var_run_t type, if you want to store
477 the postgresql files under the /run or /var/run directory.
478 Note: File context can be temporarily modified with the chcon command.
482 If you want to permanently change the file context you need to use the
483 semanage fcontext command. This will modify the SELinux labeling data‐
484 base. You will need to use restorecon to apply the labels.
485
488 semanage fcontext can also be used to manipulate default file context
489 mappings.
490 semanage permissive can also be used to manipulate whether or not a
492 process type is permissive.
493 semanage module can also be used to enable/disable/install/remove pol‐
495 icy modules.
496 semanage port can also be used to manipulate the port definitions
498 semanage boolean can also be used to manipulate the booleans
500 system-config-selinux is a GUI tool available to customize SELinux pol‐
503 icy settings.
504
507 This manual page was auto-generated using sepolicy manpage .
508
511 selinux(8), postgresql(8), semanage(8), restorecon(8), chcon(1), sepol‐
512 icy(8) , setsebool(8)
513postgresql 19-04-25 postgresql_selinux(8)