postgresql_selinux(8)          SELinux Policy postgresql          postgresql_selinux(8)

NAME
postgresql_selinux - Security Enhanced Linux Policy for the postgresql processes

DESCRIPTION
Security-Enhanced Linux secures the postgresql processes via flexible mandatory access control.

The postgresql processes execute with the postgresql_t SELinux type. You can check whether these processes are running by executing the ps command with the -Z qualifier.

For example:

ps -eZ | grep postgresql_t

ENTRYPOINTS
The postgresql_t SELinux type can be entered via the postgresql_exec_t file type.

The default entrypoint paths for the postgresql_t domain are the following:

/usr/bin/(se)?postgres, /usr/bin/initdb(.sepgsql)?, /usr/lib/postgresql/bin/.*, /usr/bin/pg_ctl, /usr/libexec/postgresql-ctl, /usr/bin/postgresql-check-db-dir, /usr/lib/pgsql/test/regress/pg_regress

PROCESS TYPES
SELinux defines process types (domains) for each process running on the system.

You can see the context of a process using the -Z option to ps.

Policy governs the access confined processes have to files. SELinux postgresql policy is very flexible, allowing users to set up their postgresql processes in as secure a manner as possible.

The following process types are defined for postgresql:

postgresql_t

Note: semanage permissive -a postgresql_t can be used to make the process type postgresql_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated.
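The ps -eZ check above is easy to eyeball once, but a postgres binary started by hand from an unlabeled copy runs in the caller's domain rather than postgresql_t, and that is the case worth catching. The following script is an added example, not part of this generated manual page: it parses ps -eZ output (SAMPLE_PS is constructed sample data in that layout) and reports every postgres process whose type is not postgresql_t.

```shell
#!/bin/sh
# Added example (not part of this sepolicy-generated page): confirm that
# every running postgres process is confined in postgresql_t, from ps -eZ
# output. SAMPLE_PS is CONSTRUCTED sample output in ps -eZ layout; on a
# real host pass "$(ps -eZ)" instead.
SAMPLE_PS='LABEL                                     PID TTY          TIME CMD
system_u:system_r:init_t:s0                 1 ?        00:00:02 systemd
system_u:system_r:postgresql_t:s0         812 ?        00:00:01 postgres
system_u:system_r:postgresql_t:s0         815 ?        00:00:00 postgres
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2210 pts/0 00:00:00 postgres'

# Print "PID TYPE CMD" for each process whose command matches CMD_PATTERN
# (an awk regex) but whose SELinux type is not EXPECTED. Exit 0 when every
# match is confined as expected, 1 otherwise.
find_unconfined() {
    ps_output=$1; cmd_pattern=$2; expected=$3
    printf '%s\n' "$ps_output" | awk -v pat="$cmd_pattern" -v want="$expected" '
        NR == 1 { next }                    # header line
        $NF ~ pat {
            split($1, ctx, ":")             # user:role:type[:range]
            if (ctx[3] != want) { print $2, ctx[3], $NF; bad = 1 }
        }
        END { exit (bad ? 1 : 0) }'
}

# Number of processes running in domain TYPE (the "is it running?" check).
count_in_domain() {
    printf '%s\n' "$1" | awk -v want="$2" '
        NR > 1 { split($1, ctx, ":"); if (ctx[3] == want) n++ }
        END { print n + 0 }'
}

# Demo run on the constructed sample.
echo "processes in postgresql_t: $(count_in_domain "$SAMPLE_PS" postgresql_t)"
if find_unconfined "$SAMPLE_PS" '^postgres$' postgresql_t; then
    echo "all postgres processes are confined in postgresql_t"
else
    echo "postgres process(es) listed above run outside postgresql_t"
fi
```

On the sample data the script reports PID 2210 as running in unconfined_t; on a real host that usually means the executable was not started through one of the postgresql_exec_t entrypoints listed above, so the policy is not being applied to it at all.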

BOOLEANS
SELinux policy is customizable based on the least access required. postgresql policy is extremely flexible and has several booleans that allow you to manipulate the policy and run postgresql with the tightest access possible.

If you want to allow postgresql to use ssh and rsync for point-in-time recovery, you must turn on the postgresql_can_rsync boolean. Disabled by default.

setsebool -P postgresql_can_rsync 1

If you want to allow the client label to be transmitted to a foreign database, you must turn on the postgresql_selinux_transmit_client_label boolean. Disabled by default.

setsebool -P postgresql_selinux_transmit_client_label 1

If you want to allow users to resolve user passwd entries directly from ldap rather than using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default.

setsebool -P authlogin_nsswitch_use_ldap 1

If you want to deny user domain applications the ability to map a memory region as both executable and writable (this is dangerous, and any executable that needs it should be reported in bugzilla), you must turn on the deny_execmem boolean. Enabled by default.

setsebool -P deny_execmem 1

If you want to determine whether exim can connect to databases, you must turn on the exim_can_connect_db boolean. Disabled by default.

setsebool -P exim_can_connect_db 1

If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default.

setsebool -P fips_mode 1

If you want to determine whether ftpd can connect to databases over the TCP network, you must turn on the ftpd_connect_db boolean. Disabled by default.

setsebool -P ftpd_connect_db 1

If you want to allow HTTPD scripts and modules to connect to databases over the network, you must turn on the httpd_can_network_connect_db boolean. Disabled by default.

setsebool -P httpd_can_network_connect_db 1

If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default.

setsebool -P kerberos_enabled 1

If you want to allow the system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default.

setsebool -P nis_enabled 1

If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Enabled by default.

setsebool -P nscd_use_shm 1

If you want to allow PowerDNS to connect to databases over the network, you must turn on the pdns_can_network_connect_db boolean. Disabled by default.

setsebool -P pdns_can_network_connect_db 1

If you want to allow users to connect to PostgreSQL, you must turn on the selinuxuser_postgresql_connect_enabled boolean. Disabled by default.

setsebool -P selinuxuser_postgresql_connect_enabled 1
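Each boolean above widens what some domain may do, so the practical question on a running host is which of them have drifted from the least-access baseline. The script below is an added example, not part of this generated manual page: it compares getsebool -a output (SAMPLE_GETSEBOOL is constructed sample data in that layout) against a desired state built from the defaults listed above, with two booleans switched on for a hypothetical site, and prints only the setsebool -P commands needed to converge.

```shell
#!/bin/sh
# Added example (not part of this sepolicy-generated page): audit the
# booleans listed above against a desired baseline and emit the setsebool
# commands needed to converge. SAMPLE_GETSEBOOL is CONSTRUCTED output in
# `getsebool -a` layout; on a real host pass "$(getsebool -a)" instead.
SAMPLE_GETSEBOOL='authlogin_nsswitch_use_ldap --> off
deny_execmem --> on
exim_can_connect_db --> off
fips_mode --> on
ftpd_connect_db --> on
httpd_can_network_connect_db --> on
kerberos_enabled --> on
nis_enabled --> off
nscd_use_shm --> on
pdns_can_network_connect_db --> off
postgresql_can_rsync --> off
postgresql_selinux_transmit_client_label --> off
selinuxuser_postgresql_connect_enabled --> off'

# Desired state: the page defaults, with only the booleans this (hypothetical)
# site needs turned on: a web application must reach the database, and
# point-in-time recovery uses rsync. Everything else stays at its default.
DESIRED='authlogin_nsswitch_use_ldap off
deny_execmem on
exim_can_connect_db off
fips_mode on
ftpd_connect_db off
httpd_can_network_connect_db on
kerberos_enabled on
nis_enabled off
nscd_use_shm on
pdns_can_network_connect_db off
postgresql_can_rsync on
postgresql_selinux_transmit_client_label off
selinuxuser_postgresql_connect_enabled off'

# Print one "setsebool -P NAME 0|1" per boolean whose current value differs
# from DESIRED (input order preserved). Booleans named in DESIRED but absent
# from the getsebool output are reported on stderr, since the loaded policy
# may simply not define them.
boolean_drift() {
    current=$1; desired=$2
    printf '%s\n' "$current" | awk -v desired="$desired" '
        BEGIN {
            n = split(desired, lines, "\n")
            for (i = 1; i <= n; i++) { split(lines[i], kv, " "); want[kv[1]] = kv[2] }
        }
        $2 == "-->" && ($1 in want) {
            seen[$1] = 1
            if ($3 != want[$1]) printf "setsebool -P %s %d\n", $1, (want[$1] == "on")
        }
        END {
            for (b in want) if (!(b in seen))
                print "warning: " b " not reported by getsebool" > "/dev/stderr"
        }'
}

# Demo run on the constructed sample: ftpd_connect_db is on but should be
# off, and postgresql_can_rsync is off but should be on.
boolean_drift "$SAMPLE_GETSEBOOL" "$DESIRED"
```

The output is a list of commands rather than an immediate change, so it can be reviewed before it is applied; booleans that already match are silent, and an unknown boolean name produces a warning rather than a command that setsebool would reject.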

PORT TYPES
SELinux defines port types to represent TCP and UDP ports.

You can see the types associated with a port by using the following command:

semanage port -l

Policy governs the access confined processes have to these ports. SELinux postgresql policy is very flexible, allowing users to set up their postgresql processes in as secure a manner as possible.

The following port types are defined for postgresql:

postgresql_port_t

Default Defined Ports:
tcp 5432,9898
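A confined postgresql_t process can only bind ports labeled postgresql_port_t, so running the server on a port other than 5432 or 9898 fails under enforcing mode until the port is labeled. The script below is an added example, not part of this generated manual page: it looks a TCP port up in semanage port -l output (SAMPLE_PORTS is constructed sample data in that layout), distinguishes an exact mapping from a range such as unreserved_port_t, and prints the semanage port command that would label the port for postgresql when no exact mapping claims it.

```shell
#!/bin/sh
# Added example (not part of this sepolicy-generated page): find which port
# type owns a TCP port from `semanage port -l` output, and print the command
# that would label an extra port for postgresql. SAMPLE_PORTS is CONSTRUCTED
# in the layout of `semanage port -l`; on a real host pass "$(semanage port -l)".
SAMPLE_PORTS='SELinux Port Type              Proto    Port Number

http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
postgresql_port_t              tcp      5432, 9898
ssh_port_t                     tcp      22
unreserved_port_t              tcp      1024-32767, 61001-65535'

# Print "TYPE exact" when a single-port mapping for PROTO/PORT exists,
# "TYPE range" when only a range mapping covers it, nothing otherwise.
port_type_of() {
    listing=$1; proto=$2; port=$3
    printf '%s\n' "$listing" | awk -v proto="$proto" -v port="$port" '
        NR > 1 && NF >= 3 && $2 == proto {
            for (i = 3; i <= NF; i++) {
                p = $i; sub(/,$/, "", p)              # strip list comma
                if (p ~ /-/) {
                    split(p, r, "-")
                    if (range_owner == "" && port + 0 >= r[1] + 0 && port + 0 <= r[2] + 0)
                        range_owner = $1
                } else if (p + 0 == port + 0) {
                    print $1, "exact"; found = 1; exit
                }
            }
        }
        END { if (!found && range_owner != "") print range_owner, "range" }'
}

# Decide what to do for tcp/PORT: a range owner such as unreserved_port_t is
# not a conflict and can simply be given an exact postgresql mapping; an
# exact mapping owned by another type must be changed deliberately.
ensure_postgresql_port() {
    owner=$(port_type_of "$1" tcp "$2")
    case $owner in
        "postgresql_port_t exact")
            echo "tcp/$2 is already labeled postgresql_port_t" ;;
        *" exact")
            echo "tcp/$2 is already defined as ${owner% exact}; choose another port or change the mapping with semanage port -m" ;;
        *)
            echo "semanage port -a -t postgresql_port_t -p tcp $2" ;;
    esac
}

# Demo run on the constructed sample.
for p in 5432 5433 80; do
    ensure_postgresql_port "$SAMPLE_PORTS" "$p"
done
```

The exact-versus-range distinction matters because semanage port -a refuses to add a port that already has a single-port mapping, while ports that merely fall inside unreserved_port_t can be labeled without touching any other service's definition.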

MANAGED FILES
The SELinux process type postgresql_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note that the process's UID still needs to have DAC permissions.

cluster_conf_t
/etc/cluster(/.*)?

cluster_var_lib_t
/var/lib/pcsd(/.*)?
/var/lib/cluster(/.*)?
/var/lib/openais(/.*)?
/var/lib/pengine(/.*)?
/var/lib/corosync(/.*)?
/usr/lib/heartbeat(/.*)?
/var/lib/heartbeat(/.*)?
/var/lib/pacemaker(/.*)?

cluster_var_run_t
/var/run/crm(/.*)?
/var/run/cman_.*
/var/run/rsctmp(/.*)?
/var/run/aisexec.*
/var/run/heartbeat(/.*)?
/var/run/corosync-qnetd(/.*)?
/var/run/corosync-qdevice(/.*)?
/var/run/corosync.pid
/var/run/cpglockd.pid
/var/run/rgmanager.pid
/var/run/cluster/rgmanager.sk

faillog_t
/var/log/btmp.*
/var/log/faillog.*
/var/log/tallylog.*
/var/run/faillock(/.*)?

hugetlbfs_t
/dev/hugepages
/usr/lib/udev/devices/hugepages

krb5_host_rcache_t
/var/cache/krb5rcache(/.*)?
/var/tmp/nfs_0
/var/tmp/DNS_25
/var/tmp/host_0
/var/tmp/imap_0
/var/tmp/HTTP_23
/var/tmp/HTTP_48
/var/tmp/ldap_55
/var/tmp/ldap_487
/var/tmp/ldapmap1_0

lastlog_t
/var/log/lastlog.*

postgresql_db_t
/var/lib/pgsql(/.*)?
/var/lib/sepgsql(/.*)?
/var/lib/postgres(ql)?(/.*)?
/usr/share/jonas/pgsql(/.*)?
/usr/lib/pgsql/test/regress(/.*)?

postgresql_lock_t

postgresql_log_t
/var/lib/pgsql/.*.log
/var/log/rhdb/rhdb(/.*)?
/var/log/postgresql(/.*)?
/var/log/postgres.log.*
/var/lib/pgsql/logfile(/.*)?
/var/lib/pgsql/data/log(/.*)?
/var/log/sepostgresql.log.*
/var/lib/pgsql/data/pg_log(/.*)?
/var/lib/sepgsql/pgstartup.log

postgresql_tmp_t

postgresql_var_run_t
/var/run/postgresql(/.*)?

root_t
/sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
/
/initrd

security_t
/selinux

FILE CONTEXTS
SELinux requires files to have an extended attribute to define the file type.

You can see the context of a file using the -Z option to ls.

Policy governs the access confined processes have to these files. SELinux postgresql policy is very flexible, allowing users to set up their postgresql processes in as secure a manner as possible.

EQUIVALENCE DIRECTORIES

postgresql policy stores data with multiple different file context types under the /var/lib/pgsql directory. If you would like to store the data in a different directory, you can use the semanage command to create an equivalence mapping. If you wanted to store this data under the /srv directory, you would execute the following command:

semanage fcontext -a -e /var/lib/pgsql /srv/pgsql
restorecon -R -v /srv/pgsql

postgresql policy stores data with multiple different file context types under the /var/lib/sepgsql directory. If you would like to store the data in a different directory, you can use the semanage command to create an equivalence mapping. If you wanted to store this data under the /srv directory, you would execute the following command:

semanage fcontext -a -e /var/lib/sepgsql /srv/sepgsql
restorecon -R -v /srv/sepgsql

STANDARD FILE CONTEXT

SELinux defines the file context types for postgresql; if you want to store files with these types in different paths, you need to execute the semanage command to specify alternate labeling and then use restorecon to put the labels on disk.

semanage fcontext -a -t postgresql_var_run_t '/srv/mypostgresql_content(/.*)?'
restorecon -R -v /srv/mypostgresql_content

Note: SELinux often uses regular expressions to specify labels that match multiple files.
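The equivalence and standard-context procedures above end with restorecon, and the step practitioners skip is checking afterwards that every file under the new tree actually carries a postgresql type. The script below is an added example, not part of this generated manual page: it produces the two relocation commands for a chosen directory and then scans ls -Z style output (SAMPLE_LS is constructed sample data in the "CONTEXT PATH" layout of find DIR -exec ls -dZ {} +) for entries under the relocated tree whose type is not one of the postgresql file types.

```shell
#!/bin/sh
# Added example (not part of this sepolicy-generated page): build the
# relocation commands described above and verify the on-disk labels
# afterwards. SAMPLE_LS is CONSTRUCTED output in the "CONTEXT PATH" layout
# of `find DIR -exec ls -dZ {} +`; on a real host pass that command's output.
SAMPLE_LS='system_u:object_r:postgresql_db_t:s0 /srv/pgsql/data
system_u:object_r:postgresql_db_t:s0 /srv/pgsql/data/PG_VERSION
system_u:object_r:postgresql_log_t:s0 /srv/pgsql/data/log/postgresql.log
unconfined_u:object_r:var_t:s0 /srv/pgsql/data/base/1/1234
unconfined_u:object_r:user_home_t:s0 /srv/pgsql/backups/dump.sql
system_u:object_r:etc_t:s0 /etc/hosts'

# The equivalence mapping plus relabel for moving DEFAULT_DIR to NEW_DIR,
# exactly the two commands the EQUIVALENCE DIRECTORIES procedure uses.
relocate_cmds() {
    printf 'semanage fcontext -a -e %s %s\nrestorecon -R -v %s\n' "$1" "$2" "$2"
}

# Print "TYPE PATH" for each entry at or below ROOT whose type is not in
# ALLOWED (space-separated). Anything listed here is a file postgresql_t
# will be denied access to, typically one created before the mapping was
# added and not yet relabeled, or one placed outside the mapped tree.
mislabeled_under() {
    listing=$1; root=$2; allowed=$3
    printf '%s\n' "$listing" | awk -v root="$root" -v allowed="$allowed" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $2 == root || index($2, root "/") == 1 {
            split($1, ctx, ":")             # user:role:type:range
            if (!(ctx[3] in ok)) print ctx[3], $2
        }'
}

# Demo: the commands to run, then the post-relabel check on the sample.
relocate_cmds /var/lib/pgsql /srv/pgsql
mislabeled_under "$SAMPLE_LS" /srv/pgsql 'postgresql_db_t postgresql_log_t'
```

On the sample the check flags a var_t file under data/base and a user_home_t dump under backups; both would show up as AVC denials the moment postgresql_t touched them, so running this after restorecon (or from a periodic job) surfaces the problem before the service does.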

The following file types are defined for postgresql:

postgresql_db_t
- Set files with the postgresql_db_t type, if you want to treat the files as postgresql database content.

Paths:
/var/lib/pgsql(/.*)?, /var/lib/sepgsql(/.*)?, /var/lib/postgres(ql)?(/.*)?, /usr/share/jonas/pgsql(/.*)?, /usr/lib/pgsql/test/regress(/.*)?

postgresql_etc_t
- Set files with the postgresql_etc_t type, if you want to store postgresql files in the /etc directories.

Paths:
/etc/postgresql(/.*)?, /etc/sysconfig/pgsql(/.*)?

postgresql_exec_t
- Set files with the postgresql_exec_t type, if you want to transition an executable to the postgresql_t domain.

Paths:
/usr/bin/(se)?postgres, /usr/bin/initdb(.sepgsql)?, /usr/lib/postgresql/bin/.*, /usr/bin/pg_ctl, /usr/libexec/postgresql-ctl, /usr/bin/postgresql-check-db-dir, /usr/lib/pgsql/test/regress/pg_regress

postgresql_initrc_exec_t
- Set files with the postgresql_initrc_exec_t type, if you want to transition an executable to the postgresql_initrc_t domain.

postgresql_lock_t
- Set files with the postgresql_lock_t type, if you want to treat the files as postgresql lock data, stored under the /var/lock directory.

postgresql_log_t
- Set files with the postgresql_log_t type, if you want to treat the data as postgresql log data, usually stored under the /var/log directory.

Paths:
/var/lib/pgsql/.*.log, /var/log/rhdb/rhdb(/.*)?, /var/log/postgresql(/.*)?, /var/log/postgres.log.*, /var/lib/pgsql/logfile(/.*)?, /var/lib/pgsql/data/log(/.*)?, /var/log/sepostgresql.log.*, /var/lib/pgsql/data/pg_log(/.*)?, /var/lib/sepgsql/pgstartup.log

postgresql_tmp_t
- Set files with the postgresql_tmp_t type, if you want to store postgresql temporary files in the /tmp directories.

postgresql_unit_file_t
- Set files with the postgresql_unit_file_t type, if you want to treat the files as postgresql unit content.

postgresql_var_run_t
- Set files with the postgresql_var_run_t type, if you want to store the postgresql files under the /run or /var/run directory.

Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context, you need to use the semanage fcontext command. This will modify the SELinux labeling database. You will need to use restorecon to apply the labels.

COMMANDS
semanage fcontext can also be used to manipulate default file context mappings.

semanage permissive can also be used to manipulate whether or not a process type is permissive.

semanage module can also be used to enable/disable/install/remove policy modules.

semanage port can also be used to manipulate the port definitions.

semanage boolean can also be used to manipulate the booleans.

system-config-selinux is a GUI tool available to customize SELinux policy settings.

AUTHOR
This manual page was auto-generated using sepolicy manpage.

SEE ALSO
selinux(8), postgresql(8), semanage(8), restorecon(8), chcon(1), sepolicy(8), setsebool(8)

postgresql                          19-10-08                 postgresql_selinux(8)