SELinux Security Policy Adjustment

SELinux (Security-Enhanced Linux) is a Linux kernel security module that enforces mandatory access control policies, enhancing security by restricting user and process actions based on predefined rules. It adds an extra layer of protection by limiting the impact of vulnerabilities and attacks.

It is important to properly configure SELinux to ensure that the PostgreSYS Platform services work correctly.

Below are some steps to adjust SELinux security policies for PostgreSQL:

  1. Check SELinux status

    Terminal input
        sestatus
  2. Adjust SELinux policies to allow network connections for PostgreSQL

    Terminal input
        sudo setsebool -P <BOOLEAN> <VALOR>
    note

    Replace <BOOLEAN> with the name of the SELinux boolean to be configured (e.g., postgresql_can_network_connect) and <VALOR> with 1 (enable) or 0 (disable).

  3. Add security contexts to PostgreSQL directories

    • Generic command to add a security context (replace <DIRETORIO> with the directory path and <CONTEXTO> with the desired SELinux file type)

      Terminal input
          sudo semanage fcontext -a -t <CONTEXTO> "<DIRETORIO>"
    • Apply the security context

      Terminal input
          sudo restorecon -Rv <DIRETORIO>
  4. Configure SELinux to allow network connections and add security contexts to PostgreSQL directories

    • Allow network connections for PostgreSQL

      Terminal input
          sudo setsebool -P postgresql_can_network_connect 1
    • Add security context for PostgreSQL directories

      Terminal input
          # Directories to label; the "(/.*)?" suffix also matches everything below each directory
          DIRETORIOS=("/var/lib/pgsql" "/var/lib/pgsql/data")
          for DIR in "${DIRETORIOS[@]}"; do
              sudo semanage fcontext -a -t postgresql_db_t "${DIR}(/.*)?"
              sudo restorecon -Rv "${DIR}"
          done
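The four steps above combined into one script, as an added example that is not part of the PostgreSYS documentation. It assumes the same boolean (postgresql_can_network_connect), file type (postgresql_db_t) and directories (/var/lib/pgsql, /var/lib/pgsql/data) as the steps, plus the standard tools sestatus, getsebool, semanage, restorecon and ls -Z from policycoreutils/coreutils. The parsing helpers are plain shell so they can be exercised without SELinux; the function that changes the system is only run when the script is invoked with the argument "apply".

```shell
#!/bin/sh
# Added example (not the PostgreSYS project's code): check SELinux state, enable the
# PostgreSQL network boolean if needed, label the data directories, and verify.

# Return the SELinux mode ("enforcing", "permissive", "disabled" or "unknown")
# from text in the format printed by `sestatus`.
selinux_mode_from_status() {
    printf '%s\n' "$1" | awk -F: '
        /^Current mode:/ { gsub(/[ \t]/, "", $2); print $2; found = 1; exit }
        /^SELinux status:[ \t]*disabled/ { print "disabled"; found = 1; exit }
        END { if (!found) print "unknown" }'
}

# Return "on" or "off" for boolean $2 from text in the format printed by
# `getsebool <name>` (for example "postgresql_can_network_connect --> off").
boolean_state() {
    printf '%s\n' "$1" | awk -v name="$2" '$1 == name && $2 == "-->" { print $3; exit }'
}

# Build the file-context regex that semanage expects, so the directory itself
# and everything below it receive the label.
fcontext_pattern() {
    printf '%s(/.*)?\n' "$1"
}

# Apply the policy from the steps above. Needs root via sudo and an SELinux host;
# does nothing if SELinux is disabled, because setsebool/restorecon would have no effect.
apply_postgresql_policy() {
    status="$(sestatus 2>/dev/null)" || { echo "sestatus not available" >&2; return 1; }
    mode="$(selinux_mode_from_status "$status")"
    if [ "$mode" = "disabled" ] || [ "$mode" = "unknown" ]; then
        echo "SELinux mode is '$mode'; nothing to adjust" >&2
        return 1
    fi

    # Step 2: only change the boolean when it is not already on (-P makes it persistent).
    current="$(boolean_state "$(getsebool postgresql_can_network_connect)" postgresql_can_network_connect)"
    if [ "$current" != "on" ]; then
        sudo setsebool -P postgresql_can_network_connect 1
    fi

    # Steps 3 and 4: record the file-context rule and relabel on disk.
    # `semanage fcontext -a` fails when the rule already exists, so fall back to -m (modify).
    for dir in /var/lib/pgsql /var/lib/pgsql/data; do
        pattern="$(fcontext_pattern "$dir")"
        sudo semanage fcontext -a -t postgresql_db_t "$pattern" 2>/dev/null \
            || sudo semanage fcontext -m -t postgresql_db_t "$pattern"
        sudo restorecon -Rv "$dir"
    done

    # Verify: the data directory should now carry the postgresql_db_t type.
    ls -dZ /var/lib/pgsql/data
}

# Constructed sample outputs (not captured from a real host) to exercise the parsers offline.
SAMPLE_STATUS='SELinux status:                 enabled
Loaded policy name:             targeted
Current mode:                   enforcing'
SAMPLE_BOOL='postgresql_can_network_connect --> off'
echo "mode: $(selinux_mode_from_status "$SAMPLE_STATUS")"                              # mode: enforcing
echo "boolean: $(boolean_state "$SAMPLE_BOOL" postgresql_can_network_connect)"       # boolean: off
echo "pattern: $(fcontext_pattern /var/lib/pgsql)"                                    # pattern: /var/lib/pgsql(/.*)?

if [ "${1:-}" = "apply" ]; then
    apply_postgresql_policy
fi
```

Run it as `sudo sh selinux-postgresql.sh apply` on the database host; without the argument it only parses the constructed samples. Checking getsebool first keeps the script idempotent, and the `-m` fallback lets it be re-run after the fcontext rule has already been recorded.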