Data is the most critical asset of any company today. There are many recommendations for securing a PostgreSQL database, e.g. the CIS Benchmark for PostgreSQL, but Linux already provides one that you should not skip: Security-Enhanced Linux (SELinux). SELinux provides access control for files, processes and applications, granting or denying access. This security architecture was developed by the United States National Security Agency (NSA) and released as open source in the early 2000s.
This article gives a short introduction to SELinux and how you might come into contact with it while installing PostgreSQL.
The first step is to verify that SELinux is active.
The output shows the SELinux status, which in this case is enabled: SELinux is active.
Additionally, the SELinux mode can be verified by running getenforce.
- Enforcing: SELinux with its policies and rules is active and explicitly allows or denies access.
- Permissive: SELinux with its policies and rules is active, but it does not enforce them, meaning nothing is denied.
- Disabled: No rules of the SELinux policies are applied and the system is not protected.
NOTE: It is not recommended to disable SELinux, because any change, e.g. the installation of a package, leaves all of its directories and files unlabeled. Enforcing SELinux policies at a later point in time guarantees some problems. A better solution is setting SELinux to permissive, because everything is still logged, but no access is denied. Evaluating the logs shows all eventual shortcomings and is the basis for solving any problems with enforced SELinux policies.
Check the status of the PostgreSQL service.
The ls command displays the labels of the default PGDATA content. postgresql_db_t is visible for all directories and files. I will stop the PostgreSQL service again.

/usd/pgsql/data. postgresql-16.service requires a change: the PGDATA environment variable needs to be set to the new directory /usd/pgsql/data. The recommended way is to create a new directory with an override.conf file containing the changes.

/usd/pgsql/data is done by executing initdb again.

postgresql_db_t. A manually executed step is required to set the correct labels with chcon.

The ls command from above displays the correct labels now.

Dirk Aumüller
Dirk Aumueller works as an Associate Partner for Proventa AG. His technological focus is on database architectures with PostgreSQL and data management solutions with Pentaho. In addition to his database transformation project assignments, he regularly works as a PostgreSQL trainer and supervises students in their final theses. His professional experience spans the telco and financial services industries.