Securing your PostgreSQL Database with SELinux: A Tutorial

Data is the most critical asset of any company today. There are many recommendations to secure a PostgreSQL database, e.g. CIS Benchmark for PostgreSQL, but Linux provides already one which you should not avoid: Security-Enhanced Linux (SELinux). SELinux provides access control for files, processes and applications to grant access or deny it. This security architecture was developed by the United States National Security Agency (NSA) and later in the early 2000s made open source.

This article gives a short introduction to SELinux and how you might come into contact with it while installing PostgreSQL.

The first step is to verify that SELinux is active.

Copy to Clipboard

The output displays the SELinux status which in this case displays enabled. SELinux is active.

Additionally, the SELinux mode can be verified by running getenforce.

Copy to Clipboard

The command returns the current status value which is either:

Enforcing: SELinux with its policies and rules is active and explicitly allows or denies access.
Permissive: SELinux with its policies and rules is active, but it does not enforce them, meaning nothing is denied.
Disabled: No rules of the SELinux policies are applied and the system is not protected.

SELinux policies are enforced and might be a obstacle for the future PostgreSQL cluster. By the way, Rockylinux has published a nice article to learn and understand SELinux.

NOTE: It is not recommended to disable SELinux, because any change, e.g. installation of a package with all its directories and files are not labeled. Enforcing SELinux policies at a later point in time guarantees some problems. A better solution is setting SELinux to permissive, because everything is still logged, but no access is denied. Evaluation of the logs will show all eventual shortcomings and is the base to solve any problems with enforced SELinux policies.

Let’s install the current major release of PostgreSQL with the command example from the official PostgreSQL website.

Copy to Clipboard

Check the status of the PostgreSQL service.

Copy to Clipboard

[vagrant@server0 ~]$ sudo systemctl status postgresql-16
● postgresql-16.service - PostgreSQL 16 database server
     Loaded: loaded (/usr/lib/systemd/system/postgresql-16.service; disabled; preset: disabled)
     Active: active (running) since Wed 2024-04-10 08:39:14 UTC; 6s ago
       Docs: https://www.postgresql.org/docs/16/static/
    Process: 68266 ExecStartPre=/usr/pgsql-16/bin/postgresql-16-check-db-dir ${PGDATA} (code=exited, status=0/SUCCESS)
   Main PID: 68271 (postgres)
      Tasks: 7 (limit: 23585)
     Memory: 17.3M
        CPU: 33ms
     CGroup: /system.slice/postgresql-16.service
             ├─68271 /usr/pgsql-16/bin/postgres -D /var/lib/pgsql/16/data/
             ├─68272 "postgres: logger "
             ├─68273 "postgres: checkpointer "
             ├─68274 "postgres: background writer "
             ├─68276 "postgres: walwriter "
             ├─68277 "postgres: autovacuum launcher "
             └─68278 "postgres: logical replication launcher "

Apr 10 08:39:14 server0 systemd[1]: Starting PostgreSQL 16 database server...
Apr 10 08:39:14 server0 postgres[68271]: 2024-04-10 08:39:14.079 UTC [68271] LOG:  redirecting log output to logging collector process
Apr 10 08:39:14 server0 postgres[68271]: 2024-04-10 08:39:14.079 UTC [68271] HINT:  Future log output will appear in directory "log".
Apr 10 08:39:14 server0 systemd[1]: Started PostgreSQL 16 database server.

The PostgreSQL service is up and running and we can use the database. SELinux was no obstacle. The reason is that the installation used defaults which are known to SELinux, e.g. correct labels are applied during the installation. A quick check with the ls command displays the labels of the default PGDATA content.

Copy to Clipboard

[vagrant@server0 ~]$ sudo ls -alZ /var/lib/pgsql/16/data/
total 68
drwx------. 20 postgres postgres system_u:object_r:postgresql_db_t:s0      4096 Apr 10 08:58 .
drwx------.  4 postgres postgres system_u:object_r:postgresql_db_t:s0        51 Apr 10 08:39 ..
drwx------.  5 postgres postgres unconfined_u:object_r:postgresql_db_t:s0    33 Apr 10 08:39 base
-rw-------.  1 postgres postgres system_u:object_r:postgresql_db_t:s0        30 Apr 10 08:39 current_logfiles
drwx------.  2 postgres postgres unconfined_u:object_r:postgresql_db_t:s0  4096 Apr 10 08:42 global
drwx------.  2 postgres postgres unconfined_u:object_r:postgresql_db_t:s0    32 Apr 10 08:39 log
drwx------.  2 postgres postgres unconfined_u:object_r:postgresql_db_t:s0     6 Apr 10 08:39 pg_commit_ts
drwx------.  2 postgres postgres unconfined_u:object_r:postgresql_db_t:s0     6 Apr 10 08:39 pg_dynshmem
-rw-------.  1 postgres postgres unconfined_u:object_r:postgresql_db_t:s0  5499 Apr 10 08:39 pg_hba.conf
-rw-------.  1 postgres postgres unconfined_u:object_r:postgresql_db_t:s0  2640 Apr 10 08:39 pg_ident.conf
drwx------.  4 postgres postgres unconfined_u:object_r:postgresql_db_t:s0    68 Apr 10 08:58 pg_logical
drwx------.  4 postgres postgres unconfined_u:object_r:postgresql_db_t:s0    36 Apr 10 08:39 pg_multixact
drwx------.  2 postgres postgres unconfined_u:object_r:postgresql_db_t:s0     6 Apr 10 08:39 pg_notify
drwx------.  2 postgres postgres unconfined_u:object_r:postgresql_db_t:s0     6 Apr 10 08:39 pg_replslot
drwx------.  2 postgres postgres unconfined_u:object_r:postgresql_db_t:s0     6 Apr 10 08:39 pg_serial
drwx------.  2 postgres postgres unconfined_u:object_r:postgresql_db_t:s0     6 Apr 10 08:39 pg_snapshots
drwx------.  2 postgres postgres unconfined_u:object_r:postgresql_db_t:s0    25 Apr 10 08:58 pg_stat
drwx------.  2 postgres postgres unconfined_u:object_r:postgresql_db_t:s0     6 Apr 10 08:39 pg_stat_tmp
drwx------.  2 postgres postgres unconfined_u:object_r:postgresql_db_t:s0    18 Apr 10 08:39 pg_subtrans
drwx------.  2 postgres postgres unconfined_u:object_r:postgresql_db_t:s0     6 Apr 10 08:39 pg_tblspc
drwx------.  2 postgres postgres unconfined_u:object_r:postgresql_db_t:s0     6 Apr 10 08:39 pg_twophase
-rw-------.  1 postgres postgres unconfined_u:object_r:postgresql_db_t:s0     3 Apr 10 08:39 PG_VERSION
drwx------.  3 postgres postgres unconfined_u:object_r:postgresql_db_t:s0    60 Apr 10 08:39 pg_wal
drwx------.  2 postgres postgres unconfined_u:object_r:postgresql_db_t:s0    18 Apr 10 08:39 pg_xact
-rw-------.  1 postgres postgres unconfined_u:object_r:postgresql_db_t:s0    88 Apr 10 08:39 postgresql.auto.conf
-rw-------.  1 postgres postgres unconfined_u:object_r:postgresql_db_t:s0 29671 Apr 10 08:39 postgresql.conf
-rw-------.  1 postgres postgres system_u:object_r:postgresql_db_t:s0        58 Apr 10 08:39 postmaster.opts

The label postgresql_db_t is visible for all directories and files. I will stop the PostgreSQL service again.

Copy to Clipboard

A common change in most real world scenarios is the custom location of the PGDATA directory. In this example the new location of the PGDATA directory is /usd/pgsql/data.

Copy to Clipboard

Second, the systemd service file postgresql-16.service requires a change: The PGDATA environment variable needs to be set to the new directory /usd/pgsql/data. The recommended way is to create a new directory with a override.conf-file containing the changes.

Copy to Clipboard

Next, systemd is made aware of the changes by reloading the daemon.

Copy to Clipboard

Initialization of the new PostgreSQL cluster in the custom location /usd/pgsql/data is done by executing initdb again.

Copy to Clipboard

Check the SELinux labels of PGDATA and its content.

Copy to Clipboard

[vagrant@server0 ~]$ sudo ls -alZ /usd/pgsql/data/
total 68
drwx------. 20 postgres postgres unconfined_u:object_r:default_t:s0  4096 Apr 10 09:27 .
drwxr-xr-x.  3 postgres postgres unconfined_u:object_r:default_t:s0    18 Apr 10 08:55 ..
drwx------.  5 postgres postgres unconfined_u:object_r:default_t:s0    33 Apr 10 09:19 base
-rw-------.  1 postgres postgres system_u:object_r:default_t:s0        30 Apr 10 09:23 current_logfiles
drwx------.  2 postgres postgres unconfined_u:object_r:default_t:s0  4096 Apr 10 09:26 global
drwx------.  2 postgres postgres unconfined_u:object_r:default_t:s0    32 Apr 10 09:23 log
drwx------.  2 postgres postgres unconfined_u:object_r:default_t:s0     6 Apr 10 09:19 pg_commit_ts
drwx------.  2 postgres postgres unconfined_u:object_r:default_t:s0     6 Apr 10 09:19 pg_dynshmem
-rw-------.  1 postgres postgres unconfined_u:object_r:default_t:s0  5499 Apr 10 09:19 pg_hba.conf
-rw-------.  1 postgres postgres unconfined_u:object_r:default_t:s0  2640 Apr 10 09:19 pg_ident.conf
drwx------.  4 postgres postgres unconfined_u:object_r:default_t:s0    68 Apr 10 09:27 pg_logical
drwx------.  4 postgres postgres unconfined_u:object_r:default_t:s0    36 Apr 10 09:19 pg_multixact
drwx------.  2 postgres postgres unconfined_u:object_r:default_t:s0     6 Apr 10 09:19 pg_notify
drwx------.  2 postgres postgres unconfined_u:object_r:default_t:s0     6 Apr 10 09:19 pg_replslot
drwx------.  2 postgres postgres unconfined_u:object_r:default_t:s0     6 Apr 10 09:19 pg_serial
drwx------.  2 postgres postgres unconfined_u:object_r:default_t:s0     6 Apr 10 09:19 pg_snapshots
drwx------.  2 postgres postgres unconfined_u:object_r:default_t:s0    25 Apr 10 09:27 pg_stat
drwx------.  2 postgres postgres unconfined_u:object_r:default_t:s0     6 Apr 10 09:19 pg_stat_tmp
drwx------.  2 postgres postgres unconfined_u:object_r:default_t:s0    18 Apr 10 09:19 pg_subtrans
drwx------.  2 postgres postgres unconfined_u:object_r:default_t:s0     6 Apr 10 09:19 pg_tblspc
drwx------.  2 postgres postgres unconfined_u:object_r:default_t:s0     6 Apr 10 09:19 pg_twophase
-rw-------.  1 postgres postgres unconfined_u:object_r:default_t:s0     3 Apr 10 09:19 PG_VERSION
drwx------.  3 postgres postgres unconfined_u:object_r:default_t:s0    60 Apr 10 09:19 pg_wal
drwx------.  2 postgres postgres unconfined_u:object_r:default_t:s0    18 Apr 10 09:19 pg_xact
-rw-------.  1 postgres postgres unconfined_u:object_r:default_t:s0    88 Apr 10 09:19 postgresql.auto.conf
-rw-------.  1 postgres postgres unconfined_u:object_r:default_t:s0 29671 Apr 10 09:19 postgresql.conf
-rw-------.  1 postgres postgres system_u:object_r:default_t:s0        50 Apr 10 09:23 postmaster.opts

It’s missing the correct labels: postgresql_db_t. A manually executed step is required to set the correct labels with chcon.

Copy to Clipboard

Repeating the ls command from above displays the correct labels now.

Copy to Clipboard

[vagrant@server0 ~]$ sudo ls -alZ /usd/pgsql/data/
total 68
drwx------. 20 postgres postgres unconfined_u:object_r:postgresql_db_t:s0  4096 Apr 10 09:27 .
drwxr-xr-x.  3 postgres postgres unconfined_u:object_r:default_t:s0          18 Apr 10 08:55 ..
drwx------.  5 postgres postgres unconfined_u:object_r:postgresql_db_t:s0    33 Apr 10 09:19 base
-rw-------.  1 postgres postgres system_u:object_r:postgresql_db_t:s0        30 Apr 10 09:23 current_logfiles
drwx------.  2 postgres postgres unconfined_u:object_r:postgresql_db_t:s0  4096 Apr 10 09:26 global
drwx------.  2 postgres postgres unconfined_u:object_r:postgresql_db_t:s0    32 Apr 10 09:23 log
drwx------.  2 postgres postgres unconfined_u:object_r:postgresql_db_t:s0     6 Apr 10 09:19 pg_commit_ts
drwx------.  2 postgres postgres unconfined_u:object_r:postgresql_db_t:s0     6 Apr 10 09:19 pg_dynshmem
-rw-------.  1 postgres postgres unconfined_u:object_r:postgresql_db_t:s0  5499 Apr 10 09:19 pg_hba.conf
-rw-------.  1 postgres postgres unconfined_u:object_r:postgresql_db_t:s0  2640 Apr 10 09:19 pg_ident.conf
drwx------.  4 postgres postgres unconfined_u:object_r:postgresql_db_t:s0    68 Apr 10 09:27 pg_logical
drwx------.  4 postgres postgres unconfined_u:object_r:postgresql_db_t:s0    36 Apr 10 09:19 pg_multixact
drwx------.  2 postgres postgres unconfined_u:object_r:postgresql_db_t:s0     6 Apr 10 09:19 pg_notify
drwx------.  2 postgres postgres unconfined_u:object_r:postgresql_db_t:s0     6 Apr 10 09:19 pg_replslot
drwx------.  2 postgres postgres unconfined_u:object_r:postgresql_db_t:s0     6 Apr 10 09:19 pg_serial
drwx------.  2 postgres postgres unconfined_u:object_r:postgresql_db_t:s0     6 Apr 10 09:19 pg_snapshots
drwx------.  2 postgres postgres unconfined_u:object_r:postgresql_db_t:s0    25 Apr 10 09:27 pg_stat
drwx------.  2 postgres postgres unconfined_u:object_r:postgresql_db_t:s0     6 Apr 10 09:19 pg_stat_tmp
drwx------.  2 postgres postgres unconfined_u:object_r:postgresql_db_t:s0    18 Apr 10 09:19 pg_subtrans
drwx------.  2 postgres postgres unconfined_u:object_r:postgresql_db_t:s0     6 Apr 10 09:19 pg_tblspc
drwx------.  2 postgres postgres unconfined_u:object_r:postgresql_db_t:s0     6 Apr 10 09:19 pg_twophase
-rw-------.  1 postgres postgres unconfined_u:object_r:postgresql_db_t:s0     3 Apr 10 09:19 PG_VERSION
drwx------.  3 postgres postgres unconfined_u:object_r:postgresql_db_t:s0    60 Apr 10 09:19 pg_wal
drwx------.  2 postgres postgres unconfined_u:object_r:postgresql_db_t:s0    18 Apr 10 09:19 pg_xact
-rw-------.  1 postgres postgres unconfined_u:object_r:postgresql_db_t:s0    88 Apr 10 09:19 postgresql.auto.conf
-rw-------.  1 postgres postgres unconfined_u:object_r:postgresql_db_t:s0 29671 Apr 10 09:19 postgresql.conf
-rw-------.  1 postgres postgres system_u:object_r:postgresql_db_t:s0        50 Apr 10 09:23 postmaster.opts

The new PostgreSQL cluster is ready to run.

Copy to Clipboard

[vagrant@server0 ~]$ sudo systemctl start postgresql-16
[vagrant@server0 ~]$ sudo systemctl status postgresql-16
● postgresql-16.service - PostgreSQL 16 database server
     Loaded: loaded (/usr/lib/systemd/system/postgresql-16.service; disabled; preset: disabled)
    Drop-In: /etc/systemd/system/postgresql-16.service.d
             └─override.conf
     Active: active (running) since Wed 2024-04-10 09:39:52 UTC; 4s ago
       Docs: https://www.postgresql.org/docs/16/static/
    Process: 69700 ExecStartPre=/usr/pgsql-16/bin/postgresql-16-check-db-dir ${PGDATA} (code=exited, status=0/SUCCESS)
   Main PID: 69705 (postgres)
      Tasks: 7 (limit: 23585)
     Memory: 17.3M
        CPU: 31ms
     CGroup: /system.slice/postgresql-16.service
             ├─69705 /usr/pgsql-16/bin/postgres -D /usd/pgsql/data
             ├─69706 "postgres: logger "
             ├─69707 "postgres: checkpointer "
             ├─69708 "postgres: background writer "
             ├─69710 "postgres: walwriter "
             ├─69711 "postgres: autovacuum launcher "
             └─69712 "postgres: logical replication launcher "

Apr 10 09:39:52 server0 systemd[1]: Starting PostgreSQL 16 database server...
Apr 10 09:39:52 server0 postgres[69705]: 2024-04-10 09:39:52.956 UTC [69705] LOG:  redirecting log output to logging collector process
Apr 10 09:39:52 server0 postgres[69705]: 2024-04-10 09:39:52.956 UTC [69705] HINT:  Future log output will appear in directory "log".
Apr 10 09:39:52 server0 systemd[1]: Started PostgreSQL 16 database server.

If you are running into any problems, do not forget to check the logfiles for any suspicious errors:

Copy to Clipboard

There are more options to configure SELinux for PostgreSQL, but this basic example provides a practical introduction for new users to have a quick start.

Dirk Aumüller

Dirk Aumueller arbeitet als Associate Partner für die Proventa AG. Sein technologischer Schwerpunkt liegt bei Datenbankarchitekturen mit PostgreSQL sowie Data Management Lösungen mit Pentaho. Zusätzlich zu seinen Datenbanktransformations-Projekteinsätzen ist er regelmäßig als PostgreSQL Trainer unterwegs und betreut Studenten bei ihren Abschlussarbeiten. Seine fachlichen Erfahrungen erstrecken sich über die Branchen Telco und Financial Services.

SELinux: A Mandatory Part of Running a Secure PostgreSQL Database

SELinux: A Mandatory Part of Running a Secure PostgreSQL Database

Dirk Aumüller