Using an alternate PGDATA on RHEL4 with SELinux enabled

Started by David Esposito, over 19 years ago, 4 messages, general
#1 David Esposito
pgsql-general@esposito.newnetco.com

I just tried installing Postgres 8.1.4 (RPMs from postgresql.org web site)
on a clean RHEL4 Update 2 machine that had SELinux enabled.

When I created a /etc/sysconfig/pgsql/postgresql config file with

PGDATA=/data/pgdata

I was unable to get the start script (/etc/init.d/postgresql) to populate
the data directory nor launch postgres (after I manually did an initdb on
the directory)

The file permissions were

drwx------ 11 postgres postgres 4096 Jul 27 12:51 pgdata

But the pgstartup.log was still reporting that initdb couldn't write
to /data/pgdata (Permission denied)

When I manually copied and pasted the line that was in
/etc/init.d/postgresql to the command line, it ran just fine (executing as
root)

runuser -l postgres -c "/usr/bin/initdb --pgdata='/data/pgdata'
--auth='ident sameuser'" >> "/var/lib/pgsql/pgstartup.log" 2>&1 < /dev/null

But there's some voodoo going on when this is executed inside of the start
script ...

I started monkeying around with cutting the start script down to the point
where I finally got this error to appear (I believe it was removing the
</dev/null redirect):

Your default context is user_u:system_r:unconfined_t. Do you want to choose
a different one? [n]

If I just hit enter, the script would continue and successfully create the
data directory and launch postgres

To be perfectly clear: If I don't set a custom PGDATA in
/etc/sysconfig/pgsql/postgresql, everything works fine ... the data
directory is created in /var/lib/pgsql/data as expected ... it's only with
the custom PGDATA ..

Long story short, I have disabled SELinux on this box because this isn't the
first time SELinux stuff has burned hours of my day and this is an internal
box so I don't feel it's worth the battle right now ... but figured that
maybe someone else out there might benefit from reading this ...

-Dave

#2 Tom Lane
tgl@sss.pgh.pa.us
In reply to: David Esposito (#1)
Re: Using an alternate PGDATA on RHEL4 with SELinux enabled

"David Esposito" <pgsql-general@esposito.newnetco.com> writes:

I just tried installing Postgres 8.1.4 (RPMs from postgresql.org web site)
on a clean RHEL4 Update 2 machine that had SELinux enabled.
When I created a /etc/sysconfig/pgsql/postgresql config file with
PGDATA=/data/pgdata
I was unable to get the start script (/etc/init.d/postgresql) to populate
the data directory nor launch postgres (after I manually did an initdb on
the directory)

The default selinux policy prevents postgres from writing anywhere
except under /var/lib/pgsql. If you want a nondefault PGDATA location
then you have to tweak the policy.

regards, tom lane

#3 David Esposito
pgsql-general@esposito.newnetco.com
In reply to: Tom Lane (#2)
Re: Using an alternate PGDATA on RHEL4 with SELinux enabled

-----Original Message-----
From: Tom Lane [mailto:tgl@sss.pgh.pa.us]

The default selinux policy prevents postgres from writing anywhere
except under /var/lib/pgsql. If you want a nondefault PGDATA location
then you have to tweak the policy.

It's not that simple ... if I su to postgres, I can initdb and launch
postmaster in any directory I wish (as long as it has rwx for the postgres
user) ... it's only if I try to do this from the init.d start script that
the problem occurs ...

#4 Tom Lane
tgl@sss.pgh.pa.us
In reply to: David Esposito (#3)
Re: Using an alternate PGDATA on RHEL4 with SELinux enabled

"David Esposito" <pgsql-general@esposito.newnetco.com> writes:

-----Original Message-----
From: Tom Lane [mailto:tgl@sss.pgh.pa.us]
The default selinux policy prevents postgres from writing anywhere
except under /var/lib/pgsql. If you want a nondefault PGDATA location
then you have to tweak the policy.

It's not that simple ... if I su to postgres, I can initdb and launch
postmaster in any directory I wish (as long as it has rwx for the postgres
user) ... it's only if I try to do this from the init.d start script that
the problem occurs ...

Yes, it is that simple. Processes launched from start scripts inherit
a different (much more restrictive) selinux context than ones launched
from interactive shells.

regards, tom lane
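The check a practitioner would want before disabling SELinux, as an added example that is not part of the thread: it compares the SELinux type of the process that ran initdb with the type on the PGDATA directory, and prints the relabel commands for a non-default PGDATA. The type names (unconfined_t, initrc_t, postgresql_db_t, default_t) are assumptions about the RHEL4 targeted policy, and the sample lines are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Illustrates Tom's point: an interactive
# shell runs as unconfined_t (policy not enforced on it), while the init script
# runs a confined domain, so a PGDATA outside /var/lib/pgsql must carry the
# file type the postgresql policy allows. Type names are assumptions about the
# RHEL4 targeted policy; sample lines below are constructed, not real output.

EXPECTED_DB_TYPE=postgresql_db_t   # file type the stock policy lets postgres write

# Type field of a security context: user:role:type[:level] -> type
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Pull the context out of one `ls -Z` line (the field with two or more colons)
context_from_ls() {
    printf '%s\n' "$1" | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /:.*:/) { print $i; exit } }'
}

# Explain a PGDATA failure. $1: context of the process that ran initdb,
# $2: the `ls -Zd $PGDATA` line. Prints one of: interactive, ok, mislabeled.
diagnose() {
    proc_type=$(selinux_type "$1")
    dir_type=$(selinux_type "$(context_from_ls "$2")")
    if [ "$proc_type" = "unconfined_t" ]; then
        echo interactive   # policy never applied: why "su postgres; initdb" works
    elif [ "$dir_type" = "$EXPECTED_DB_TYPE" ]; then
        echo ok            # the init script's confined postgres may write here
    else
        echo mislabeled    # directory kept its parent's type (e.g. default_t)
    fi
}

# Commands to relabel a non-default PGDATA so the confined domain can use it.
# chcon is what RHEL4 had; on later releases persist it with
# `semanage fcontext -a -t postgresql_db_t "/data/pgdata(/.*)?"` + restorecon.
relabel_commands() {
    printf 'chcon -R -t %s %s\n' "$EXPECTED_DB_TYPE" "$1"
    printf 'ls -Zd %s\n' "$1"
}

# Constructed sample input (not from the thread)
SHELL_CTX='user_u:system_r:unconfined_t'
INIT_CTX='system_u:system_r:initrc_t'
DIR_BAD='drwx------  postgres postgres root:object_r:default_t        /data/pgdata'
DIR_GOOD='drwx------  postgres postgres root:object_r:postgresql_db_t /data/pgdata'

diagnose "$SHELL_CTX" "$DIR_BAD"; diagnose "$INIT_CTX" "$DIR_BAD"; diagnose "$INIT_CTX" "$DIR_GOOD"
relabel_commands /data/pgdata
```

On a real box, feed diagnose the output of `id -Z` (or the postgres entry from `ps -eZ`) and of `ls -Zd "$PGDATA"` instead of the constructed strings.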