Thread: Using an alternate PGDATA on RHEL4 with SELinux enabled
I just tried installing Postgres 8.1.4 (RPMs from the postgresql.org web site) on a clean RHEL4 Update 2 machine that had SELinux enabled.

When I created a /etc/sysconfig/pgsql/postgresql config file with

    PGDATA=/data/pgdata

I was unable to get the start script (/etc/init.d/postgresql) to populate the data directory or launch postgres (after I manually did an initdb on the directory). The file permissions were

    drwx------ 11 postgres postgres 4096 Jul 27 12:51 pgdata

but pgstartup.log was still reporting that initdb couldn't write to /data/pgdata (Permission denied).

When I manually copied and pasted the line that was in /etc/init.d/postgresql to the command line, it ran just fine (executing as root):

    runuser -l postgres -c "/usr/bin/initdb --pgdata='/data/pgdata' --auth='ident sameuser'" >> "/var/lib/pgsql/pgstartup.log" 2>&1 < /dev/null

But there's some voodoo going on when this is executed inside of the start script ... I started monkeying around with cutting the start script down to the point where I finally got this error to appear (I believe it was removing the </dev/null redirect):

    Your default context is user_u:system_r:unconfined_t.
    Do you want to choose a different one? [n]

If I just hit enter, the script would continue and successfully create the data directory and launch postgres.

To be perfectly clear: if I don't set a custom PGDATA in /etc/sysconfig/pgsql/postgresql, everything works fine ... the data directory is created in /var/lib/pgsql/data as expected ... it's only with the custom PGDATA.

Long story short, I have disabled SELinux on this box because this isn't the first time SELinux stuff has burned hours of my day, and this is an internal box so I don't feel it's worth the battle right now ... but figured that maybe someone else out there might benefit from reading this ...

-Dave
"David Esposito" <pgsql-general@esposito.newnetco.com> writes:
> I just tried installing Postgres 8.1.4 (RPMs from postgresql.org web site)
> on a clean RHEL4 Update 2 machine that had SELinux enabled.
> When I created a /etc/sysconfig/pgsql/postgresql config file with
> PGDATA=/data/pgdata
> I was unable to get the start script (/etc/init.d/postgresql) to populate
> the data directory nor launch postgres (after I manually did an initdb on
> the directory)

The default selinux policy prevents postgres from writing anywhere except under /var/lib/pgsql. If you want a nondefault PGDATA location then you have to tweak the policy.

regards, tom lane
> -----Original Message-----
> From: Tom Lane [mailto:tgl@sss.pgh.pa.us]
>
> The default selinux policy prevents postgres from writing anywhere
> except under /var/lib/pgsql. If you want a nondefault PGDATA location
> then you have to tweak the policy.

It's not that simple ... if I su to postgres, I can initdb and launch postmaster in any directory I wish (as long as it has rwx for the postgres user) ... it's only if I try to do this from the init.d start script that the problem occurs ...
"David Esposito" <pgsql-general@esposito.newnetco.com> writes:
>> -----Original Message-----
>> From: Tom Lane [mailto:tgl@sss.pgh.pa.us]
>> The default selinux policy prevents postgres from writing anywhere
>> except under /var/lib/pgsql. If you want a nondefault PGDATA location
>> then you have to tweak the policy.

> It's not that simple ... if I su to postgres, I can initdb and launch
> postmaster in any directory I wish (as long as it has rwx for the postgres
> user) ... it's only if I try to do this from the init.d start script that
> the problem occurs ...

Yes, it is that simple. Processes launched from start scripts inherit a different (much more restrictive) selinux context than ones launched from interactive shells.

regards, tom lane
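The two points Tom makes (the policy only lets postgres write under /var/lib/pgsql, and the init script runs postgres in a more restrictive context than an interactive shell) come down to two labels: the SELinux type on the PGDATA directory and the domain of the postmaster process. The script below is an added example, not code from the thread or from the PostgreSQL RPMs. It parses `ls -dZ` and `ps -eZ` output to show why a hand-made /data/pgdata is refused from the init script but not from a root shell, and relabels the directory so the confined daemon can use it. It assumes the targeted policy's `postgresql_t` domain and `postgresql_db_t` file type (names from the RHEL policy), that `semanage` may be absent (RHEL4 ships only `chcon`), and the sample `ls -Z`/`ps -Z` lines are constructed for the offline walk-through.

```shell
#!/bin/sh
# Added example (not from the thread): diagnose and fix the SELinux label on a
# nondefault PGDATA so that postgres started from /etc/init.d/postgresql,
# confined as postgresql_t, can write to it the way it already can under
# /var/lib/pgsql. Assumed names: postgresql_t / postgresql_db_t from the
# RHEL targeted policy. Sample ls -Z and ps -Z lines below are constructed.
set -u

DB_TYPE=postgresql_db_t

# Third colon-separated field of a context: user:role:type[:level] -> type.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# From one line of "ls -dZ DIR" output, return the file's SELinux type.
# The context is whichever field contains ":object_r:" (its column differs
# between coreutils versions, so do not rely on $4).
file_type_from_ls_line() {
    printf '%s\n' "$1" |
        awk '{ for (i = 1; i <= NF; i++) if ($i ~ /:object_r:/) { print $i; exit } }' |
        cut -d: -f3
}

# From one line of "ps -eZ" output (LABEL is the first column), return the
# process domain.
proc_type_from_ps_line() {
    printf '%s\n' "$1" | awk '{ print $1 }' | cut -d: -f3
}

# True when the directory carries the type postgresql_t is allowed to write.
pgdata_labeled_ok() {
    [ "$(file_type_from_ls_line "$1")" = "$DB_TYPE" ]
}

# semanage fcontext pattern covering the directory and everything below it.
fcontext_pattern() {
    printf '%s(/.*)?\n' "$1"
}

# Live check (needs a host with SELinux): PGDATA label and postmaster domain.
check_pgdata() {
    echo "getenforce: $(getenforce 2>/dev/null || echo unknown)"
    echo "PGDATA label type: $(file_type_from_ls_line "$(ls -dZ "$1")")"
    ps -eZ | grep '[p]ostmaster' | while read -r line; do
        echo "postmaster domain: $(proc_type_from_ps_line "$line")"
    done
}

# Persistent fix where semanage exists; chcon otherwise (a chcon label is
# lost the next time the filesystem is relabeled).
relabel_pgdata() {
    if command -v semanage >/dev/null 2>&1; then
        semanage fcontext -a -t "$DB_TYPE" "$(fcontext_pattern "$1")"
        restorecon -Rv "$1"
    else
        chcon -R -t "$DB_TYPE" "$1"
    fi
}

# Recent AVC denials: audit log on newer releases, syslog on RHEL4.
show_denials() {
    if [ -r /var/log/audit/audit.log ]; then
        grep 'avc:.*denied' /var/log/audit/audit.log | tail -n 20
    else
        grep 'avc:.*denied' /var/log/messages | tail -n 20
    fi
}

# Constructed output mirroring the thread: a directory made by hand under
# /data gets a generic type; the init script's postmaster is postgresql_t,
# while one started from a root shell is unconfined_t.
SAMPLE_LS_BAD='drwx------  postgres postgres root:object_r:default_t         /data/pgdata'
SAMPLE_LS_GOOD='drwx------  postgres postgres root:object_r:postgresql_db_t  /var/lib/pgsql/data'
SAMPLE_PS_INIT='user_u:system_r:postgresql_t  3421 ?      00:00:00 postmaster'
SAMPLE_PS_SHELL='user_u:system_r:unconfined_t  3519 pts/0  00:00:00 postmaster'

# Verdict for an (ls -dZ line, ps -eZ line) pair; returns 0 if writes succeed.
diagnose() {
    ftype=$(file_type_from_ls_line "$1")
    ptype=$(proc_type_from_ps_line "$2")
    if [ "$ptype" = unconfined_t ]; then
        echo "allowed: $ptype is unconfined, so $ftype works from a shell but not from the init script"
        return 0
    fi
    if pgdata_labeled_ok "$1"; then
        echo "allowed: $ptype may write $ftype"
        return 0
    fi
    echo "denied: $ptype may not write $ftype; fix with relabel_pgdata DIR"
    return 1
}

if [ "${1:-}" = "--apply" ] && [ -n "${2:-}" ]; then
    check_pgdata "$2"; relabel_pgdata "$2"; check_pgdata "$2"
else
    diagnose "$SAMPLE_LS_BAD" "$SAMPLE_PS_INIT" || true
    diagnose "$SAMPLE_LS_BAD" "$SAMPLE_PS_SHELL" || true
    diagnose "$SAMPLE_LS_GOOD" "$SAMPLE_PS_INIT" || true
fi
```

Run with no arguments to see the three verdicts on the constructed samples; run as root with `--apply /data/pgdata` to relabel a real directory and print the label before and after. After relabeling, `service postgresql start` should initdb into the new PGDATA without touching the policy itself; if it still fails, `show_denials` gives the AVC lines to feed to audit2allow.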