
Re: SELinux question



Paul Howarth wrote:
On Sun, 2006-05-28 at 17:13 +0200, Zoltan Boszormenyi wrote:
Hi,

answering myself. :-)

Zoltan Boszormenyi wrote:
So, how can I fix the current situation and include /home1/pgsql in
the postgresql context/domain? I would like to relabel it to recover the context...

BTW the same principle would apply if one would like to create
another tablespace for postgresql under another mount point...
After some more RTFM, it would seem simple:

semanage fcontext -a -t postgresql_db_t '/home1/pgsql/data(/.*)?'
semanage fcontext -a -t postgresql_log_t '/home1/pgsql/pgstartup.log'
fixfiles relabel /home1/pgsql

But it was not enough. Starting it with "service postgresql start" fails.
I had to modify the rc script, too. I had to replace /var/lib/pgsql with
/home1/pgsql everywhere despite the /var/lib/pgsql -> /home1/pgsql symlink.

This will be failing because SELinux is blocking access to reading the
symlink. You should find an avc denial for the lnk_file in your logs.

I haven't found any. :-(
Can this difference below cause the problem?

[root localhost log]# ls -d --scontext /var/lib/pgsql
user_u:object_r:var_lib_t        /var/lib/pgsql -> /home1/pgsql
[root localhost log]# ls -d --scontext /var/lib/pgsql/
system_u:object_r:default_t      /var/lib/pgsql/

Adding /home1/pgsql with var_lib_t context didn't make any difference, though.

But this is enough for adding another tablespace under e.g. /home1/pgsql2:

mkdir -p /home1/pgsql2/data
chown -R postgres.postgres /home1/pgsql2
semanage fcontext -a -t postgresql_db_t '/home1/pgsql2/data(/.*)?'
fixfiles relabel /home1/pgsql2

An easier way is to bind mount /home/pgsql on /var/lib/pgsql etc. and do
a restorecon -R on the "new" /var/lib/pgsql. That achieves the same
effect without the symlink.

I know, but the disk I install will be (or already is) used for both my databases
and for extending /home. I created only one partition on that disk, so...
The system is my home/devel machine and the disk is SATA and fast enough.
Although for a high performance production machine, I would always give
PostgreSQL its own disks to separate WAL, table and index spaces.

Best regards,
Zoltán Böszörményi
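
As an added example (not part of the original messages): a shell script that lists each symlink on the path to the data directory and, on an SELinux-enabled host, prints the label of the link itself next to the label of the directory it resolves to, which is the distinction behind the two `ls -d` listings in the thread. The function names `symlink_components` and `label_report` are hypothetical, and `ls -dZ` is assumed as the current coreutils option for showing contexts.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Print "LINK -> TARGET" for every component of path $1 that is a symlink.
# A confined daemon needs read access to each such lnk_file, and each one
# carries its own label, separate from the label of what it points to.
symlink_components() {
    path=$1
    case $path in
        /*) cur= ;;     # absolute path: rebuild from the root
        *)  cur=. ;;    # relative path: rebuild from the current directory
    esac
    old_ifs=$IFS
    IFS=/
    set -f              # no globbing while the path is split on "/"
    set -- $path
    set +f
    IFS=$old_ifs
    for part in "$@"; do
        [ -n "$part" ] || continue
        cur="$cur/$part"
        if [ -L "$cur" ]; then
            printf '%s -> %s\n' "$cur" "$(readlink "$cur")"
        fi
    done
}

# For each symlink found, show the context of the link and of its target.
# "ls -d LINK" describes the lnk_file; "ls -d LINK/" describes the directory
# the link resolves to, so the two can show different types.
label_report() {
    symlink_components "$1" | while IFS= read -r line; do
        link=${line%% -> *}
        if command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled; then
            ls -dZ "$link" "$link/"
        else
            printf '%s (SELinux not enabled, labels unavailable)\n' "$link"
        fi
    done
}

# Usage: sh thisfile.sh /var/lib/pgsql/data
if [ $# -gt 0 ]; then
    label_report "$1"
fi
```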

