
Re: Need help with moving the data directory of Postgresql



Markus Lindholm wrote:
Hi

Used the 'mount --bind', worked well for me. Thanks.

But I was wondering why it is not possible to configure Selinux to have the Postgresql data directory under /mnt?

/markus

On 2/10/06, Paul Howarth <paul city-fan org> wrote:

    On Thu, 2006-02-09 at 20:10 +0100, Markus Lindholm wrote:
    > Hi
    >
    > I have a FC4 box (all updates applied) on which I have a Postgresql
    > server (standard fedora rpms) and I'm running targeted selinux policy.
    > The problem is that I cannot move the data directory away
    > from /var/lib/pgsql/data without turning selinux off.
    >
    > Are there any HOWTOs out there that would be helpful?
    >
    > I've tried using chcon so that the permissions would be identical
    > between the new and the old:
    >
    > [root zeus ~]# ls -ldZ /var/lib/pgsql/data/
    > drwx------  postgres postgres system_u:object_r:postgresql_db_t /var/lib/pgsql/data/
    > [root zeus ~]# ls -lZd /mnt/raid/db/pgsql/data/
    > drwx------  postgres postgres system_u:object_r:postgresql_db_t /mnt/raid/db/pgsql/data/
    >
    > But I still get permission denied when I try to start postgresql!! If
    > I mark the "Disable SELinux protection for Postgresql daemon" in the
    > SELinux GUI, then it starts up fine.
    > But what would be the correct way to handle this?

    Why are you moving the data directory in the first place?

    If it's for space reasons, an alternative approach might be simply to
    mount your target partition on /var/lib/pgsql/data; if you're not using
    an entire partition, you could use a bind mount:

    # mount --bind /mnt/raid/db/pgsql/data /var/lib/pgsql/data

You could, but then other applications that are allowed to search mnt_t would be able to also, and a corrupted postgres could attack things on /mnt.

The idea is to isolate applications based on least privs so storing data/files in places like /tmp or /mnt is not usually a good idea for a confined application.

    Paul.

    --
    fedora-selinux-list mailing list
    fedora-selinux-list redhat com
    https://www.redhat.com/mailman/listinfo/fedora-selinux-list



