Trouble starting postgresql

Paul Howarth paul at city-fan.org
Thu Jun 1 11:37:57 UTC 2006


Alan M. Evans wrote:
> On Wed, 2006-05-31 at 10:19, Paul Howarth wrote:
>> It appears that there is no easy fix for this problem, other than moving 
>> the data somewhere other than under /home:
>>
>> http://www.redhat.com/archives/fedora-selinux-list/2006-May/msg00253.html
> 
> That's a pity. As I said before, /home is convenient for me since that
> partition is large and won't ever be formatted during future upgrades or
> installs. /home/pgsql seemed obvious to me since both the database and
> the home directories share these requirements.

Another possibility you might consider (particularly if you have /home 
on LVM) might be to shrink /home and use the released space for a 
separate /srv filesystem, which you could manage in the same way as 
/home, not formatting it during upgrades etc. Your database data could 
then be put under /srv/pgsql (where it arguably should be by default in 
the package) instead of /home/pgsql and there would be no issue with 
home directory contexts.

> In any case, in your reply to the message linked above, you say:
> 
>> If it was me I'd just bind mount /home/pgsql on /var/lib/pgsql
>> and there wouldn't be an issue...
> 
> And so I wonder: How does bind-mounting help me as regards default
> contexts?
> 
> If I place data in /home/pgsql and bind-mount /var/lib/pgsql, then what
> is the default context for pgsql? It depends on where restorecon was
> run. If "restorecon -R /home" then pgsql will be set to the wrong
> context; if "restorecon -R /var/lib" then it will be correct. And if,
> for some reason, the entire filesystem gets relabelled, how do I know
> which one it will get? I don't see how bind-mounting gains me anything
> over my current predicament.

You are right (and it illustrates an issue with path-based security). If 
the system was relabelled, it'd be pot luck whether the /home/pgsql or 
/var/lib/pgsql contexts were applied. The advantages of doing the bind 
mount are:

1. No tweaks to policy are needed because everything is where it's 
expected to be.
2. In the event of having to relabel the system and the contexts getting 
screwed up, all of the different contexts can be restored in one go with 
the single command "restorecon -Rv /var/lib/pgsql", as opposed to having 
to do different chcon commands for each different context that's needed.

> Finally, it's working for me now, thanks to you. I will leave it all as
> is and lurk the selinux list and quietly learn. Perhaps a better
> solution to the default context issue will be discovered or implemented.

I've not given up on this yet; see fedora-selinux-list.

Paul.
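
The relabelling ambiguity and the single-restorecon recovery discussed in the message above, modelled as an added example (not part of the original message and not code from any SELinux tool). The file-context entries, the file tree and the "last matching entry wins" rule are constructed simplifications, and the relabel() helper is hypothetical.

```python
import re

# Constructed, simplified file-context table: (path regex, type).
# Not a copy of any shipped policy. Assumption: the last matching entry wins.
FILE_CONTEXTS = [
    (r"/home/[^/]+", "user_home_dir_t"),
    (r"/home/[^/]+/.+", "user_home_t"),
    (r"/var/lib/pgsql(/.*)?", "var_lib_t"),
    (r"/var/lib/pgsql/data(/.*)?", "postgresql_db_t"),
    (r"/var/lib/pgsql/pgstartup\.log", "postgresql_log_t"),
]

# Constructed tree: names relative to the data directory, which is reachable
# through both paths because /var/lib/pgsql is a bind mount of /home/pgsql.
FILES = ["", "data", "data/base", "data/PG_VERSION", "pgstartup.log"]
MOUNTS = ["/home/pgsql", "/var/lib/pgsql"]

def default_type(path):
    """Return the type of the last table entry that matches the whole path."""
    result = None
    for pattern, setype in FILE_CONTEXTS:
        if re.fullmatch(pattern, path):
            result = setype
    return result

def relabel(labels, root, order=MOUNTS):
    """Model 'restorecon -R root': each inode gets the label of the path it was visited by."""
    prefix = root.rstrip("/") + "/"
    for mount in order:
        if mount == root or mount.startswith(prefix):
            for rel in FILES:
                path = mount + ("/" + rel if rel else "")
                labels[rel] = default_type(path)
    return labels

def demo():
    out = {"via_home": relabel({}, "/home"), "via_var": relabel({}, "/var/lib")}
    # Full relabel: the result depends on which path is walked last ("pot luck").
    out["full_var_last"] = relabel({}, "/", order=["/home/pgsql", "/var/lib/pgsql"])
    out["full_home_last"] = relabel({}, "/", order=["/var/lib/pgsql", "/home/pgsql"])
    # Recovery: one recursive relabel through the expected path fixes every type.
    out["repaired"] = relabel(dict(out["full_home_last"]), "/var/lib/pgsql")
    return out

if __name__ == "__main__":
    for name, labels in demo().items():
        print(name, labels)
```

In this model the tree under /var/lib/pgsql carries three distinct types, which is why a single recursive restorecon through that path is simpler than one chcon per type.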



