SELinux question

Zoltan Boszormenyi zboszor at freemail.hu
Sun May 28 18:33:46 UTC 2006


Paul Howarth wrote:
> On Sun, 2006-05-28 at 17:13 +0200, Zoltan Boszormenyi wrote:
>   
>> Hi,
>>
>> answering to myself. :-)
>>
>> Zoltan Boszormenyi wrote:
>>     
>>> So, how can I fix the current situation and include /home1/pgsql in
>>> the postgresql context/domain? I would like to relabel it to recover 
>>> the context...
>>>
>>> BTW the same principle would apply if one would like to create
>>> another tablespace for postgresql under another mount point...
>>>       
>> After some more RTFM, it would seem simple:
>>
>> semanage fcontext -a -t postgresql_db_t '/home1/pgsql/data(/.*)?'
>> semanage fcontext -a -t postgresql_log_t '/home1/pgsql/pgstartup.log'
>> fixfiles relabel /home1/pgsql
>>
>> But it was not enough. Starting it with "service postgresql start" fails.
>> I had to modify the rc script, too. I had to replace /var/lib/pgsql with
>> /home1/pgsql everywhere despite the /var/lib/pgsql -> /home1/pgsql symlink.
>>     
>
> This will be failing because SELinux is blocking access to reading the
> symlink. You should find an avc denial for the lnk_file in your logs.
>   

I haven't found any. :-(
Can this difference below cause the problem?

[root at localhost log]# ls -d --scontext /var/lib/pgsql
user_u:object_r:var_lib_t        /var/lib/pgsql -> /home1/pgsql
[root at localhost log]# ls -d --scontext /var/lib/pgsql/
system_u:object_r:default_t      /var/lib/pgsql/

Adding /home1/pgsql with var_lib_t context didn't make any difference, though.

>> But this is enough for adding another tablespace under e.g. /home1/pgsql2:
>>
>> mkdir -p /home1/pgsql2/data
>> chown -R postgres.postgres /home1/pgsql2
>> semanage fcontext -a -t postgresql_db_t '/home1/pgsql2/data(/.*)?'
>> fixfiles relabel /home1/pgsql2
>>     
>
> An easier way is to bind mount /home/pgsql on /var/lib/pgsql etc. and do
> a restorecon -R on the "new" /var/lib/pgsql. That achieves the same
> effect without the symlink.
>   

I know, but the disk I installed will be (or already is) used for both my
databases and for extending /home. I created only one partition on that
disk, so... The system is my home/devel machine and the disk is SATA and
fast enough. Although for a high performance production machine, I would
always give PostgreSQL its own disks to separate WAL, table and index spaces.

Best regards,
Zoltán Böszörményi
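The thread above describes a two-part procedure (add file-context rules with semanage, then relabel) and shows a symlink whose own label (var_lib_t) differs from the label of the directory it points to (default_t). The script below is an added example for this page; it is not code from the thread, from Fedora or from the PostgreSQL package. It generates the commands rather than running them, so the plan can be reviewed before being piped to a shell as root. The paths /var/lib/pgsql, /home1/pgsql and /home1/pgsql2 are taken from the thread; the helper names are this example's own. Two things in it go beyond the thread and are stated as assumptions: `semanage fcontext -a -e OLD NEW` (a file-context equivalence, which makes the new root inherit every rule written for the old one) is a policycoreutils feature that postdates the 2006 tools in the thread, and `stat -c %C` needs coreutils built with SELinux support (it prints a placeholder otherwise). One practitioner caveat worth having next to the listing: default_t is the type a path gets when no file_contexts rule matches it at all, which is what a rule written for `/home1/pgsql/data(/.*)?` leaves the parent directory `/home1/pgsql` with; a rule covering the root itself, or an equivalence, avoids that.

```shell
#!/bin/sh
# Added example (not from the thread): plan and check an SELinux relabel for a
# PostgreSQL data directory moved out of /var/lib/pgsql. Paths follow the
# thread; helper names and the use of 'semanage fcontext -e' are assumptions.

PG_DEFAULT_ROOT=/var/lib/pgsql

# Emit the commands that make NEWROOT carry the labels the policy already
# gives /var/lib/pgsql. An equivalence rule covers the root directory itself,
# data/, the startup log and anything added later, so the top-level directory
# does not fall through to default_t the way a rule for 'data(/.*)?' alone
# leaves it. The last restorecon has no trailing slash, so it relabels the
# symlink inode at the old path rather than following it to the target.
pg_relabel_plan() {
    newroot=$1
    printf 'semanage fcontext -a -e %s %s\n' "$PG_DEFAULT_ROOT" "$newroot"
    printf 'restorecon -Rv %s\n' "$newroot"
    printf 'restorecon -v %s\n' "$PG_DEFAULT_ROOT"
}

# Same goal with explicit per-path rules, as the thread did, for a semanage
# that lacks -e. The pattern covers NEWROOT itself, not only NEWROOT/data.
pg_relabel_plan_explicit() {
    newroot=$1
    printf "semanage fcontext -a -t postgresql_db_t '%s(/.*)?'\n" "$newroot"
    printf "semanage fcontext -a -t postgresql_log_t '%s/pgstartup.log'\n" "$newroot"
    printf 'restorecon -Rv %s\n' "$newroot"
}

# Pull the type field out of a context such as system_u:object_r:default_t:s0.
pg_context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Show the label of the link inode and of its target separately. stat without
# -L uses lstat (the symlink's own label, what 'ls -d --scontext PATH' shows);
# with -L it follows the link (what 'ls -d --scontext PATH/' shows).
pg_show_labels() {
    path=$1
    printf 'link:   %s  %s\n' "$(stat -c %C "$path")" "$path"
    printf 'target: %s  %s\n' "$(stat -L -c %C "$path")" "$(readlink -f "$path")"
}

# Return 0 if the directory PATH resolves to carries postgresql_db_t, 1 otherwise.
pg_target_is_db() {
    ctx=$(stat -L -c %C "$1" 2>/dev/null) || return 1
    [ "$(pg_context_type "$ctx")" = postgresql_db_t ]
}

# Usage (as root, on an SELinux host):
#   pg_relabel_plan /home1/pgsql            # review the plan
#   pg_relabel_plan /home1/pgsql | sh       # apply it
#   pg_show_labels /var/lib/pgsql           # link label vs. target label
#   pg_target_is_db /var/lib/pgsql && echo "data root labelled postgresql_db_t"
```

After applying the plan, an AVC denial that still mentions `lnk_file` points at the symlink inode, while one that mentions `dir` or `file` with a source type of `default_t` or `var_lib_t` points at the target tree not having been relabelled; `pg_show_labels` separates the two cases without guessing.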
More information about the fedora-list mailing list