Need help with moving the data directory of Postgresql

Daniel J Walsh dwalsh at redhat.com
Tue Feb 14 17:50:47 UTC 2006


Markus Lindholm wrote:
> Hi
>
> Used the 'mount --bind', worked well for me. Thanks.
>
> But I was wondering why it is not possible to configure SELinux to 
> have the Postgresql data directory under /mnt?
>
> /markus
>
> On 2/10/06, *Paul Howarth* <paul at city-fan.org 
> <mailto:paul at city-fan.org>> wrote:
>
>     On Thu, 2006-02-09 at 20:10 +0100, Markus Lindholm wrote:
>     > Hi
>     >
>     > I have a FC4 box (all updates applied) on which I have a Postgresql
>     > server (standard fedora rpms) and I'm running targeted selinux policy.
>     > The problem is that I cannot move the data directory away
>     > from /var/lib/pgsql/data with out turning selinux off.
>     >
>     > Is there any HOWTOs out there that would be helpful?
>     >
>     > I've tried using chcon so that the permission would be identical
>     > between the new and the old
>     >
>     > [root at zeus ~]# ls -ldZ /var/lib/pgsql/data/
>     > drwx------  postgres postgres
>     > system_u:object_r:postgresql_db_t /var/lib/pgsql/data/
>     > [root at zeus ~]# ls -lZd /mnt/raid/db/pgsql/data/
>     > drwx------  postgres postgres
>     > system_u:object_r:postgresql_db_t /mnt/raid/db/pgsql/data/
>     >
>     > But I still get permission denied when I try to start postgresql !!
>     > If I mark the "Disable SELinux protection for Postgresql daemon" in
>     > the SELinux GUI, then it starts up fine.
>     > But what would be the correct way to handle this?
>
>     Why are you moving the data directory in the first place?
>
>     If it's for space reasons, an alternative approach might be simply to
>     mount your target partition on /var/lib/pgsql/data; if you're not using
>     an entire partition, you could use a bind mount:
>
>     # mount --bind /mnt/raid/db/pgsql/data /var/lib/pgsql/data
>
You could, but then other applications that are allowed to search mnt_t 
would be able to also, and a corrupted postgres could attack things on /mnt.

The idea is to isolate applications based on least privs so storing 
data/files in places like /tmp or /mnt is not usually a good idea for a 
confined application.
>
>     Paul.
>
>     --
>     fedora-selinux-list mailing list
>     fedora-selinux-list at redhat.com <mailto:fedora-selinux-list at redhat.com>
>     https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>
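A way to see Dan's point concretely, as an added example that is not part of the thread: the script below takes `ls -dZ`-style lines (constructed here to mirror the labels quoted above; the `var_t`, `var_lib_t` and `mnt_t` labels on the parent directories are assumed, not shown in the thread) and, for a data directory, lists the SELinux types on its ancestor chain other than `postgresql_db_t`. Every domain allowed to search those types can reach the data directory's path, which is why a data directory under `/mnt` sits behind `mnt_t` rather than behind the postgresql-specific types that `/var/lib/pgsql` does.

```shell
# Constructed "ls -dZ"-style sample lines: perms owner group context path.
# Labels for /var, /var/lib, /mnt and /mnt/raid are assumptions.
LABELS='drwxr-xr-x  root     root     system_u:object_r:var_t /var
drwxr-xr-x  root     root     system_u:object_r:var_lib_t /var/lib
drwxr-xr-x  postgres postgres system_u:object_r:postgresql_db_t /var/lib/pgsql
drwx------  postgres postgres system_u:object_r:postgresql_db_t /var/lib/pgsql/data
drwxr-xr-x  root     root     system_u:object_r:mnt_t /mnt
drwxr-xr-x  root     root     system_u:object_r:mnt_t /mnt/raid
drwxr-xr-x  postgres postgres system_u:object_r:postgresql_db_t /mnt/raid/db
drwxr-xr-x  postgres postgres system_u:object_r:postgresql_db_t /mnt/raid/db/pgsql
drwx------  postgres postgres system_u:object_r:postgresql_db_t /mnt/raid/db/pgsql/data'

# type_of PATH -> the type part (user:role:TYPE) of PATH's context
type_of() {
    printf '%s\n' "$LABELS" |
        awk -v p="$1" '$NF == p { split($4, c, ":"); print c[3]; exit }'
}

# ancestors PATH -> every directory from the top-level one down to PATH
ancestors() {
    path=$1; acc=""
    while [ -n "$path" ] && [ "$path" != "/" ]; do
        acc="$path
$acc"
        path=${path%/*}
    done
    printf '%s' "$acc"
}

# search_types DATADIR -> deduplicated, space-separated list of the types on
# DATADIR's ancestor chain that are not postgresql_db_t.  A domain needs
# search permission on each of these to reach DATADIR; conversely, anything
# already allowed to search them can get at least that far.
search_types() {
    ancestors "$1" | while read -r d; do
        t=$(type_of "$d")
        if [ "$t" != postgresql_db_t ]; then printf '%s\n' "$t"; fi
    done | awk '!seen[$0]++' | tr '\n' ' ' | sed 's/ $//'
}

search_types /var/lib/pgsql/data      # var_t var_lib_t
search_types /mnt/raid/db/pgsql/data  # mnt_t
```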