Need help with moving the data directory of Postgresql
Daniel J Walsh
dwalsh at redhat.com
Tue Feb 14 17:50:47 UTC 2006
Markus Lindholm wrote:
> Hi
>
> Used the 'mount --bind', worked well for me. Thanks.
>
> But I was wondering why it is not possible to configure Selinux to
> have the Postgresql data directory under /mnt?
>
> /markus
>
> On 2/10/06, Paul Howarth <paul at city-fan.org> wrote:
>
> On Thu, 2006-02-09 at 20:10 +0100, Markus Lindholm wrote:
> > Hi
> >
> > I have a FC4 box (all updates applied) on which I have a Postgresql
> > server (standard fedora rpms) and I'm running targeted selinux policy.
> > The problem is that I cannot move the data directory away
> > from /var/lib/pgsql/data without turning selinux off.
> >
> > Is there any HOWTOs out there that would be helpful?
> >
> > I've tried using chcon so that the permission would be identical
> > between the new and the old
> >
> > [root at zeus ~]# ls -ldZ /var/lib/pgsql/data/
> > drwx------ postgres postgres
> > system_u:object_r:postgresql_db_t /var/lib/pgsql/data/
> > [root at zeus ~]# ls -lZd /mnt/raid/db/pgsql/data/
> > drwx------ postgres postgres
> > system_u:object_r:postgresql_db_t /mnt/raid/db/pgsql/data/
> >
> > But I still get permission denied when I try to start postgresql !! If
> > I mark the "Disable SELinux protection for Postgresql daemon" in the
> > SELinux GUI, then it starts up fine.
> > But what would be the correct way to handle this?
>
> Why are you moving the data directory in the first place?
>
> If it's for space reasons, an alternative approach might be simply to
> mount your target partition on /var/lib/pgsql/data; if you're not using
> an entire partition, you could use a bind mount:
>
> # mount --bind /mnt/raid/db/pgsql/data /var/lib/pgsql/data
>
You could, but then other applications that are allowed to search mnt_t
would be able to also, and a corrupted postgres could attack things on /mnt.
The idea is to isolate applications based on least privs so storing
data/files in places like /tmp or /mnt is not usually a good idea for a
confined application.
>
> Paul.
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com <mailto:fedora-selinux-list at redhat.com>
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
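The reply above turns on search permission for mnt_t: a confined domain must be allowed to search every directory on the way to its data, so relabelling only the final directory with chcon does not help. The following is an added example, not code from the thread or from the Fedora policy; it walks a path and lists each component whose SELinux type falls outside a set the caller supplies. The labels for the intermediate directories and the `SEARCHABLE` set are assumptions made for illustration; only the two `data` directory labels come from the `ls -dZ` output quoted in the thread.

```python
import os
import posixpath

def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError(f"not an SELinux context: {context!r}")
    return parts[2]

def ancestors(path):
    """Yield every directory from / down to path itself."""
    current = "/"
    yield current
    for component in posixpath.normpath(path).strip("/").split("/"):
        if component:
            current = posixpath.join(current, component)
            yield current

def live_labels(path):
    """Read real labels from the security.selinux xattr (SELinux hosts only)."""
    return {d: os.getxattr(d, "security.selinux").rstrip(b"\0").decode()
            for d in ancestors(path)}

def unsearchable(path, labels, searchable_types):
    """List (directory, type) for each component whose type is not allowed."""
    blocked = []
    for directory in ancestors(path):
        dir_type = selinux_type(labels[directory])
        if dir_type not in searchable_types:
            blocked.append((directory, dir_type))
    return blocked

# Constructed sample labels; intermediate directories are assumed values.
LABELS = {
    "/": "system_u:object_r:root_t",
    "/var": "system_u:object_r:var_t",
    "/var/lib": "system_u:object_r:var_lib_t",
    "/var/lib/pgsql": "system_u:object_r:postgresql_db_t",
    "/var/lib/pgsql/data": "system_u:object_r:postgresql_db_t",
    "/mnt": "system_u:object_r:mnt_t",
    "/mnt/raid": "system_u:object_r:mnt_t",
    "/mnt/raid/db": "system_u:object_r:mnt_t",
    "/mnt/raid/db/pgsql": "system_u:object_r:mnt_t",
    "/mnt/raid/db/pgsql/data": "system_u:object_r:postgresql_db_t",
}
# Assumed set of types the daemon's domain may search (not read from a policy).
SEARCHABLE = {"root_t", "var_t", "var_lib_t", "postgresql_db_t"}
```

On an SELinux host, pass `live_labels(path)` in place of `LABELS` to check the real filesystem.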