[colug-432] RHEL6 + Postgres + SELinux = Sadness

Joshua Kramer josh at globalherald.net
Sun Apr 25 03:00:18 EDT 2010

Hello Everyone,

I have a bit of a quandary here.  I am using the RHEL6 64 bit beta and the 
PG 8.4.2 that comes with the distro.  Under normal circumstances, 
everything works fine.  However, I'm playing with the XFS filesystem... so 
my /opt directory is another volume formatted as XFS.  Under /opt I have a 
pgdata directory.  I've chowned it to postgresql, and configured its 
SELinux label thusly:

chcon system_u:object_r:postgresql_db_t:s0 pgdata

The problem occurs with the system init scripts.  If I do this:

/usr/sbin/service postgres initdb

...it fails, until I configure SELinux for 'permissive'.  If I do the 
initdb, then re-activate SELinux and try to:

/usr/sbin/service postgres start

...again, it fails.  Under /var/lib/pgsql, the pgstartup.log file says 
that there is a 'permission denied' error trying to open 
/opt/pgdata/postgresql.conf.  Interesting.  If I run PG in this manner:

su -l postgres -c "/usr/bin/postmaster -p '5432' -D '/opt/pgdata'"

...everything works fine, I can connect and do selects, etc.

I imagine there is a problem in the domain transition between the init 
user and the postgresql user.  When I run those commands as root, the root 
user is in a different domain than init, so it runs OK.

What is interesting is that setroubleshootd does *not* give any failure 
messages as it did under similar circumstances in RHEL5.

Does anyone have experience with this - SELinux in the new RHEL6 beta?


