21.4. Configuration Examples

download PDF

21.4.1. PostgreSQL Changing Database Location

When using Red Hat Enterprise Linux, the default location for PostgreSQL to store its database is /var/lib/pgsql/data/. This is where SELinux expects it to be by default, and hence this area is already labeled appropriately for you, using the postgresql_db_t type.
The area where the database is located can be changed depending on individual environment requirements or preferences, however it is important that SELinux is aware of this new location; that it is labeled accordingly. This example explains how to change the location of a PostgreSQL database and then how to label the new location so that SELinux can still provide its protection mechanisms to the new area based on its contents.
Note that this is an example only and demonstrates how SELinux can affect PostgreSQL. Comprehensive documentation of PostgreSQL is beyond the scope of this document. See the official PostgreSQL documentation for further details. This example assumes that the postgresql-server package is installed.
  1. View the SELinux context of the default database location for postgresql:
    ~]# ls -lZ /var/lib/pgsql
    drwx------. postgres postgres system_u:object_r:postgresql_db_t:s0 data
    This shows postgresql_db_t which is the default context element for the location of database files. This context will have to be manually applied to the new database location that will be used in this example in order for it to function properly.
  2. Create a new directory for the new location of the database(s). In this example, /opt/postgresql/data/ is used. If you use a different location, replace the text in the following steps with your location:
    ~]# mkdir -p /opt/postgresql/data
  3. Perform a directory listing of the new location. Note that the initial context of the new directory is usr_t. This context is not sufficient for SELinux to offer its protection mechanisms to PostgreSQL. Once the context has been changed, it will be able to function properly in the new area.
    ~]# ls -lZ /opt/postgresql/
    drwxr-xr-x. root root unconfined_u:object_r:usr_t:s0   data
  4. Change the ownership of the new location to allow access by the postgres user and group. This sets the traditional Unix permissions which SELinux will still observe.
    ~]# chown -R postgres:postgres /opt/postgresql
  5. Open the /etc/systemd/system/postgresql.service file with a text editor and modify the PGDATA and PGLOG variables to point to the new location:
    ~]# vi /etc/systemd/system/postgresql.service
    Save this file and exit the text editor.
    If the /etc/systemd/system/postgresql.service file does not exist, create it and insert the following content:
    .include /lib/systemd/system/postgresql.service
    # Location of database directory
  6. Initialize the database in the new location:
    ~]$ su - postgres -c "initdb -D /opt/postgresql/data"
  7. Having changed the database location, starting the service will fail at this point:
    ~]# systemctl start postgresql.service
    Job for postgresql.service failed. See 'systemctl status postgresql.service' and 'journalctl -xn' for details.
    SELinux has caused the service to not start. This is because the new location is not properly labeled. The following steps explain how to label the new location (/opt/postgresql/) and start the postgresql service properly:
  8. Use the semanage utility to add a context mapping for /opt/postgresql/ and any other directories/files within it:
    ~]# semanage fcontext -a -t postgresql_db_t "/opt/postgresql(/.*)?"
  9. This mapping is written to the /etc/selinux/targeted/contexts/files/file_contexts.local file:
    ~]# grep -i postgresql /etc/selinux/targeted/contexts/files/file_contexts.local
    /opt/postgresql(/.*)?    system_u:object_r:postgresql_db_t:s0
  10. Now use the restorecon utility to apply this context mapping to the running system:
    ~]# restorecon -R -v /opt/postgresql
  11. Now that the /opt/postgresql/ location has been labeled with the correct context for PostgreSQL, the postgresql service will start successfully:
    ~]# systemctl start postgresql.service
  12. Confirm the context is correct for /opt/postgresql/:
    ~]$ ls -lZ /opt
    drwxr-xr-x. root root system_u:object_r:postgresql_db_t:s0 postgresql
  13. Check with the ps command that the postgresql process displays the new location:
    ~]# ps aux | grep -i postmaster
    postgres 21564  0.3  0.3  42308  4032 ?        S    10:13   0:00 /usr/bin/postmaster -p 5432 -D /opt/postgresql/data/
  14. The location has been changed and labeled, and postgresql has started successfully. At this point all running services should be tested to confirm normal operation.
Red Hat logoGithubRedditYoutubeTwitter


Try, buy, & sell


About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

© 2024 Red Hat, Inc.