Red Hat Summit이 콘텐츠는 선택한 언어로 제공되지 않습니다.
10.4. Configuration Examples
10.4.1. PostgreSQL Changing Database Location
When using Red Hat Enterprise Linux 6, the default location for PostgreSQL to store its database is
/var/lib/pgsql/data. This is where SELinux expects it to be by default, and hence this area is already labeled appropriately for you, using the postgresql_db_t type.
The area where the database is located can be changed depending on individual environment requirements or preferences, however it is important that SELinux is aware of this new location; that it is labeled accordingly. This example explains how to change the location of a PostgreSQL database and then how to label the new location so that SELinux can still provide its protection mechanisms to the new area based on its contents.
Note that this is an example only and demonstrates how SELinux can affect PostgreSQL. Comprehensive documentation of PostgreSQL is beyond the scope of this document. Refer to the official PostgreSQL documentation for further details. This example assumes that the postgresql-server package is installed.
- Run the
ls -lZ /var/lib/pgsqlcommand to view the SELinux context of the default database location forpostgresql:~]#
ls -lZ /var/lib/pgsqldrwx------. postgres postgres system_u:object_r:postgresql_db_t:s0 dataThis showspostgresql_db_twhich is the default context element for the location of database files. This context will have to be manually applied to the new database location that will be used in this example in order for it to function properly. - Create a new directory for the new location of the database(s). In this example,
/opt/postgresql/data/is used. If you use a different location, replace the text in the following steps with your location:~]#
mkdir -p /opt/postgresql/data - Perform a directory listing of the new location. Note that the initial context of the new directory is usr_t. This context is not sufficient for SELinux to offer its protection mechanisms to PostgreSQL. Once the context has been changed, it will be able to function properly in the new area.
~]#
ls -lZ /opt/postgresql/drwxr-xr-x. root root unconfined_u:object_r:usr_t:s0 data - Change the ownership of the new location to allow access by the postgres user and group. This sets the traditional Unix permissions which SELinux will still observe.
~]#
chown -R postgres:postgres /opt/postgresql - Open the PostgreSQL init file
/etc/rc.d/init.d/postgresqlwith a text editor and modify thePGDATAandPGLOGvariables to point to the new location:~]#
vi /etc/rc.d/init.d/postgresqlPGDATA=/opt/postgresql/data PGLOG=/opt/postgresql/data/pgstartup.logSave this file and exit the text editor. - Initialize the database in the new location.
~]$
su - postgres -c "initdb -D /opt/postgresql/data" - Having changed the database location, starting the service will fail at this point:
~]#
service postgresql startStarting postgresql service: [FAILED]SELinux has caused the service to not start. This is because the new location is not properly labelled. The following steps explain how to label the new location (/opt/postgresql/) and start the postgresql service properly: - Run the
semanagecommand to add a context mapping for/opt/postgresql/and any other directories/files within it:~]#
semanage fcontext -a -t postgresql_db_t "/opt/postgresql(/.*)?" - This mapping is written to the
/etc/selinux/targeted/contexts/files/file_contexts.localfile:~]#
grep -i postgresql /etc/selinux/targeted/contexts/files/file_contexts.local/opt/postgresql(/.*)? system_u:object_r:postgresql_db_t:s0 - Now use the
restoreconcommand to apply this context mapping to the running system:~]#
restorecon -R -v /opt/postgresql - Now that the
/opt/postgresql/location has been labeled with the correct context for PostgreSQL, thepostgresqlservice will start successfully:~]#
service postgresql startStarting postgreSQL service: [ OK ] - Confirm the context is correct for
/opt/postgresql/:~]$
ls -lZ /optdrwxr-xr-x. root root system_u:object_r:postgresql_db_t:s0 postgresql - Check with the
pscommand that thepostgresqlprocess displays the new location:~]#
ps aux | grep -i postmasterpostgres 21564 0.3 0.3 42308 4032 ? S 10:13 0:00 /usr/bin/postmaster -p 5432 -D /opt/postgresql/data/ - The location has been changed and labeled, and the
postgresqldaemon has started successfully. At this point all running services should be tested to confirm normal operation.
