Selinux problem when systemd invokes my postgres server

Dear friends,

I am trying to run a new postgres instance with/on:

  • a mounted raid drive
  • a separate process managed by an individual systemd service
  • with its own listener port

Here is the problem:
I can run the postmaster directly from my postgres account when I perform the call:
$ postmaster -D /mnt/raider/data/postgres/dbaccounting/defTS

But when I try to start the database using systemd start, the invoked postmaster is not able to access the data directory where the postgres files are located:

When I disable selinux, the server can be started by systemd, so there seems to be a problem with systemd when it invokes the postmaster. The generated systemd file is using the postgres user, so this should be fine.

Let me show you how I build the database:
**my file system setting**

  1. chown -R postgres:postgres /mnt/raider/data/postgres
  2. semanage fcontext -a -t postgresql_db_t /mnt/raider/data/postgres/dbaccounting/defTS
  3. semanage fcontext -a -t postgresql_db_t /mnt/raider/data/postgres/dbaccounting
  4. setfattr -n security.selinux -v "system_u:object_r:postgresql_db_t:s0" /mnt/raider/data/postgres/dbaccounting

my setting when I create the database

  5. semanage port -a -t postgresql_port_t -p tcp 5600
  6. firewall-cmd --permanent --add-port=5600/tcp
  7. firewall-cmd --add-port=5600/tcp
  8. firewall-cmd --reload

then create my database unit

  9. postgresql-new-systemd-unit --unit accounting --datadir /mnt/raider/data/postgres/dbaccounting/defTS

then create and initialize a new db

  10. postgresql-setup --initdb --unit accounting --port 5600

Any ideas what I might have forgotten to set?

I think you remembered more of the SELinux moving parts than I would have done.

Looking at your list, I would double check the permissions on /mnt, /mnt/raider, and /mnt/raider/data - make sure that everyone has at least execute permission on those directories (chmod o+x ...).

If it’s still not starting after that, it might be worth putting SELinux in permissive mode (rather than disabling it) and looking at the logs to see what errors are generated.

Salut Vlad,

I cannot use the defaults, because they are already in use, including the port number. Besides, I have an older version running, also on Fedora, that works exactly like I described above!

Anyway thanks for your hints.

Salut Thomas,

as I wrote, the manual start of the postmaster (using the postgres account) does work. So the permissions for postgres should be fine. The question is why systemd is not capable of starting the postmaster in the same way I did (manually).

Try collecting the related error messages:

sudo setenforce 0
sudo systemctl restart custom_unit
journalctl --no-pager -b -u custom_unit
journalctl --no-pager -b -g avc

Dear friends,

thank you all for your hints and ideas. In the meantime I was able to understand and fix that issue. The problem was related to selinux, and I found out that the mount point of the file system that held one of the services was missing a selinux tag.

Now it looks like this and it is running perfectly:

$ ls -ldZ /mnt/raider
drwxr-xr-x. 1 root root system_u:object_r:mnt_t:s0 60 1. Apr 20:08 /mnt/raider

I had to add mnt_t, that's all :wink:
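Putting Thomas's advice and the final fix together as an added example (this is not code from the thread): a small POSIX shell check that reads `ls -ldZ` output for the data directory and each of its ancestors, flagging any directory without an SELinux label and any ancestor that is not world-searchable. It assumes `ls -Z` prints `?` for a file with no label, and the sample listing below is constructed.

```shell
# Added example, not from the thread. For a PostgreSQL data directory and each
# ancestor: every ancestor must be searchable by others (o+x), every directory
# must carry an SELinux label, and the data directory must be postgresql_db_t.

# check_path_labels DATADIR   (reads `ls -ldZ` lines, one directory each, on stdin)
# Prints one line per finding; returns 0 when clean, 1 when something was found.
check_path_labels() {
    datadir=$1
    findings=0
    while read -r mode nlink owner group ctx rest; do
        [ -n "$mode" ] || continue
        path=${rest##* }                          # the path is the last field
        setype=${ctx#*:*:}; setype=${setype%%:*}  # third colon field: SELinux type
        # No label shows up as "?" (xattr missing) or as unlabeled_t (assumed).
        if [ "$ctx" = "?" ] || [ "$setype" = "unlabeled_t" ]; then
            echo "$path: no SELinux label (fix with semanage fcontext + restorecon)"
            findings=$((findings + 1))
        fi
        if [ "$path" = "$datadir" ]; then
            # The data directory itself must carry the PostgreSQL policy type.
            if [ "$setype" != "postgresql_db_t" ]; then
                echo "$path: type is $setype, expected postgresql_db_t"
                findings=$((findings + 1))
            fi
        else
            # Ancestors need search (execute) permission for others, or postgres
            # cannot even reach the data directory (Thomas's chmod o+x advice).
            case $mode in
                d????????[xt]*) ;;
                *) echo "$path: mode $mode lacks o+x (chmod o+x $path)"
                   findings=$((findings + 1)) ;;
            esac
        fi
    done
    [ "$findings" -eq 0 ]
}

# Constructed sample: the mount point has no label and /mnt/raider/data is not
# world-searchable; the data directory itself is labelled correctly.
DATADIR=/mnt/raider/data/postgres/dbaccounting/defTS
SAMPLE='drwxr-xr-x. 1 root root system_u:object_r:mnt_t:s0 60 1. Apr 20:08 /mnt
drwxr-xr-x. 1 root root ? 60 1. Apr 20:08 /mnt/raider
drwxr-x---. 1 postgres postgres system_u:object_r:postgresql_db_t:s0 60 1. Apr 20:08 /mnt/raider/data
drwx------. 1 postgres postgres system_u:object_r:postgresql_db_t:s0 60 1. Apr 20:08 '"$DATADIR"

if printf '%s\n' "$SAMPLE" | check_path_labels "$DATADIR"; then
    echo "path to $DATADIR looks clean"
else
    echo "fix the findings above, then restart the unit"
fi
```

On a live host, feed the function with `ls -ldZ` of the data directory and each ancestor (for the thread's layout: /mnt, /mnt/raider, /mnt/raider/data, /mnt/raider/data/postgres, /mnt/raider/data/postgres/dbaccounting and the data directory) instead of the constructed sample.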