postgresql cannot access server configuration file

August 27, 2015, 10:22 PM

I faced an access denied error when attempting to start PostgreSQL 9.2 with a custom database path on CentOS 7:

~]$ sudo systemctl start postgresql.service
Job for postgresql.service failed. See 'systemctl status postgresql.service' and 'journalctl -xn' for details.

~]$ systemctl status postgresql.service
Jul 26 10:07:05 testbox pg_ctl[5699]: postgres cannot access the server configuration file "/var/pgsql/data/postgresql.conf": Permission denied

The file was actually in place with the right permissions, and all the directory permissions seemed right too.

It was SELinux limiting access to the postgres database files in the non-standard location. Examining /var/log/audit/audit.log quickly revealed that.

The log had a denial record like this:

type=AVC msg=audit(1437920005.070:1886): avc: denied { getattr } for pid=5732 comm="postgres" path="/var/pgsql/data/postgresql.conf" dev="dm-0" ino=779014 scontext=system_u:system_r:postgresql_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file

The directory listing with SELinux contexts showed:

~]$ sudo ls -Z /var/pgsql/data

-rw-------. postgres postgres unconfined_u:object_r:var_t:s0 postgresql.conf
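
To list every object a given domain was denied on, together with the label type the object currently carries, the audit log can be filtered as below. This is an added example, not part of the original post; the function names avc_denials and sample_audit_log are made up here, and all sample records except the first are constructed.

```shell
#!/bin/sh
# Added example, not from the original post.
# avc_denials DOMAIN: read audit.log text on stdin and print, for each object
# the DOMAIN type was denied on: path, current target type, class, permissions.
avc_denials() {
    awk -v dom="$1" '
    # Value of key=value or key="value" in the current record ("" if absent).
    function field(key,    i, v) {
        for (i = 1; i <= NF; i++)
            if (index($i, key "=") == 1) {
                v = substr($i, length(key) + 2)
                gsub(/"/, "", v)
                return v
            }
        return ""
    }
    # Type is the third part of user:role:type:level.
    function setype(ctx,    p) { split(ctx, p, ":"); return p[3] }

    /type=AVC/ && /denied/ {
        if (setype(field("scontext")) != dom) next
        perms = $0                       # keep only what is inside { ... }
        sub(/^.*[{] */, "", perms); sub(/ *[}].*$/, "", perms)
        gsub(/ +/, ",", perms)
        obj = field("path"); if (obj == "") obj = field("name")
        key = obj " " setype(field("tcontext")) " " field("tclass")
        if (!(key in seen)) { order[++n] = key; seen[key] = perms }
        else if (index("," seen[key] ",", "," perms ",") == 0)
            seen[key] = seen[key] "," perms
    }
    END { for (i = 1; i <= n; i++) print order[i], seen[order[i]] }
    '
}

# Sample input: first record is the one quoted above, the others are constructed.
sample_audit_log() {
    cat <<'EOF'
type=AVC msg=audit(1437920005.070:1886): avc: denied { getattr } for pid=5732 comm="postgres" path="/var/pgsql/data/postgresql.conf" dev="dm-0" ino=779014 scontext=system_u:system_r:postgresql_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1437920005.071:1887): avc: denied { open } for pid=5732 comm="postgres" path="/var/pgsql/data/postgresql.conf" dev="dm-0" ino=779014 scontext=system_u:system_r:postgresql_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1437920011.112:1890): avc: denied { read } for pid=6001 comm="httpd" name="index.html" dev="dm-0" ino=780001 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file
EOF
}

sample_audit_log | avc_denials postgresql_t
```

On a real system, feed it the log itself, for example `sudo cat /var/log/audit/audit.log | avc_denials postgresql_t`.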

The most secure way is to relabel the corresponding files and to adjust the SELinux file contexts. In my case the custom location was /var/pgsql/.

Initially I relabeled my db files. Since I had no log files yet, it was enough to do just:

sudo chcon -R system_u:object_r:postgresql_db_t:s0 /var/pgsql/

You may also have to execute chcon system_u:object_r:postgresql_log_t:s0 on whatever log files you have.

Then add contexts for the new location of the db and log files to the SELinux file context rules (fcontext), so that the labels persist when the files are relabeled. Since in my case the custom location was /var/pgsql/, I added:

sudo semanage fcontext -a -t postgresql_db_t '/var/pgsql(/.*)?'
sudo semanage fcontext -a -t postgresql_log_t '/var/pgsql/.*\.log'
sudo semanage fcontext -a -t postgresql_log_t '/var/pgsql/data/pg_log(/.*)?'
sudo semanage fcontext -a -t postgresql_log_t '/var/pgsql/logfile(/.*)?'

After all this magic, postgresql was able to successfully start with the database in my custom location.

If you don't have to be that secure, you may just set SELinux into permissive mode, or turn it off (not recommended).

Good luck :-)

Added by: ep | Tags: postgresql, RedHat, selinux, Linux