
loc2log


I faced an access denied error when attempting to start PostgreSQL 9.2 with a custom database path on CentOS 7:

~]$ sudo systemctl start postgresql.service
Job for postgresql.service failed. See 'systemctl status postgresql.service' and 'journalctl -xn' for details.

~]$ systemctl status postgresql.service
...
Jul 26 10:07:05 testbox pg_ctl[5699]: postgres cannot access the server configuration file "/var/pgsql/data/postgresql.conf": Permission denied
...

The file was actually in place with the right permissions, and all the directory permissions seemed right too.

It was SELinux limiting access to the postgres database files in the non-standard location. Examining /var/log/audit/audit.log quickly revealed that.

The log had a denial record like this:

type=AVC msg=audit(1437920005.070:1886): avc: denied { getattr } for pid=5732 comm="postgres" path="/var/pgsql/data/postgresql.conf" dev="dm-0" ino=779014 scontext=system_u:system_r:postgresql_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file

The directory listing with SELinux contexts showed:

~]$ sudo ls -Z /var/pgsql/data

...
-rw-------. postgres postgres unconfined_u:object_r:var_t:s0 postgresql.conf
...
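
The diagnosis above can be scripted. The following is an added example, not part of the original post: it reduces AVC denials from audit.log to one line per unique denial, so a mislabeled target type such as var_t stands out. The function names and all sample lines except the post's own record are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): summarise SELinux AVC denials.
# Reads audit.log-format lines on stdin; optional $1 filters by source type.
# Output columns: comm  source_type  target_type  class  perms  object
avc_summary() {
    awk -v want="${1:-}" '
    /type=AVC/ && /avc: +denied/ {
        comm = ""; obj = ""; stype = ""; ttype = ""; tclass = ""
        # Permissions sit between "{" and "}".
        a = index($0, "{"); b = index($0, "}")
        perms = substr($0, a + 1, b - a - 1)
        gsub(/^ +| +$/, "", perms); gsub(/ +/, ",", perms)
        # Contexts are user:role:type:level, so the type is field 3.
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n == 0) continue
            key = substr($i, 1, n - 1); val = substr($i, n + 1)
            gsub(/"/, "", val)
            if (key == "comm") comm = val
            else if (key == "path" || key == "name") obj = val
            else if (key == "tclass") tclass = val
            else if (key == "scontext") { split(val, c, ":"); stype = c[3] }
            else if (key == "tcontext") { split(val, c, ":"); ttype = c[3] }
        }
        if (want != "" && stype != want) next
        print comm, stype, ttype, tclass, perms, obj
    }' | sort -u
}

# Sample input: line 1 is the record quoted in the post; lines 2-4 are
# constructed (a repeat of the denial, a non-AVC record, another domain).
sample_log() {
cat <<'EOF'
type=AVC msg=audit(1437920005.070:1886): avc: denied { getattr } for pid=5732 comm="postgres" path="/var/pgsql/data/postgresql.conf" dev="dm-0" ino=779014 scontext=system_u:system_r:postgresql_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1437920065.112:1893): avc: denied { getattr } for pid=5790 comm="postgres" path="/var/pgsql/data/postgresql.conf" dev="dm-0" ino=779014 scontext=system_u:system_r:postgresql_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file
type=SYSCALL msg=audit(1437920065.112:1893): arch=c000003e syscall=4 success=no exit=-13 comm="postgres" exe="/usr/bin/postgres"
type=AVC msg=audit(1437920100.000:1900): avc: denied { read } for pid=6001 comm="httpd" name="index.html" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
EOF
}

# Show only what the PostgreSQL domain was denied.
sample_log | avc_summary postgresql_t
```

On a real system, feed it the log instead of the sample: sudo cat /var/log/audit/audit.log | avc_summary postgresql_t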

The most secure way is to relabel the corresponding files and adjust the SELinux file contexts. In my case the custom location was /var/pgsql/.

Initially I relabeled my db files. Since I had no log files yet, it was enough to run just:

sudo chcon -R system_u:object_r:postgresql_db_t:s0 /var/pgsql/

You may also have to execute chcon system_u:object_r:postgresql_log_t:s0 on whatever log files you have.

Add the contexts for your new database and log file locations to the SELinux file context (fcontext) rules. Since in my case the custom location was /var/pgsql/, I added:

sudo semanage fcontext -a -t postgresql_db_t '/var/pgsql(/.*)?'
sudo semanage fcontext -a -t postgresql_log_t '/var/pgsql/.*\.log'
sudo semanage fcontext -a -t postgresql_log_t '/var/pgsql/data/pg_log(/.*)?'
sudo semanage fcontext -a -t postgresql_log_t '/var/pgsql/logfile(/.*)?'

After all this magic, postgresql was able to successfully start with the database in my custom location.

If you don't have to be that secure, you may just set SELinux into permissive mode, or turn it off (not recommended). See how.

Good luck :-)

Views: 3211 | Added by: ep | Date: 2015-08-26 | Comments (0)

Here is how to disable SELinux on CentOS 7. This should also work on the corresponding Red Hat systems.

First of all, check the status of SELinux on your system:

~]$ sestatus

To make SELinux permissive immediately:

~]$ sudo setenforce Permissive

To keep SELinux permissive after a reboot, edit /etc/sysconfig/selinux so that it contains

SELINUX=permissive

To disable SELinux altogether, edit /etc/sysconfig/selinux so that it contains

SELINUX=disabled

The changes in /etc/sysconfig/selinux take effect after

sudo reboot

Great SELinux HowTo from CentOS

Views: 909 | Added by: ep | Date: 2015-08-26 | Comments (0)