Bug 847357
Summary: | Postgres startup script disregards /var/lib/pgsql/data/postgresql.conf TCP settings | | |
---|---|---|---|
Product: | Red Hat Enterprise Linux 6 | Reporter: | Dmitry S. Makovey <dmitry> |
Component: | postgresql | Assignee: | Tom Lane <tgl> |
Status: | CLOSED WONTFIX | QA Contact: | qe-baseos-daemons |
Severity: | medium | Priority: | unspecified |
Version: | 6.2 | CC: | hhorak |
Target Milestone: | rc | Hardware: | x86_64 |
OS: | Linux | Doc Type: | Bug Fix |
Last Closed: | 2012-08-10 19:15:11 UTC | Type: | Bug |
Description
Dmitry S. Makovey
2012-08-10 17:13:13 UTC
As a side-note: moving postgresql to a different port number also triggers SELinux denial which could be resolved with:

    #============= postgresql_t ==============
    allow postgresql_t port_t:tcp_socket name_bind;

Since postgresql in RHEL6 seems to be geared for multi-DB setups, it may be better to have SELinux tunable for the above rule. I found allow_user_postgresql_connect which is one tunable to enable connection *to* PostgreSQL process, but there needs to be another one to allow PostgreSQL bind to an arbitrary port?

This is not a bug. It has always been the case that the port number (like PGDATA) has to be configured in the init script if you want to change it. Changing it in postgresql.conf won't work reliably because pg_ctl has to know it. I will agree that this fact is underdocumented :-(

Development Management has reviewed and declined this request. You may appeal this decision by reopening this request.

Should I open a separate bug for comment #2 then, as it seems that only first comment was addressed in reply?

That would be something to discuss with the selinux-policy people, not me. I think it's a questionable thing anyway whether selinux-policy should support nonstandard configurations out-of-the-box ... who's to say whether postgres connecting to an unusual port isn't something selinux *ought* to complain about?

With respect to the SELinux configuration issue, I've added the following text to the README.rpm-dist doc file for postgresql:

If you are running SELinux in enforcing mode (which is highly recommended, particularly for network-exposed services like PostgreSQL) you will need to adjust SELinux policy to allow the postmaster to use non-default PGPORT or PGDATA settings. To allow use of a non-default port, say 5433, do this as root:

    semanage port -a -t postgresql_port_t -p tcp 5433

To allow use of a non-default data directory, say /special/pgdata, do:

    semanage fcontext -a -t postgresql_db_t "/special/pgdata(/.*)?"

If you already created the directory, follow that with:

    restorecon -R /special/pgdata

These settings are persistent across reboots. For more information see "man semanage".

(This is only in the Fedora copy at the moment, but it will propagate into RHEL in due time.)
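A check for the port label that the README text's `semanage port -a` command sets, as an added example that is not part of the bug thread or the postgresql package: it reads `semanage port -l` output on stdin and reports whether a given PGPORT is labelled `postgresql_port_t`. The function names and both sample listings are constructed for illustration.

```shell
#!/bin/bash
# Constructed samples of `semanage port -l` output (not captured from a real
# host): before and after `semanage port -a -t postgresql_port_t -p tcp 5433`.
SAMPLE_BEFORE='SELinux Port Type              Proto    Port Number

http_cache_port_t              tcp      3128, 8080, 8118, 10001-10010
postgresql_port_t              tcp      5432'
SAMPLE_AFTER='SELinux Port Type              Proto    Port Number

http_cache_port_t              tcp      3128, 8080, 8118, 10001-10010
postgresql_port_t              tcp      5433, 5432'

# port_types PORT [PROTO]: read a `semanage port -l` listing on stdin and
# print every SELinux port type whose entry covers PORT. Handles
# comma-separated lists and lo-hi ranges; the header line is skipped because
# its second column is not a protocol name.
port_types() {
    awk -v want="$1" -v proto="${2:-tcp}" '
        NF >= 3 && $2 == proto {
            for (i = 3; i <= NF; i++) {
                p = $i; sub(/,$/, "", p)          # drop the list separator
                n = split(p, r, "-")              # "10001-10010" -> lo, hi
                lo = r[1] + 0; hi = (n == 2 ? r[2] : r[1]) + 0
                if (want + 0 >= lo && want + 0 <= hi) { print $1; break }
            }
        }'
}

# pgport_allowed PORT: succeed only if PORT is labelled postgresql_port_t,
# i.e. the postmaster may bind it without a blanket rule on port_t.
pgport_allowed() {
    port_types "$1" tcp | grep -qx 'postgresql_port_t'
}

# Demo on the constructed listings; on a live system pipe in the real output:
#   semanage port -l | pgport_allowed 5433
for port in 5432 5433; do
    if printf '%s\n' "$SAMPLE_BEFORE" | pgport_allowed "$port"; then
        echo "before: tcp/$port labelled postgresql_port_t"
    else
        echo "before: tcp/$port NOT labelled, expect a name_bind denial"
    fi
done
```

Labelling the single port keeps the policy narrower than the `allow postgresql_t port_t:tcp_socket name_bind` rule from the first comment, which would permit binding to any port typed `port_t`.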