postgresql-ctl: fix SCLs & SELinux

* postgresql.init.in: Use 'postgres' binary instead of
'postmaster', because it has proper selinux context.
* postgresql.service.in: Use postgresql-ctl everywhere, to make
sure that correct selinux context is used even with SCL.

1 files changed, 17 insertions, 4 deletions

diff --git a/postgresql-ctl.in b/postgresql-ctl.in
index 05bf60b..feef1d2 100644
--- a/postgresql-ctl.in
+++ b/postgresql-ctl.in
@@ -1,7 +1,20 @@
 #!/bin/bash
 
-# This script is compat-wrapper for PGPORT specifying directly in
-# postgresql.service.  There is not possible to do conditional step in service
-# file based on (non)existence of PGPORT variable.
+# Thin wrapper arount pg_ctl.
+#
+# This file exists for the following reasons:
+#
+# * It is s compat-wrapper for the cases when PGPORT *is* set directly in
+#   postgresql.service (nowadays users should configure port directly in
+#   postgresql.conf).  This is hack which allows us to do a conditional step
+#   before running pg_ctl (which is not allowed by systemd).
+#
+# * This helper script is necessary for having proper SELinux context of daemon
+#   process run in SCL environment via systemd/sysvinit service file.  Without
+#   this script the process looses SELinux type because /usr/bin/scl
+#   has context bin_t and 'unit_t -> bin_t' results in unconfined process.
+#   This file must thus have 'postgresql_exec_t' fcontext.
 
-@bindir@/pg_ctl "$@" ${PGPORT+-o "-p $PGPORT"}
+@SCL_SOURCE@
+
+exec @bindir@/pg_ctl "$@" ${PGPORT+-o "-p $PGPORT"}