From 0a7189b8084e75ad36e36491ccffd2ad1e0b7f34 Mon Sep 17 00:00:00 2001
From: Pavel Raiskup
Date: Tue, 17 Mar 2015 17:02:28 +0100
Subject: postgresql-ctl: fix SCLs & SELinux
* postgresql.init.in: Use 'postgres' binary instead of 'postmaster', because it has proper selinux context.
* postgresql.service.in: Use postgresql-ctl everywhere, to make sure that correct selinux context is used even with SCL.
---
 postgresql-ctl.in | 21 +++++++++++++++++----
 postgresql.init.in | 6 +++---
 postgresql.service.in | 11 ++++++-----
 3 files changed, 26 insertions(+), 12 deletions(-)
diff --git a/postgresql-ctl.in b/postgresql-ctl.in
index 05bf60b..feef1d2 100644
--- a/postgresql-ctl.in
+++ b/postgresql-ctl.in
@@ -1,7 +1,20 @@
 #!/bin/bash
-# This script is compat-wrapper for PGPORT specifying directly in
-# postgresql.service. There is not possible to do conditional step in service
-# file based on (non)existence of PGPORT variable.
+# Thin wrapper arount pg_ctl.
+#
+# This file exists for the following reasons:
+#
+# * It is s compat-wrapper for the cases when PGPORT *is* set directly in
+# postgresql.service (nowadays users should configure port directly in
+# postgresql.conf). This is hack which allows us to do a conditional step
+# before running pg_ctl (which is not allowed by systemd).
+#
+# * This helper script is necessary for having proper SELinux context of daemon
+# process run in SCL environment via systemd/sysvinit service file. Without
+# this script the process looses SELinux type because /usr/bin/scl
+# has context bin_t and 'unit_t -> bin_t' results in unconfined process.
+# This file must thus have 'postgresql_exec_t' fcontext.
-@bindir@/pg_ctl "$@" ${PGPORT+-o "-p $PGPORT"}
+@SCL_SOURCE@
+
+exec @bindir@/pg_ctl "$@" ${PGPORT+-o "-p $PGPORT"}
diff --git a/postgresql.init.in b/postgresql.init.in
index b3bd560..aadd3dd 100644
--- a/postgresql.init.in
+++ b/postgresql.init.in
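Review bot: The new header comment makes the daemon's SELinux confinement depend on this wrapper carrying the `postgresql_exec_t` file context, but nothing in the hunk says where that label is assigned or what happens when it is missing. A wrapper that loses the label (for example after a copy or restore without relabeling) would presumably still start the server, only unconfined, and nothing would report it. I would extend the comment with the source of the label, e.g. `# The label is assigned by <policy module or spec file>; verify with 'ls -Z' after install.`, with the placeholder filled in by the packager. The same comment block has typos worth fixing while there: `arount` should be `around`, `It is s` should be `It is a`, and `looses` should be `loses`.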
@@ -87,7 +87,7 @@ script_result=0
 start()
 {
- [ -x "$PGENGINE/postmaster" ] || exit 5
+ [ -x "$PGENGINE/postgres" ] || exit 5
 PSQL_START=$"Starting ${NAME} service: "
@@ -114,7 +114,7 @@ start()
 # postmaster is down. This just unnecessarily wastes time and generates
 # too much (false) rush in $PGLOG.
 run_cmd_as_dbadmin \
- "$PGENGINE/postmaster ${PGPORT+-o "-p $PGPORT"} \
+ "$PGENGINE/postgres ${PGPORT+-o "-p $PGPORT"} \
 -D '$PGDATA' ${PGOPTS} &" \
 "$PGLOG" "$PGLOG"
@@ -207,7 +207,7 @@ case "$1" in
 stop
 ;;
 status)
- status -p "$pidfile" postmaster
+ status -p "$pidfile" postgres
 script_result=$?
 ;;
 restart)
diff --git a/postgresql.service.in b/postgresql.service.in
index 560114d..897f732 100644
--- a/postgresql.service.in
+++ b/postgresql.service.in
@@ -30,11 +30,12 @@ Environment=PG_OOM_ADJUST_VALUE=0
 ExecStartPre=@libexecdir@/postgresql-check-db-dir %N
-# Temporarily use postgresql-ctl wrapper around pg_ctl until there will
-# exist clients which set PGPORT in service file.
-ExecStart=@SCL_SHELL_WRAPPER@@libexecdir@/postgresql-ctl start -D ${PGDATA} -s -w -t 300
-ExecStop=@SCL_SHELL_WRAPPER@@bindir@/pg_ctl stop -D ${PGDATA} -s -m fast
-ExecReload=@SCL_SHELL_WRAPPER@@bindir@/pg_ctl reload -D ${PGDATA} -s
+# Use convenient postgresql-ctl wrapper instead of directly pg_ctl. See the
+# postgresql-ctl file itself for more info.
+
+ExecStart=@libexecdir@/postgresql-ctl start -D ${PGDATA} -s -w -t 300
+ExecStop=@libexecdir@/postgresql-ctl stop -D ${PGDATA} -s -m fast
+ExecReload=@libexecdir@/postgresql-ctl reload -D ${PGDATA} -s
 # Give a reasonable amount of time for the server to start up/shut down
 TimeoutSec=300
-- cgit
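Review bot: The start command in the `@@ -114` hunk is still one double-quoted string that `run_cmd_as_dbadmin` presumably passes to a shell, so `'$PGDATA'`, `${PGOPTS}` and the nested `${PGPORT+-o "-p $PGPORT"}` are parsed a second time after expansion. A value containing a quote or shell metacharacter would change the command that runs, and the inner double quotes around `-p $PGPORT` may not survive the outer quoting, which is worth testing with PGPORT set now that the binary is invoked as `postgres`. As the line is being edited anyway, I would add a comment above it such as `# PGDATA, PGOPTS and PGPORT are pasted into a shell command line; they must only come from root-owned configuration.` The definitions of run_cmd_as_dbadmin and of these variables lie outside the hunk, so the exposure could not be confirmed from here.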
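Review bot: Routing ExecStop and ExecReload through postgresql-ctl means the wrapper's `${PGPORT+-o "-p $PGPORT"}` is now appended to `pg_ctl stop` and `pg_ctl reload` as well, not only to `start`. `-o` carries options for the server command line, so it has no purpose for those two modes. pg_ctl appears to accept it there, but that is worth confirming on the oldest supported release with PGPORT set, because a rejected option would make stop and reload fail. Once verified, the new comment could state this explicitly, e.g. `# The wrapper adds -o "-p $PGPORT" for every mode; pg_ctl ignores it for stop and reload.`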