From 0a7189b8084e75ad36e36491ccffd2ad1e0b7f34 Mon Sep 17 00:00:00 2001
From: Pavel Raiskup
Date: Tue, 17 Mar 2015 17:02:28 +0100
Subject: postgresql-ctl: fix SCLs & SELinux
* postgresql.init.in: Use 'postgres' binary instead of 'postmaster', because it has proper selinux context.
* postgresql.service.in: Use postgresql-ctl everywhere, to make sure that correct selinux context is used even with SCL.
---
 postgresql-ctl.in | 21 +++++++++++++++++----
 1 file changed, 17 insertions(+), 4 deletions(-)
(limited to 'postgresql-ctl.in')
diff --git a/postgresql-ctl.in b/postgresql-ctl.in
index 05bf60b..feef1d2 100644
--- a/postgresql-ctl.in
+++ b/postgresql-ctl.in
@@ -1,7 +1,20 @@
 #!/bin/bash
-# This script is compat-wrapper for PGPORT specifying directly in
-# postgresql.service. There is not possible to do conditional step in service
-# file based on (non)existence of PGPORT variable.
+# Thin wrapper arount pg_ctl.
+#
+# This file exists for the following reasons:
+#
+# * It is s compat-wrapper for the cases when PGPORT *is* set directly in
+# postgresql.service (nowadays users should configure port directly in
+# postgresql.conf). This is hack which allows us to do a conditional step
+# before running pg_ctl (which is not allowed by systemd).
+#
+# * This helper script is necessary for having proper SELinux context of daemon
+# process run in SCL environment via systemd/sysvinit service file. Without
+# this script the process looses SELinux type because /usr/bin/scl
+# has context bin_t and 'unit_t -> bin_t' results in unconfined process.
+# This file must thus have 'postgresql_exec_t' fcontext.
-@bindir@/pg_ctl "$@" ${PGPORT+-o "-p $PGPORT"}
+@SCL_SOURCE@
+
+exec @bindir@/pg_ctl "$@" ${PGPORT+-o "-p $PGPORT"}
-- cgit
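Review bot: On the new `exec @bindir@/pg_ctl` line, `${PGPORT+-o "-p $PGPORT"}` still expands when PGPORT is set to the empty string, and the value goes into the `-o` option string without any validation. Because this wrapper is now the labelled entry point for the daemon, I would switch to `${PGPORT:+-o "-p $PGPORT"}` and reject non-numeric values before the exec, e.g. `case "$PGPORT" in *[!0-9]*) echo "invalid PGPORT" >&2; exit 1;; esac`. As far as I know pg_ctl passes the `-o` string through a shell when it starts the server, which is worth confirming against the shipped version. Separately, the `postgresql_exec_t` requirement appears only in the header comment and nothing in this hunk sets or checks the label, so the comment should say where the fcontext is applied (packaging or policy).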