PostgreSQL 9.5 SELinux
===========================================================

This package provides SELinux support for RHEL/CentOS/OracleLinux/etc. The actual context and rules are all provided by the standard packages; this package only places the postgresql95 binaries and other subdirectories in the correct context. It also provides some booleans to turn certain behaviour on or off, such as compatibility with the Oracle Client for use with the Oracle Foreign Data Wrapper.

If something is missing from the context, please create an issue on the PostgreSQL Issue Tracker.

Custom PGDATA-directory
===========================================================

For a non-standard PGDATA-directory, you have to add that directory to the file-context rules with semanage. You need to install the package policycoreutils-python for this.

For example, if your PGDATA-directory is /opt/postgresql/data you need the following two statements (replace the directory with your actual PGDATA-directory):

    semanage fcontext -a "/opt/postgresql/data(/.*)?" -t postgresql_db_t
    semanage fcontext -a "/opt/postgresql/data/pg_log(/.*)?" -t postgresql_log_t

In RHEL/CentOS/OL/SL 6 and lower, the logfile designated by the PGLOG-variable needs to be adjusted to reside inside the pg_log-directory, or the logfile needs to be added to the SELinux context. For example, you would need the following statement to give the file /opt/postgresql/pgstartup.log the correct context:

    semanage fcontext -a "/opt/postgresql/.*\.log" -t postgresql_log_t

Failing to assign the correct context can result in the cluster not starting at all, or in not being able to use, for instance, logrotate to manage your logfiles.

Custom PostgreSQL Ports
===========================================================

If you want to run your PostgreSQL-cluster on a non-default port, you need to add that port to the postgresql_port_t type. As this is also done with semanage, you need the package policycoreutils-python for this as well.

For example, you can add port 5433 to postgresql_port_t with the following command:

    semanage port -a -t postgresql_port_t -p tcp 5433

If the port is already defined in another SELinux port type, you have to use the -m switch instead of -a. If you want to use TCP/443 with PostgreSQL, for example, you can use the following command:

    semanage port -m -t postgresql_port_t -p tcp 443

Booleans
===========================================================

The following booleans are defined:

postgresql_can_network_connect_db (default false)

    To allow the postgresql_t-context to connect to other databases over the network, for instance by using the Oracle Foreign Data Wrapper, you need to turn this boolean on. This allows network connections to PostgreSQL, Oracle, MSSQL, MySQL and Interbase/Firebird. These ports are the same as those allowed by the boolean httpd_can_network_connect_db.

postgresql_execstack (default false)

    To allow the postgresql_t-context to make its stack executable, as required by the Oracle Instant Client, you need to turn this boolean on.
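
The procedure from the Custom PGDATA-directory and Custom PostgreSQL Ports sections, as an added example that is not part of this package: it prints the semanage commands for a given directory and port, choosing -a or -m by checking whether the port is already listed under another type. The function names, the sample `semanage port -l` listing and the closing restorecon step are assumptions of this example; it also assumes that only an exact port entry, not a broader range containing the port, counts as "already defined".

```shell
#!/bin/sh
# Added example, not part of the package. It only prints commands; review
# them and run them as root on the target host.

# Constructed sample of `semanage port -l` output. On a real host use:
#   PORT_LIST=$(semanage port -l)
SAMPLE_PORT_LIST='SELinux Port Type              Proto    Port Number

http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
postgresql_port_t              tcp      5432
traceroute_port_t              udp      64000-64010'

# port_owner LIST PROTO PORT: print the type that lists exactly PORT, if any.
port_owner() {
    printf '%s\n' "$1" | awk -v proto="$2" -v port="$3" '
        $2 == proto {
            for (i = 3; i <= NF; i++) {
                p = $i; sub(/,$/, "", p)      # strip the list separator
                if (p == port) { print $1; exit }
            }
        }'
}

# port_command LIST PORT: print the command that assigns tcp/PORT to PostgreSQL.
port_command() {
    owner=$(port_owner "$1" tcp "$2")
    case "$owner" in
        postgresql_port_t) echo "# tcp/$2 already has type postgresql_port_t" ;;
        "") echo "semanage port -a -t postgresql_port_t -p tcp $2" ;;  # undefined: add
        *)  echo "semanage port -m -t postgresql_port_t -p tcp $2" ;;  # other type: modify
    esac
}

# pgdata_commands DIR: print the labelling commands for a custom PGDATA.
pgdata_commands() {
    dir=${1%/}                                # tolerate a trailing slash
    echo "semanage fcontext -a \"$dir(/.*)?\" -t postgresql_db_t"
    echo "semanage fcontext -a \"$dir/pg_log(/.*)?\" -t postgresql_log_t"
    # semanage fcontext only records the rule; restorecon applies the labels
    # to files that already exist (step added by this example).
    echo "restorecon -R -v $dir"
}

pgdata_commands /opt/postgresql/data
port_command "$SAMPLE_PORT_LIST" 5433
port_command "$SAMPLE_PORT_LIST" 443
```

Note that `-m` on a port such as 443 takes that port away from the type that held it, so any service confined to the previous type can no longer bind to it.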