Wednesday, December 4, 2013

SELinux & PostgreSQL PGDATA *not* in /var/lib/pgsql/data

I've been playing around with PostgreSQL for years but never used it professionally.  I use MySQL for pay, but more on that later.  Both have default locations for the actual files that contain the data, etc., and these locations are already configured in SELinux so the RDBMS can start without issues.  But what about putting the data in a location other than the default?  I tried this and the database manager would not start because of permissions violations.  I did a lot of research and it took a long time, but I could never find everything I needed in one place.  For a while I just turned SELinux off so I didn't have to worry about it, but in this world of security consciousness that is not a good answer.

Please remember that all the commands must be run as root.  I use sudo either on a per-command basis or using the -i option which does the same thing as su -.

First, add PGDATA & PGLOG to /etc/sysconfig/pgsql/postgresql using your favorite editor.  I use vi because I've been using it for over 20 years...  (Yes, I've been doing this for a while.)  I use the following for my database location with /db being a separate filesystem:

    PGDATA=/db/pgsql/data
    PGLOG=/db/pgsql/pgstartup.log
Now add the contexts to SELinux. The documentation says to use semanage to update the file /etc/selinux/targeted/contexts/files/file_contexts.local but does not say how to do it, so I manually edit the file. Add lines to the file with the new paths like these (I'm using the example above):
    /db/pgsql(/.*)?                  system_u:object_r:postgresql_db_t:s0
    /db/pgsql/data(/.*)?             system_u:object_r:postgresql_db_t:s0
    /db/pgsql/logfile(/.*)?          system_u:object_r:postgresql_log_t:s0
    /db/pgsql/pgstartup\.log.*       system_u:object_r:postgresql_log_t:s0
Before running the service commands below, make sure the paths exist and are owned by postgres:
    ls -ld /db/pgsql /db/pgsql/data
it should look like
    drwxr-xr-x.  3  postgres postgres  4096 Nov  6  11:29  /db/pgsql
    drwx------. 12  postgres postgres  4096 Nov  6  11:30  /db/pgsql/data
Now initialize the database
    service postgresql initdb
if it doesn't show
    Initializing database:                                  [OK]
then something has gone wrong.  If it does, start the Postgres service:
    service postgresql start
which should show
    Starting postgresql service:                            [OK]
To make PostgreSQL start up on boot, execute the following command:
    chkconfig postgresql on
The default runlevels for PostgreSQL are 2, 3, 4, and 5 which are the multi-user levels.
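Two helpers for the procedure above, added here as an example and not part of the original post: the first prints the semanage/restorecon commands that register the same file-context rules the post adds to file_contexts.local by hand (editing that file relabels nothing by itself; restorecon applies the rules), and the second checks `ls -dZ` output so a wrongly labelled PGDATA or PGLOG is caught before initdb runs. The paths assume the post's layout, and the `ls -dZ` sample lines are constructed.

```sh
#!/bin/sh
# Added example (not from the original post).  Assumes the post's layout:
# PGDATA=/db/pgsql/data and PGLOG=/db/pgsql/pgstartup.log.

PGDATA=/db/pgsql/data
PGLOG=/db/pgsql/pgstartup.log

# Escape the dots in a literal path for use inside a file-context regex.
re_escape() {
    printf '%s' "$1" | sed 's/[.]/\\./g'
}

# Print the commands that make the rules persistent and then relabel
# anything that already exists under the base directory.
pg_fcontext_cmds() {
    data=$1; log=$2; base=$(dirname "$data")
    printf 'semanage fcontext -a -t postgresql_db_t "%s(/.*)?"\n' "$(re_escape "$base")"
    printf 'semanage fcontext -a -t postgresql_db_t "%s(/.*)?"\n' "$(re_escape "$data")"
    printf 'semanage fcontext -a -t postgresql_log_t "%s.*"\n' "$(re_escape "$log")"
    printf 'restorecon -Rv "%s"\n' "$base"
}

# Extract the SELinux type from one line of `ls -dZ` output: the label is
# the field containing ":object_r:" and the type is its third component.
selinux_type() {
    printf '%s\n' "$1" | tr ' ' '\n' | grep ':object_r:' | cut -d: -f3
}

# Succeed only when the line's type equals the expected type.
label_ok() {
    [ "$(selinux_type "$1")" = "$2" ]
}

# Constructed sample of `ls -dZ /db/pgsql /db/pgsql/data /db/pgsql/pgstartup.log`
# output (CentOS 6 field layout); the log file is deliberately mislabelled.
SAMPLE='drwxr-xr-x. postgres postgres system_u:object_r:postgresql_db_t:s0 /db/pgsql
drwx------. postgres postgres system_u:object_r:postgresql_db_t:s0 /db/pgsql/data
-rw-------. postgres postgres unconfined_u:object_r:default_t:s0 /db/pgsql/pgstartup.log'

# Print every path (the last field; paths containing spaces are not handled)
# whose type is not the one the PostgreSQL policy expects for that location.
mislabeled() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        path=${line##* }
        case "$path" in
            *.log) want=postgresql_log_t ;;
            *)     want=postgresql_db_t ;;
        esac
        label_ok "$line" "$want" || printf '%s\n' "$path"
    done
}

pg_fcontext_cmds "$PGDATA" "$PGLOG"
echo "mislabelled: $(mislabeled "$SAMPLE")"
```

Run the printed semanage and restorecon lines as root, then feed the real `ls -dZ` output to mislabeled before starting the service.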

Some of the commands may behave differently on other Linux systems. I use CentOS and Fedora and they work reasonably well there.

Saturday, March 9, 2013

The move to digital only publication and Upgrading Fedora, Part III (a)

I'm taking the bus to work for the time being and it gives me time to read, so I'm catching up on my subscription to Linux Journal, which has been all digital for about 2 years.  I used to subscribe to the paper (or dead-tree) edition but when I realized I wasn't even reading it I gave up and let my subscription lapse.  Then I received an e-mail from the magazine with a link for a free copy in any (or all) of several different formats.  I don't like reading long documents in PDF format because it takes too long on my laptop and the files don't look right on my e-book reader (an Aluratek Libre eBook Reader Pro).  I also passed on some of the other formats because they were hardware specific (Kindle, etc.) but the two I noticed were Mobi and ePub.  Both were supported on my e-book reader so I downloaded the ePub and gave it a try.  I was hooked.  I pulled my credit card out of my wallet and subscribed, specifying ePub as my desired default.

Several issues later the publisher of Linux Journal, Belltown Media, Inc., announced that they were no longer going to publish the paper edition, stating cost reasons.  It didn't bother me because I had grown to like the digital edition.  Other magazines have gone to digital only publication but they only offer HTML, PDF, and proprietary formats.  I'll pass on them until they follow Belltown Media's lead in offering Mobi and ePub.  The three I would like to see in these formats are Linux User & Developer, Linux Format, and Linux Magazine (Pro).  They only offer HTML and PDF, and they are expensive because they are all UK publishers and the exchange rate makes the subscription about USD $75 per year.

As more magazine publishers look at the increased cost of paper and the demands of physical publications they are faced with the choice of switching to digital only or shutting down and laying off all their staff.  The letters to Linux Journal are many and varied.  Some readers welcome the switch, others state they will never renew their subscriptions until a print on demand option is offered.  I prefer digital because I can store more issues that way and they don't clutter up the house.  When I closed down my storage locker several years ago I dumped a lot of computer magazines in the recycle bin.  I ended up filling it five times before they were all gone.  I don't miss them because most of them have archive DVDs of all the back issues (in HTML and PDF format) so I can go back when I want...  When I shell out the $$ for the discs.  One that I can't is Byte because it went under before they could make digital copies of their issues.  But if I want to read the Chaos Manor columns I can just ask the author since he regularly attends the LASFS meetings.

-----

I'm writing this entry on my backup laptop while I back up the hard drive on my main laptop, before upgrading to Fedora 16.  Because of the issue with Qt on the older laptop I'm going to remove all the packages before starting the upgrade process.  The backup should take another couple of hours and the upgrade several more.  I'll report on the status later.

-----

Resource:

Linux Journal: http://www.linuxjournal.com
Linux User & Developer: www.linuxuser.co.uk
Linux Format: www.linuxformat.com
Linux Pro Magazine: www.linux-magazine.com
E-Book Reader: Aluratek Libre E-Book Reader Pro

Wednesday, March 6, 2013

Upgrading Fedora, Part II

The upgrade from Fedora 14 to 15 on my primary laptop was successful.  However, I do not like Gnome Shell.  The alternative, Classic Gnome with Compiz, really is the classic desktop.  It's not even close.  It's about as much like the old desktop as Hawaiian Gardens, CA is a Hawaiian garden.  Trust me, I've been there.

I decided to upgrade to Fedora 16 on the older laptop and nearly lost everything.  It's a good thing I made a backup before the upgrade.  Everything went well until it was time to install the upgraded packages.  There must have been a problem with one of the Qt library packages because it failed to install.  I restored from backup and tried again, and it failed again.  The second time I restored from backup the boot sector didn't get created correctly and grub failed to start up because it couldn't find a file.  I restored from backup again but the boot sector still had issues.  I did a Google search to find a solution and tried every one I found with no success.  I was about to give up when I remembered something from the Microsoft Windows world.  When a Windows system is horribly trashed you can re-install the OS and it will only overwrite the boot sector, system binaries, and configuration files.  But not all the configuration files.  I didn't have a Fedora 15 install disk so I had to download an ISO image on my primary laptop and burn it to disk.  I started it up on the older computer and hoped for the best.  Luckily there was an option to write a new boot sector based on the target's grub configuration.  After that finished I restarted and it worked.  I was back in business.

When the laptop rebooted I made a backup of the hard drive and then restored it to make sure it worked.  It booted up without a problem.  Now the next task was to remove all of the Qt libraries and anything that depended on them.  I really wasn't using them so it didn't matter.  When I was certain I had removed anything that would break the upgrade, I made yet another backup, this time with a different name so I could preserve the older one just in case.

The upgrade went a lot smoother this time.  It was still slow because the machine is old but it booted with no problems.  I verified that my user directory was still in place and all the files were there, since I needed this computer for an upcoming convention (Gallifrey One).  The computer worked flawlessly as the charity auction check-in system.

As a precaution, I've removed all of the Qt libraries on my main laptop so I don't have the same problem as I did before.  I never got around to doing the upgrade.  Maybe this weekend.

Friday, August 24, 2012

Upgrading Fedora

I have an older laptop that I bring to conventions when I'm a department head (Sales to Members at Anime Los Angeles; Charity Auction Check-in at Gallifrey One) and it's running an older version of Fedora Linux.  I've stayed with Fedora 14 mainly because I don't like the new desktop software that comes with Gnome 3.  Maybe I'm a traditionalist and I like my desktop icons and drop down menus.  I also like having all my applications organized by categories that are easy to find.  Office apps here, network apps there, games clustered there...  And my most used apps on the task bar so I don't have to go into the menus to launch them.  But I need to bite the bullet sooner or later so I'm going to upgrade the older laptop first as a test.

The first thing I did was to save a disk image to an external hard drive just in case something goes horribly wrong.  I used CloneZilla to do the work since it works kind of like Symantec Ghost (which doesn't support Linux as well as it used to and can't write disk images to ext2/ext3/ext4 filesystems, which are better than anything by Microsoft - IMHO).  CloneZilla is a front end for PartImage, a utility to back up disk partitions, that also saves the partition layout and then optionally compresses the partition images.  CloneZilla will also verify that the images are restorable so you don't end up with junk when you need to restore.  Unlike Ghost, CloneZilla/PartImage does not allow for single file restores, which is a shame because I liked that feature.  I guess I will have to brush off my C programming skills and try to add this feature.  It will also make it possible to do differential backups so the entire partition image need not be backed up, just the differences.

Once upon a time I created a Ghost image of a system and then made changes that needed to be rolled back.  When I found out that the changes made the system fail I just pulled out the Ghost image and started the restore...  Until Ghost found corruption in the image.  This was not good.  I had to find an older Ghost image and restore from that, followed by making the changes to the point where I started.  This was a waste of time and reminded me to ALWAYS CHECK THE BACKUP before proceeding with anything.  I also ALWAYS CHECK THE RAM before I proceed with a new or upgraded system.  Bad memory can bring a system down.  I've encountered that before, too.

I digress.  After backing up the hard drive I switched to root and installed the utility to upgrade the software, called preupgrade.  The command looks like:

yum install preupgrade

and it takes a few minutes to download depending on the speed of the connection and what other software is installed.  Since I had my other laptop (see my first post for details) running and accessing the 'net on my now slower connection (money is tight, something has to give) what should have been a 2 minute download took about 5 minutes.  When preupgrade was installed I decided that now was the time.  I ran the utility and selected to go up one version only (from Fedora 14 to 15) to be safe.  I've heard horror stories of people trying to go up by 3 or more versions, only to have the system rendered unusable.  Even though I had a backup, I'm a tad shy about some things.  I let this run while I was doing work in the yard (weeds getting taller than my dog, a toy poodle) and continued while I was on a phone interview.  The longest step was the download of the new packages because there is a lot changing.  When the download was complete the utility moved to the last steps that set the next boot to install everything that was just downloaded.

Time was running out.  I had to get a shower (remember, outside in the yard with weeds and HEAT) and change clothes before driving over to the school to pick up my stepson.  I clicked on reboot and it was off.  I had a little moment of panic when nothing happened on the screen but there was a flurry of activity on the hard drive.  Then the screen came up that showed the new packages being installed.  When I walked out it was about 90% complete.  It should be done by now but I won't know until I'm home.  I really doubt that anything horrible happened to the upgrade process, unless the hardware fails...

(Later)  No hardware failures!  The install completed and the system automatically rebooted.  When I logged in I did receive a message that my graphics hardware does not support the new desktop effects.  No big loss.  I started the process to go to the next version (Fedora 16) and it should be done by the time I get home from the PTA meeting and then LASFS.

Once I am done with the final upgrade I will see just how much I need to adjust to the new look and feel before making the decision to upgrade my main laptop.
-----
Resources:

Fedora Linux: http://fedoraproject.org
Gnome Desktop environment: http://www.gnome.org
Laptop: Toshiba Satellite
CloneZilla: clonezilla.org
PartImage: www.partimage.org
-
toy poodle: http://en.wikipedia.org/wiki/Poodle
Bret Harte Elementary PTA: http://www.brethartepta.com/
Los Angeles Science Fantasy Society: www.lasfs.org

Thursday, July 12, 2012

Fun with SELinux and Apache

I was so proud of myself getting UserDir to work in Apache.  I thought I was set.  But when I tried to log into my account on my web server I got an error message saying it could not find my user directory so it was dropping me in /.  This was not good.  I let it go for a little while since this was a learning platform and not a production system.  But today I decided to find out why this was happening.

I looked at the file name (remember that in Unix/Linux everything is a file) and it was okay.  I checked the permissions on the file and they were okay.  Then I looked at the SELinux settings

ls -dZ ~

and what I saw was

drwx--x--x.  <username> <groupname> unconfirmed_t:object_r:httpd_sys_content_t:s0  /home/<username>

which was how the instructions I read said they should be.  On another VM I ran the same command and saw user_home_dir_t instead of httpd_sys_content_t, and I had no problems with the home directory there, so I changed the context back on the web server VM

chcon -t user_home_dir_t  ~

and then I logged out and back in.  Hurrah!  I was in my home directory again.  I wanted to verify the web server was still able to access my test PHP scripts in ~/public_html directory.  Not a chance.  The dreaded 403 Forbidden message was displayed.  Now what do I do?

I did a Google search to see if I could set two context types in SELinux but I couldn't find anything that indicated I could.  The tool chcon has an option for a range of contexts but I couldn't find an example of how it worked.  My next option was to try the end user forum for the Linux distro I'm using for my test server.  Since I didn't have an account at CentOS I created one.  Why not?  It's always nice to have ready access to information.

A search of the CentOS forums showed an option that I didn't see, or glossed over, the first time I tried setting up UserDir.  So I typed the command

setsebool -P httpd_enable_home_dirs 1

and tried to access the web server again.  Success!  Now I can have my cake (UserDir access on my web server) and eat it too (access to my home dir in my web server).

Lesson learned: read all the documentation.

Monday, July 2, 2012

On shedding weight

Something that all geeks/nerds/etc. need to be aware of is weight.  I mean that excess fat on the body that makes one look, well, fat.  Being lonely, unwanted, too <whatever> to care is not an excuse.  The biggest problem in science fiction fandom, geekdom, etc., other than social ineptitude, is being obese or morbidly obese which leads to Type 2 Diabetes.  I know this because I was diagnosed last year and it caused me to mildly panic.  Fortunately I had helpful guidance in shedding weight (115 pounds so far) and being able to keep it off.  I say shedding instead of losing because something that is lost can be found.

I found that the quickest way to shed weight is to stop eating "recreational sugar" products.  This includes, but is not limited to: candy bars, ice cream, sugary soda (I drink diet soda so I'm not exactly cheating), cake, cookies (which I like to bake so now I have to find sugar free alternatives), and other sweet goodness.  It's okay to eat apples, sweet corn, etc. because the sugar is natural and not added, but in moderation.  Everything is in moderation.  I gave up eating small pizzas by myself, even though I *love* pizza.

Exercise also helps.  Just don't overdo it.  Start slow and work your way up.  Pick a time when you feel comfortable doing it.  I walk two miles in the morning three times a week, and add in other walks when I can.  I have a small dog that I take for a walk in the evening.

Back to Diabetes.  This can be a killer.  A friend did not have his diabetes diagnosed and continued to live an unhealthy lifestyle.  He was supposed to go to a New Years party some years ago but never showed up.  He just disappeared off the fannish radar.  Since this was before Twitter and Facebook became ubiquitous parts of everyday life no one thought twice about his silence until it lasted too long.  Several mutual friends went to his apartment to check on him and found an unpleasant surprise.  He was a groomsman at my wedding; I was a pallbearer at his funeral.  I don't like this kind of symmetry.

Please, please, please take care if you are over-weight.

Friday, June 29, 2012

First post! Configuring Apache 2 for use with user directories (UserDir)

Several people have mentioned that I need to have a blog to enhance my online technical presence, or something like that.  So here goes...

I'm teaching myself how to set up and use a LAMP (Linux/Apache/MySQL/PHP) stack.  I've already learned a little PHP but I wanted to try my hand at making a sub-directory of a user's home directory available as a place to access web pages (and PHP code).  After setting up Apache in a virtual machine (VM) running on my laptop (VirtualBox running on Fedora 14), I took a look at the configuration file to see how to do this.  The instructions were clear about how to do all this.  So after I created the directory public_html and changed the permissions of everything from my home directory down to my test file, I restarted Apache and put the URL for the test page into my browser...  And got the dreaded 403 Forbidden message.  I'd seen this before but had never solved it in the past.  This time I did a Google search (and I really use Google!) on the error and found that the problem may be with Security-Enhanced Linux (SELinux).  The first thing that the helpful site suggested was to turn off SELinux and try again.  With SELinux off it showed me the test page, which was a little three line PHP script:

<?php
echo "Hello Web!";
?>

So now I know that I was being blocked by SELinux.  I turned SELinux back on and took another look at the website where I found the suggestion to see what I had to do next.  It mentioned the chcon (change context) command to set the correct context for the file, and the directories involved.  The issue was the file type needed to be httpd_sys_content_t for my home directory, content directory (public_html), and the content files.  The command was something like:

chcon -t httpd_sys_content_t <filename>

After making this change I restarted Apache again, just to be sure, and tried the URL one more time.  Success!  I now had a functioning web server on a "remote" machine (remember that it is running in a VM) that allowed me to put the content for users in their home directories.

The only part of this that concerns me is that the user's home directory (i.e. /home/<username>) has to have the SELinux file type mentioned above if the content is accessible to others.  If some other application needs the home directory to have a specific file type, can more than one be applied to the directory?  That's a Google search for another time.
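An SELinux file carries exactly one type, which is why the "Fun with SELinux and Apache" entry above ends up keeping the home directory as user_home_dir_t and turning on the httpd_enable_home_dirs boolean instead of relabelling it. The audit below, an added example rather than code from either post, checks those conditions against `ls -dZ` and `getsebool` output; the sample lines are constructed and the user name alice is a placeholder.

```sh
#!/bin/sh
# Added example (not from the original posts).  Audits the SELinux state
# both UserDir entries arrive at: the home directory must stay
# user_home_dir_t (relabelling it httpd_sys_content_t broke the login),
# public_html must carry a type httpd may read, and the
# httpd_enable_home_dirs boolean must be on (otherwise 403 Forbidden).

# Extract the SELinux type from one `ls -dZ` line: the label is the field
# containing ":object_r:" and the type is its third component.
selinux_type() {
    printf '%s\n' "$1" | tr ' ' '\n' | grep ':object_r:' | cut -d: -f3
}

# Succeed when a `getsebool NAME` output line reports the boolean as on.
bool_on() {
    case "$1" in
        *" --> on") return 0 ;;
        *)          return 1 ;;
    esac
}

# Audit one user.  $1 = `ls -dZ ~` line, $2 = `ls -dZ ~/public_html` line,
# $3 = `getsebool httpd_enable_home_dirs` line.  Prints one finding per
# problem and returns the number of problems (0 means login and UserDir
# should both work).
userdir_audit() {
    problems=0
    home_t=$(selinux_type "$1")
    if [ "$home_t" != user_home_dir_t ]; then
        echo "home dir is $home_t, expected user_home_dir_t (login lands in /)"
        problems=$((problems + 1))
    fi
    pub_t=$(selinux_type "$2")
    case "$pub_t" in
        httpd_sys_content_t|httpd_user_content_t) ;;
        *) echo "public_html is $pub_t, not a type httpd may read"
           problems=$((problems + 1)) ;;
    esac
    if ! bool_on "$3"; then
        echo "httpd_enable_home_dirs is off: setsebool -P httpd_enable_home_dirs 1"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Constructed samples (placeholder user alice).
HOME_BAD='drwx--x--x. alice alice unconfined_u:object_r:httpd_sys_content_t:s0 /home/alice'
HOME_OK='drwx--x--x. alice alice unconfined_u:object_r:user_home_dir_t:s0 /home/alice'
PUB_OK='drwxr-xr-x. alice alice unconfined_u:object_r:httpd_sys_content_t:s0 /home/alice/public_html'
BOOL_OFF='httpd_enable_home_dirs --> off'
BOOL_ON='httpd_enable_home_dirs --> on'

echo "-- state after the first post (home dir relabelled, boolean off):"
userdir_audit "$HOME_BAD" "$PUB_OK" "$BOOL_OFF" || echo "problems: $?"
echo "-- state after the fix:"
userdir_audit "$HOME_OK" "$PUB_OK" "$BOOL_ON" && echo "ok: login and UserDir both work"
```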

My lessons continue.  I'm slowly approaching the part of the book (see info below) that describes how to access a database from a web page.  After I finish learning from this book, I will try these scripts again but accessing a PostgreSQL database instead.  And then I will try Perl instead of PHP.

For completeness, here is the hardware and software I'm using to do all of this:

Laptop: Toshiba Satellite E205-S1904
Host OS: Fedora 14
Virtualization software: Oracle VirtualBox
Guest OS: CentOS 6.2
Web Server: Apache 2
Book: Sams Teach Yourself PHP, MySQL and Apache All in One (3rd Edition)

Coming soon: Setting up a DNS server (in a VM); Installing Puppet Master on an unsupported system; Learning how to manage a consulting business; and much more!