Bug 139895

Summary: httpd cannot connect to postgresql database using sockets
Product: [Fedora] Fedora
Reporter: Johannes Schmid <schmid>
Component: selinux-policy-targeted
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: 3
Hardware: i386
OS: Linux
Fixed In Version: RHBA-2005-251
Doc Type: Bug Fix
Last Closed: 2005-04-11 21:50:55 UTC

Description Johannes Schmid 2004-11-18 17:56:03 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.3)
Gecko/20040910

Description of problem:
When using PHP and using the pg_pconnect function to connect to a
PostgreSQL database without specifying a host (thus using a socket for
the connection), the current selinux targeted policy denies access to
this socket.

I tested both the policy that comes with FC3 and the latest version I
downloaded from ftp://people.redhat.com/dwalsh/SELinux/FC3

The audit message I get is:
avc:  denied  { connectto } for  pid=2244 exe=/usr/sbin/httpd
path=/tmp/.s.PGSQL.5432 scontext=user_u:system_r:httpd_t
tcontext=user_u:system_r:unconfined_t tclass=unix_stream_socket


The PHP script used for testing is:
<?php
pg_pconnect('dbname=test');
?>


Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.17.30-2.31

How reproducible:
Always

Steps to Reproduce:
1. create a postgresql database test
2. execute above php script

Actual Results:  access to database is denied; PHP error message is:
pg_pconnect(): Unable to connect to PostgreSQL server: could not
connect to server: Is the server running locally and accepting
connections on Unix domain socket "/tmp/.s.PGSQL.5432"?

Expected Results:  a successful connection to postgresql server

Comment 1 Daniel Walsh 2004-11-18 18:28:08 UTC
Try rpm -q -l postgresql | restorecon -R -n -f -
service postgresql restart
service httpd restart


Comment 2 Johannes Schmid 2004-11-18 18:40:03 UTC
Although I totally forgot to do that (shame on me), it has no effect.

I still get the exact same error.

I additionally tried an
  restorecon -R /tmp
(as that's where the socket is located, just to make sure). Still the
same error.

Comment 3 Daniel Walsh 2004-11-18 18:54:43 UTC
Can you show me 

ls -lZ /usr/bin/postgres

and

ps -eZ | grep postgres



Comment 4 Daniel Walsh 2004-11-18 19:41:11 UTC
My mistake, I just tried this on FC3 with 2.31 and it seems to work.

rpm -q -l postgresql-server | restorecon -R -n -f -
service postgresql restart
service httpd restart



Comment 5 Johannes Schmid 2004-11-19 10:14:46 UTC
I just tried to do the same, but it still does not work. Still getting

avc: denied { connectto } for  pid=2995 exe=/usr/sbin/httpd
path=/tmp/.s.PGSQL.5432 scontext=root:system_r:httpd_t
tcontext=root:system_r:unconfined_t tclass=unix_stream_socket

after doing

rpm -q -l postgresql-server | restorecon -R -n -f -
service postgresql restart
service httpd restart

# ls -lZ /usr/bin/postgres
-rwxr-xr-x  root   root   system_u:object_r:bin_t    /usr/bin/postgres


# ps aeZ |grep postgres
root:system_r:unconfined_t       2966 pts/0    S      0:00
   /usr/bin/postmaster -p 5432 -D /var/lib/pgsql/data [...]
root:system_r:unconfined_t       2968 pts/0    S      0:00
   postgres: stats buffer process
root:system_r:unconfined_t       2969 pts/0    S      0:00
   postgres: stats collector process
root:system_r:unconfined_t       3005 pts/0    S      0:00
   postgres: apache test 127.0.0.1 idle


I hope this helps :)

Comment 6 Daniel Walsh 2004-11-19 14:17:34 UTC
That makes no sense.

If you have selinux-policy-targeted-1.17.30-2.31 installed

/usr/bin/postgres should be system_u:object_r:postgresql_exec_t

Do you have selinux-policy-targeted-sources-1.17.30-2.31 installed?

If so could you do a 

make -C /etc/selinux/targeted/src/policy load

Then try the restorecon stuff?



Comment 7 Johannes Schmid 2004-11-19 16:22:37 UTC
# rpm -q selinux-policy-targeted
selinux-policy-targeted-1.17.30-2.31

# rpm -i selinux-policy-targeted-sources-1.17.30-2.31.noarch.rpm

happened during RPM install (afaik), but I did it anyway:
# make -C /etc/selinux/targeted/src/policy load
[...]

# rpm -q -l postgresql-server | restorecon -R -n -f -
# service postgresql restart
# service httpd restart

# ls -lZ /usr/bin/postgres
-rwxr-xr-x  root   root   system_u:object_r:bin_t   /usr/bin/postgres

--> and, of course, it did not work :-)

Now, what I did is this: instead of restorecon -R -n, I tried
# rpm -q -l postgresql-server | restorecon -R -f -
# ls -lZ /usr/bin/postgres
-rwxr-xr-x  root     root     system_u:object_r:postgresql_exec_t
/usr/bin/postgres

and this did seem to work!

Just to be on the safe side, I also did:
# rpm -q -l php | restorecon -R -f -
# rpm -q -l php-pgsql | restorecon -R -f -
# rpm -q -l postgresql | restorecon -R -f -
# rpm -q -l httpd | restorecon -R -f -


Now it seems to work a little bit better. Instead of the denied
"connectto" I get an

avc:  denied  { write } for  pid=3091 exe=/usr/sbin/httpd
name=.s.PGSQL.5432 dev=hda3 ino=22635 scontext=root:system_r:httpd_t
tcontext=root:object_r:postgresql_tmp_t tclass=sock_file



Comment 8 Daniel Walsh 2004-11-19 16:43:43 UTC
I am sorry, I am such an idiot, restorecon -n tells it not to make the
change.  I should have typed 
restorecon -v.

Could you do a setenforce 0 and try to access the database.

Dan

Comment 9 Johannes Schmid 2004-11-19 20:33:14 UTC
Sorry, unfortunately I'm in GMT+1 (Germany) and my FC3 installation is
in the office (and I already left the office). So I can't test it right
now but it'll be the first thing I'll do Monday morning.

Comment 10 Johannes Schmid 2004-11-20 20:50:07 UTC
I just had a chance to try it, so here's the result:

Using setenforce 0 (of course) leads to a successful connect to the
postgresql database.

Here are the selinux messages that were spit out during that process:
avc:  denied  { write } for  pid=2821 exe=/usr/sbin/httpd
name=.s.PGSQL.5432 dev=hda3 ino=22635 scontext=root:system_r:httpd_t
tcontext=root:object_r:postgresql_tmp_t tclass=sock_file
avc:  denied  { connectto } for  pid=2821 exe=/usr/sbin/httpd
path=/tmp/.s.PGSQL.5432 scontext=root:system_r:httpd_t
tcontext=root:system_r:postgresql_t tclass=unix_stream_socket


I'm an absolute newbie to this selinux stuff, but after changing line
297 of your apache.te from
allow httpd_t tmp_t:sock_file rw_file_perms;
to
allow httpd_t postgresql_tmp_t:sock_file rw_file_perms;
at least the first message disappeared again ("denied { write }").

I guess that there should be somewhere an assignment that says that
postgresql_tmp_t is of type tmp_t.

When I also add the following line, everything works fine:
allow httpd_t postgresql_t:unix_stream_socket { connectto };


Hope this helps.
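The two kinds of denial seen in this thread (a target of unconfined_t that went away after relabeling, and the sock_file/unix_stream_socket denials that needed real allow rules) can be told apart mechanically from the AVC text. The following is an added example, not code from the reporter or from the selinux-policy package; it parses AVC lines like the ones quoted above (the sample input is constructed from comments 5 and 10) and only proposes an allow rule when the target domain is not unconfined_t, since a daemon running unconfined is a labeling problem to fix with restorecon, not a policy gap.

```python
import re

# Constructed sample: comment 5's denial (postmaster still unconfined_t)
# plus the two denials from comment 10 after /usr/bin/postgres was relabeled.
SAMPLE_AVC = """\
avc:  denied  { connectto } for  pid=2995 exe=/usr/sbin/httpd path=/tmp/.s.PGSQL.5432 scontext=root:system_r:httpd_t tcontext=root:system_r:unconfined_t tclass=unix_stream_socket
avc:  denied  { write } for  pid=2821 exe=/usr/sbin/httpd name=.s.PGSQL.5432 dev=hda3 ino=22635 scontext=root:system_r:httpd_t tcontext=root:object_r:postgresql_tmp_t tclass=sock_file
avc:  denied  { connectto } for  pid=2821 exe=/usr/sbin/httpd path=/tmp/.s.PGSQL.5432 scontext=root:system_r:httpd_t tcontext=root:system_r:postgresql_t tclass=unix_stream_socket
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def type_of(context):
    """user:role:type[:level] -> type (the third field)."""
    return context.split(":")[2]


def parse_avc(text):
    """Return one (perms, source type, target type, class) tuple per denial."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        perms = frozenset(m.group("perms").split())
        denials.append((perms, type_of(m.group("scontext")),
                        type_of(m.group("tcontext")), m.group("tclass")))
    return denials


def classify(denials):
    """Split denials into 'relabel' cases (target is unconfined_t, so the
    daemon is mislabeled) and candidate allow rules for genuine policy gaps."""
    relabel, rules = [], {}
    for perms, src, tgt, cls in denials:
        if tgt == "unconfined_t":
            relabel.append((src, cls))
            continue
        rules.setdefault((src, tgt, cls), set()).update(perms)
    allow = ["allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
             for (s, t, c), p in sorted(rules.items())]
    return relabel, allow


if __name__ == "__main__":
    relabel, allow = classify(parse_avc(SAMPLE_AVC))
    print("relabel first:", relabel)
    print("\n".join(allow))
```

The two allow rules it derives from the comment 10 denials are exactly the ones the reporter added by hand to apache.te.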


Comment 11 Daniel Walsh 2004-11-21 04:17:43 UTC
Fixed in policy-1.19.4-1


Comment 12 Phil Anderson 2004-12-23 13:06:39 UTC
Confirmed fixed in (at least) selinux-policy-targeted-1.17.30-2.60

Comment 13 Tim Powers 2005-06-09 13:05:53 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2005-251.html