Bug 139895
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | httpd cannot connect to postgresql database using sockets | | |
| Product: | [Fedora] Fedora | Reporter: | Johannes Schmid <schmid> |
| Component: | selinux-policy-targeted | Assignee: | Daniel Walsh <dwalsh> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 3 | | |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | i386 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | RHBA-2005-251 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2005-04-11 21:50:55 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Johannes Schmid
2004-11-18 17:56:03 UTC
Try

```
rpm -q -l postgresql | restorecon -R -n -f -
service postgresql restart
service httpd restart
```

Although I totally forgot to do that (shame on me), it has no effect. I still get the exact same error. I additionally tried a `restorecon -R /tmp` (as that's where the socket is located, just to make sure). Still the same error.

Can you show me `ls -lZ /usr/bin/postgres` and `ps -eZ | grep postgres`?

My mistake, I just tried this on FC3 with 2.31 and it seems to work.

```
rpm -q -l postgresql-server | restorecon -R -n -f -
service postgresql restart
service httpd restart
```

I just tried to do the same, but it still does not work. Still getting

```
avc: denied { connectto } for pid=2995 exe=/usr/sbin/httpd path=/tmp/.s.PGSQL.5432 scontext=root:system_r:httpd_t tcontext=root:system_r:unconfined_t tclass=unix_stream_socket
```

after doing

```
rpm -q -l postgresql-server | restorecon -R -n -f -
service postgresql restart
service httpd restart
# ls -lZ /usr/bin/postgres
-rwxr-xr-x  root root system_u:object_r:bin_t /usr/bin/postgres
# ps aeZ | grep postgres
root:system_r:unconfined_t 2966 pts/0 S 0:00 /usr/bin/postmaster -p 5432 -D /var/lib/pgsql/data
[...]
root:system_r:unconfined_t 2968 pts/0 S 0:00 postgres: stats buffer process
root:system_r:unconfined_t 2969 pts/0 S 0:00 postgres: stats collector process
root:system_r:unconfined_t 3005 pts/0 S 0:00 postgres: apache test 127.0.0.1 idle
```

I hope this helps :)

That makes no sense. If you have selinux-policy-targeted-1.17.30-2.31 installed, /usr/bin/postgres should be system_u:object_r:postgresql_exec_t. Do you have selinux-policy-targeted-sources-1.17.30-2.31 installed? If so, could you do a

```
make -C /etc/selinux/targeted/src/policy load
```

Then try the restorecon stuff?

```
# rpm -q selinux-policy-targeted
selinux-policy-targeted-1.17.30-2.31
# rpm -i selinux-policy-targeted-sources-1.17.30-2.31.noarch.rpm
```

happened during RPM install (afaik), but I did it anyway:

```
# make -C /etc/selinux/targeted/src/policy load
[...]
# rpm -q -l postgresql-server | restorecon -R -n -f -
# service postgresql restart
# service httpd restart
# ls -lZ /usr/bin/postgres
-rwxr-xr-x  root root system_u:object_r:bin_t /usr/bin/postgres
```

--> and, of course, it did not work :-)

Now, what I did is this: instead of `restorecon -R -n`, I tried

```
# rpm -q -l postgresql-server | restorecon -R -f -
# ls -lZ /usr/bin/postgres
-rwxr-xr-x  root root system_u:object_r:postgresql_exec_t /usr/bin/postgres
```

and this did seem to work! Just to be on the safe side, I also did:

```
# rpm -q -l php | restorecon -R -f -
# rpm -q -l php-pgsql | restorecon -R -f -
# rpm -q -l postgresql | restorecon -R -f -
# rpm -q -l httpd | restorecon -R -f -
```

Now it seems to work a little bit better. Instead of the denied "connectto" I get an

```
avc: denied { write } for pid=3091 exe=/usr/sbin/httpd name=.s.PGSQL.5432 dev=hda3 ino=22635 scontext=root:system_r:httpd_t tcontext=root:object_r:postgresql_tmp_t tclass=sock_file
```

I am sorry, I am such an idiot, restorecon -n tells it not to make the change. I should have typed restorecon -v. Could you do a `setenforce 0` and try to access the database?

Dan

Sorry, unfortunately I'm in GMT+1 (Germany) and my FC3 installation is in the office (and I already left the office). So I can't test it right now, but it'll be the first thing I'll do Monday morning.

I just had a chance to try it, so here's the result: using setenforce 0 (of course) leads to a successful connect to the postgresql database.

Here are the selinux messages that were spit out during that process:

```
avc: denied { write } for pid=2821 exe=/usr/sbin/httpd name=.s.PGSQL.5432 dev=hda3 ino=22635 scontext=root:system_r:httpd_t tcontext=root:object_r:postgresql_tmp_t tclass=sock_file
avc: denied { connectto } for pid=2821 exe=/usr/sbin/httpd path=/tmp/.s.PGSQL.5432 scontext=root:system_r:httpd_t tcontext=root:system_r:postgresql_t tclass=unix_stream_socket
```

I'm an absolute newbie to this selinux stuff, but after changing line 297 of your apache.te from

```
allow httpd_t tmp_t:sock_file rw_file_perms;
```

to

```
allow httpd_t postgresql_tmp_t:sock_file rw_file_perms;
```

at least the first message disappeared again ("denied { write }"). I guess that there should be somewhere an assignment that says that postgresql_tmp_t is of type tmp_t. When I also add the following line, everything works fine:

```
allow httpd_t postgresql_t:unix_stream_socket { connectto };
```

Hope this helps.

Fixed in policy-1.19.4-1

Confirmed fixed in (at least) selinux-policy-targeted-1.17.30-2.60

An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2005-251.html
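The two AVC denials quoted in this report map mechanically onto the two allow rules the reporter ended up adding: source type from `scontext`, target type from `tcontext`, object class from `tclass`, and the permission from the braces. As an added example (not part of the bug report or of the Fedora policy sources), the Python below parses AVC lines and aggregates them into allow rules, a simplified version of what `audit2allow` does; the sample input is the two denials from this report, embedded as a constructed string.

```python
import re
from collections import defaultdict

# Constructed sample input: the two AVC denials quoted in this bug report.
SAMPLE_AVC = """\
avc: denied { write } for pid=2821 exe=/usr/sbin/httpd name=.s.PGSQL.5432 dev=hda3 ino=22635 scontext=root:system_r:httpd_t tcontext=root:object_r:postgresql_tmp_t tclass=sock_file
avc: denied { connectto } for pid=2821 exe=/usr/sbin/httpd path=/tmp/.s.PGSQL.5432 scontext=root:system_r:httpd_t tcontext=root:system_r:postgresql_t tclass=unix_stream_socket
"""

# Permissions are inside the braces; everything after "for" is key=value fields.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")


def parse_avc(line):
    """Return (permissions, fields) for one AVC denial line, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    perms = m.group("perms").split()
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    return perms, fields


def type_of(context):
    """Return the type component (user:role:type) of a security context."""
    return context.split(":")[2]


def allow_rules(text):
    """Aggregate denials into one allow rule per (source type, target type, class)."""
    needed = defaultdict(set)
    for line in text.splitlines():
        parsed = parse_avc(line)
        if parsed is None:
            continue
        perms, f = parsed
        key = (type_of(f["scontext"]), type_of(f["tcontext"]), f["tclass"])
        needed[key].update(perms)
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in sorted(needed.items())
    ]


if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_AVC):
        print(rule)
```

The generated `connectto` rule is exactly the line the reporter added to apache.te; the `write` rule is narrower than the `rw_file_perms` macro used there, which is the usual reason to review generated rules against the policy's existing macros before loading them.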