Bug 160975
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | phpPgAdmin cannot connect to postgres | | |
| Product: | [Fedora] Fedora | Reporter: | Gérard Milmeister <gemi> |
| Component: | selinux-policy-targeted | Assignee: | Daniel Walsh <dwalsh> |
| Status: | CLOSED NOTABUG | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 4 | CC: | arequipeno, tgl |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | i386 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2005-06-29 15:05:45 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Gérard Milmeister
2005-06-19 12:12:37 UTC
This is certainly a httpd - postgres conflict, since the Postgres module in Webmin doesn't work correctly either.

What Postgres authorization method are you using, and is the connection being done through a Unix socket or over loopback IP? There is a report at bug #161383 that SELinux interferes with IDENT checking, but there is not enough information here for me to guess if it's the same issue.

Here are the lines from pg_hba.conf:

```
# "local" is for Unix domain socket connections only
local   all   all                    ident sameuser
# IPv4 local connections:
host    all   all   127.0.0.1/32     md5
host    all   all   192.168.0.1/32   md5
# IPv6 local connections:
host    all   all   ::1/128          ident sameuser
```

and here the configuration from phppgadmin:

```php
// Display name for the server on the login screen
$conf['servers'][0]['desc'] = 'PostgreSQL';
// Hostname or IP address for server. Use '' for UNIX domain socket.
$conf['servers'][0]['host'] = '192.168.0.1';
// Database port on server (5432 is the PostgreSQL default)
$conf['servers'][0]['port'] = 5432;
```

This would mean that connection is through 192.168.0.1, not the unix domain socket. The message from selinux is:

```
Jun 23 20:49:50 scriabin kernel: audit(1119552590.703:4): avc: denied { name_connect } for pid=3260 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:postgresql_port_t tclass=tcp_socket
```

Note that I am able to log on to postgres using a password with:

```
psql -h 192.168.0.1
```

That configuration will cause any request from 192.168.0.1 to use password authentication. (Keep in mind that PostgreSQL attempts to use the first authentication method that matches the request. If that fails, the connection is refused; PostgreSQL does not "fall back" to another method.) I'm no expert on SELinux, but it looks to me like the httpd process is being blocked from even opening a socket to the postmaster. I don't think that PostgreSQL ever even sees the connection attempt. If I'm correct, this is not a duplicate of #161383.
I agree, it is not a dup given that kernel log message. I am recategorizing this as a SELinux policy bug --- Dan can bounce it back if he thinks differently.

set the boolean

```
setsebool -P httpd_can_network_connect=1
```

Ok, that does it. There is even an option in system-config-securitylevel. I only wish this had been more obvious :-(

man httpd_selinux mentions it. I am not sure where we could make it easier to discover. Sorry,
Dan

Set "Allow HTTPD scripts to connect to the network" in system-config-securitylevel and all is well now (selinux-policy-targeted-1.23.18-16). Shouldn't this be closed NOTABUG?

(In reply to comment #8)
> man httpd_selinux mentions it. I am not sure where we could make it easier to
> discover.

Dan,
In order to consult the manpage, one must first know that it exists. I think things like these should make it into the release notes. It is very common for LAMP applications to connect to the network. I have used Linux since 1993 and I am not that inexperienced; a bug report like this shows that there is some difficulty here, doesn't it?

Yes, SELinux is a different kind of technology, in that it does not allow all operations of a product to easily work. There is information in the Release Notes about SELinux, but it could probably be documented better.
Dan
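Added example, not from the bug report or from Fedora's tooling: a small POSIX sh helper that parses an AVC denial of the kind quoted in this thread and names the boolean that governs it, so an administrator can tell from the log alone that the connection was blocked before PostgreSQL saw it. The sample line is constructed to match the one in the report; the boolean name is the one the thread uses.

```shell
#!/bin/sh
# Classify an SELinux AVC denial and report the boolean that would permit it.
# Assumes the kernel/audit log format shown in the report. Nothing here
# changes policy; it only reads a log line.

# Sample AVC line, constructed from the one quoted in the bug.
SAMPLE_AVC='Jun 23 20:49:50 scriabin kernel: audit(1119552590.703:4): avc: denied { name_connect } for pid=3260 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:postgresql_port_t tclass=tcp_socket'

# avc_field LINE KEY -> value of "KEY=value" in LINE (quotes stripped, empty if absent)
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p" | tr -d '"'
}

# avc_permission LINE -> the permission named inside "denied { ... }"
avc_permission() {
    printf '%s\n' "$1" | sed -n 's/.*denied {[[:space:]]*\([^} ]*\)[[:space:]]*}.*/\1/p'
}

# classify_avc LINE -> prints the boolean covering this denial, or "unknown"
# (with exit status 1) when the line is not httpd_t opening an outbound TCP
# connection, which is the only case this helper knows about.
classify_avc() {
    line=$1
    perm=$(avc_permission "$line")
    src=$(avc_field "$line" scontext)
    cls=$(avc_field "$line" tclass)
    case "$src" in
        *:httpd_t) ;;
        *) echo unknown; return 1 ;;
    esac
    if [ "$perm" = name_connect ] && [ "$cls" = tcp_socket ]; then
        # httpd_t -> <port type> name_connect on a tcp_socket is exactly what
        # httpd_can_network_connect toggles; dest= tells you the port involved.
        echo httpd_can_network_connect
        return 0
    fi
    echo unknown
    return 1
}

# remediation_for BOOLEAN -> the persistent setsebool command from the thread
remediation_for() {
    printf 'setsebool -P %s=1\n' "$1"
}

classify_avc "$SAMPLE_AVC"          # prints httpd_can_network_connect
```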