Bug 160975

Summary: phpPgAdmin cannot connect to postgres
Product: Fedora
Reporter: Gérard Milmeister <gemi>
Component: selinux-policy-targeted
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Version: 4
CC: arequipeno, tgl
Hardware: i386
OS: Linux
Doc Type: Bug Fix
Last Closed: 2005-06-29 15:05:45 UTC

Description Gérard Milmeister 2005-06-19 12:12:37 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050513 Galeon/1.3.21

Description of problem:
If SELinux is set to enforce, phpPgAdmin (PHP, httpd) cannot connect to Postgres. As soon as enforce is set to false, it works without problems.

Version-Release number of selected component (if applicable):
postgresql-8.0.3-1

How reproducible:
Always

Steps to Reproduce:
 

Additional info:

Comment 1 Gérard Milmeister 2005-06-19 13:26:32 UTC
This is certainly a httpd - postgres conflict, since the Postgres module in
Webmin doesn't work correctly either.

Comment 2 Tom Lane 2005-06-23 18:21:26 UTC
What Postgres authorization method are you using, and is the connection being
done through a Unix socket or over loopback IP?

There is a report at bug #161383 that SELinux interferes with IDENT checking,
but there is not enough information here for me to guess if it's the same issue.

Comment 3 Gérard Milmeister 2005-06-23 18:53:27 UTC
Here are the lines from pg_hba.conf:
# "local" is for Unix domain socket connections only
local   all         all                               ident sameuser
# IPv4 local connections:
host    all         all         127.0.0.1/32          md5
host    all         all         192.168.0.1/32        md5
# IPv6 local connections:
host    all         all         ::1/128               ident sameuser

and here the configuration from phppgadmin:
// Display name for the server on the login screen
$conf['servers'][0]['desc'] = 'PostgreSQL';

// Hostname or IP address for server.  Use '' for UNIX domain socket.
$conf['servers'][0]['host'] = '192.168.0.1';

// Database port on server (5432 is the PostgreSQL default)
$conf['servers'][0]['port'] = 5432;

This would mean that the connection is through 192.168.0.1, not the Unix domain socket.

The message from selinux is:
Jun 23 20:49:50 scriabin kernel: audit(1119552590.703:4): avc:  denied  { name_connect } for  pid=3260 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:postgresql_port_t tclass=tcp_socket

Note that I am able to log on to postgres using a password with:
psql -h 192.168.0.1


Comment 4 Ian Pilcher 2005-06-23 19:32:59 UTC
That configuration will cause any request from 192.168.0.1 to use password
authentication.  (Keep in mind that PostgreSQL attempts to use the first
authentication method that matches the request.  If that fails, the connection
is refused; PostgreSQL does not "fall back" to another method.)

I'm no expert on SELinux, but it looks to me like the httpd process is being
blocked from even opening a socket to the postmaster.  I don't think that
PostgreSQL ever even sees the connection attempt.

If I'm correct, this is not a duplicate of #161383.

Comment 5 Tom Lane 2005-06-23 19:37:07 UTC
I agree, it is not a dup given that kernel log message.  I am recategorizing
this as a SELinux policy bug --- Dan can bounce it back if he thinks
differently.

Comment 6 Daniel Walsh 2005-06-26 11:35:46 UTC
set the boolean 

setsebool -P httpd_can_network_connect=1

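The denial in comment 3 and the boolean in comment 6 are linked by a lookup that the reporter had to do by hand: read the source domain, target type, object class and permission out of the AVC line, then find the boolean that grants that access. The script below is an added example for this page, not code from the report or from the selinux-policy package. It parses the AVC line quoted in comment 3 (joined onto one line) plus two constructed samples, and its mapping table is an assumption that covers only the httpd name_connect case discussed here. It lists httpd_can_network_connect_db first because later policy versions provide that narrower boolean for database ports, whereas httpd_can_network_connect from comment 6 lets httpd_t connect to any TCP port.

```shell
#!/bin/sh
# Added example, not part of the bug report: parse an AVC denial like the one
# in comment 3 and map it to the SELinux boolean(s) that would permit it.
# AVC_SAMPLE is the denial quoted in comment 3, joined onto one line; the
# other two samples and the mapping table are constructed for this example.

AVC_SAMPLE='Jun 23 20:49:50 scriabin kernel: audit(1119552590.703:4): avc:  denied  { name_connect } for  pid=3260 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:postgresql_port_t tclass=tcp_socket'

# Constructed: same domain, but a connection to a non-database port.
AVC_HTTP_OUT='audit(1.0:5): avc:  denied  { name_connect } for  pid=1 comm="httpd" dest=8080 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:http_cache_port_t tclass=tcp_socket'

# Constructed: a denial the mapping table knows nothing about.
AVC_OTHER='audit(1.0:6): avc:  denied  { read } for  pid=2 comm="foo" name="bar" scontext=system_u:system_r:foo_t tcontext=system_u:object_r:bar_t tclass=file'

# avc_field LINE KEY: print the value of KEY=value (quotes stripped), or an
# empty line when the key is absent.
avc_field() {
    line=$1 key=$2
    rest=${line#* $key=}
    [ "$rest" = "$line" ] && { echo; return 0; }
    rest=${rest#\"}
    val=${rest%% *}
    printf '%s\n' "${val%\"}"
}

# avc_perm LINE: print the permission inside "{ ... }" (first one only).
avc_perm() {
    set -- $1
    while [ $# -gt 1 ]; do
        [ "$1" = "{" ] && { printf '%s\n' "$2"; return 0; }
        shift
    done
    echo
}

# ctx_type CONTEXT: the type field of user:role:type[:level].
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# suggest_booleans LINE: print the booleans that would allow the denial,
# narrowest first, or "unknown" when the (assumed) table has no entry.
suggest_booleans() {
    perm=$(avc_perm "$1")
    src=$(ctx_type "$(avc_field "$1" scontext)")
    tgt=$(ctx_type "$(avc_field "$1" tcontext)")
    cls=$(avc_field "$1" tclass)
    case "$src:$perm:$cls:$tgt" in
        # Database ports: prefer the narrower _db boolean where the policy
        # has it; fall back to the broad boolean from comment 6.
        httpd_t:name_connect:tcp_socket:postgresql_port_t|\
        httpd_t:name_connect:tcp_socket:mysqld_port_t)
            echo "httpd_can_network_connect_db httpd_can_network_connect" ;;
        # Any other TCP port: only the broad boolean applies.
        httpd_t:name_connect:tcp_socket:*)
            echo "httpd_can_network_connect" ;;
        *)
            echo unknown ;;
    esac
}

# check_booleans LINE: on an SELinux host, show the current value of each
# suggested boolean; elsewhere just report that it was not queried.
check_booleans() {
    for b in $(suggest_booleans "$1"); do
        if command -v getsebool >/dev/null 2>&1 && getsebool "$b" >/dev/null 2>&1; then
            getsebool "$b"
        else
            echo "$b: not queried (no SELinux tools, or boolean not in this policy)"
        fi
    done
}

check_booleans "$AVC_SAMPLE"
```

Run it with sh. On a host with policycoreutils installed the last step queries getsebool; the persistent fix is then `setsebool -P <boolean> on`, which is the same operation as the `=1` form in comment 6. With auditd running the raw denial is also in /var/log/audit/audit.log, and on later releases `audit2allow -w` run over it performs the same boolean lookup against the installed policy rather than against a hand-written table.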

Comment 7 Gérard Milmeister 2005-06-26 12:25:53 UTC
Ok, that does it. There is even an option in system-config-securitylevel. I
only wish this had been more obvious :-(

Comment 8 Daniel Walsh 2005-06-27 11:04:11 UTC
man httpd_selinux mentions it.  I am not sure where we could make it easier to
discover.

Sorry,

Dan

Comment 9 Ian Pilcher 2005-06-27 12:35:02 UTC
Set "Allow HTTPD scripts to connect to the network" in system-config-securitylevel
and all is well now (selinux-policy-targeted-1.23.18-16).  Shouldn't this be
closed NOTABUG?

Comment 10 Gérard Milmeister 2005-06-27 15:19:39 UTC
(In reply to comment #8)
> man httpd_selinux mentions it.  I am not sure where we could make it easier to
> discover.

Dan,
In order to consult the manpage, one must first know that it exists.
I think, things like these should make it into the release notes.
It is very common for LAMP applications to connect to the network.
I have used Linux since 1993 and I am not that inexperienced; a bug report like this
shows that there is some difficulty here, doesn't it?

Comment 11 Daniel Walsh 2005-06-29 15:05:45 UTC
Yes, SELinux is a different kind of technology, in that it does not allow all
operations of a product to easily work.  There is information in the Release
Notes about SELinux, but it could probably be documented better.

Dan