Bug 1022745 - SELinux is preventing /usr/sbin/httpd from 'connectto' accesses on the unix_stream_socket /run/postgresql/.s.PGSQL.5432.
Summary: SELinux is preventing /usr/sbin/httpd from 'connectto' accesses on the unix_s...
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 19
Hardware: x86_64
OS: Unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:8ca8b815f4695f3cfa351f5f0ab...
Depends On:
Blocks:
 
Reported: 2013-10-23 22:59 UTC by andrew jarcho
Modified: 2013-10-24 12:54 UTC (History)
CC List: 4 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-10-24 12:54:53 UTC
Type: ---



Description andrew jarcho 2013-10-23 22:59:33 UTC
Description of problem:
Fedora 19
PostgreSQL 9.2.4         (installed from Fedora rpm, user postgres)
PHP 5.5.4                (installed from Fedora rpm)
Chrome 30.0.1599.101
Apache Web Server 2.4.6  (installed from Fedora rpm, user apache)

I have been trying to execute the following script in my browser:

<?php
$pgsql = pg_connect("dbname=stats user=andrew");
if (!is_resource($pgsql)) {
    echo "Failed to connect to PostgreSQL";
} else {
    echo "success\n";
}
?>

When SELinux is set to 'permissive', the script outputs 'success' to my browser window.
When SELinux is set to 'enforcing', I see the following error in my browser window and in my http error_log:

Warning: pg_connect(): Unable to connect to PostgreSQL server: could not connect to server: Permission denied 
Is the server running locally and accepting connections on Unix domain socket "/var/run/postgresql/.s.PGSQL.5432"? 
in /var/www/html/stats_drill/connectPgres.php on line 2

followed by the output 'Failed to connect to PostgreSQL'

I get an SELinux Alert:

SELinux is preventing /usr/sbin/httpd from 'connectto' accesses on the unix_stream_socket /run/postgresql/.s.PGSQL.5432.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you think that by default, httpd should be permitted access connectto on  .s.PGSQL.5432 unix_stream_socket.     
then report this as an error.
You can generate a local policy module to allow this access.
Do
Allow access now by executing:
# grep httpd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

When I try to execute 'grep httpd /var/log/audit/audit.log | audit2allow -M mypol' as root, I get the message:
compilation failed:
sh: /usr/bin/checkmodule: No such file or directory
That's all I know. :-) Thanks.

Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023
Target Objects                /run/postgresql/.s.PGSQL.5432 [ unix_stream_socket ]
Source                        httpd
Source Path                   /usr/sbin/httpd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           httpd-2.4.6-2.fc19.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-74.9.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 3.11.4-201.fc19.x86_64 #1 SMP Thu Oct 10 14:11:18 UTC 2013 x86_64 x86_64
Alert Count                   47
First Seen                    2013-10-22 17:15:29 EDT
Last Seen                     2013-10-23 18:32:33 EDT
Local ID                      739f583a-0a1b-4d6b-a24d-d0fd213a3cce

Raw Audit Messages
type=AVC msg=audit(1382567553.161:793): avc:  denied  { connectto } for  pid=7953 comm="httpd" path="/run/postgresql/.s.PGSQL.5432" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket


type=SYSCALL msg=audit(1382567553.161:793): arch=x86_64 syscall=connect success=yes exit=0 a0=a a1=7fa2efe35c70 a2=6e a3=7fa2efe35c72 items=0 ppid=7951 pid=7953 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 ses=4294967295 tty=(none) comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null)

Hash: httpd,httpd_t,unconfined_t,unix_stream_socket,connectto

Additional info:
reporter:       libreport-2.1.8
hashmarkername: setroubleshoot
kernel:         3.11.4-201.fc19.x86_64
type:           libreport

Comment 1 Miroslav Grepl 2013-10-24 12:54:53 UTC
It looks like you started postgresql by hand instead of using the unit file. You should start it using the unit file. Then you will end up with postgresql_t.


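The point of Comment 1 is visible in the raw AVC itself: the source is httpd_t, but the target socket is labelled unconfined_t, which is the domain of whoever started postgres from an interactive shell, not the postgresql_t a unit-started server would have. The audit2allow failure in the report is only a missing package (on Fedora /usr/bin/checkmodule ships in checkpolicy), but installing it and loading the generated module would be the wrong fix: the rule it produces lets httpd_t connect to any unconfined_t unix stream socket, a broad hole out of the web server's confinement. The script below is an added example, not code from the bug report or from selinux-policy. It parses audit records like the two quoted above, pairs each AVC with the SYSCALL record of the same serial, shows the rule audit2allow would emit, and flags the mislabeled-target case. The EXPECTED_SOCKET_DOMAIN and UNCONFINED_DOMAINS tables are assumptions drawn from Comment 1, and the second record (serial 794) is constructed to show the other branch.

```python
"""Triage SELinux AVC 'connectto' denials on a service's unix socket.

Added example, not code from the bug report or from selinux-policy. It parses
raw audit records like the two quoted in the report, pairs each AVC with the
SYSCALL record that shares its serial, prints the rule audit2allow would
generate, and flags the situation from Comment 1: the target socket carries
unconfined_t because the daemon was started by hand instead of via its unit.
"""
import re
from dataclasses import dataclass, field

# Constructed sample log. Serial 793 is the pair of records quoted in the report
# (recorded in permissive mode, hence success=yes). Serial 794 is hypothetical:
# the same denial against a correctly labelled postgresql_t socket, as it would
# look under enforcing mode (success=no; exit=-13 is EACCES).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1382567553.161:793): avc:  denied  { connectto } for  pid=7953 comm="httpd" path="/run/postgresql/.s.PGSQL.5432" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=SYSCALL msg=audit(1382567553.161:793): arch=x86_64 syscall=connect success=yes exit=0 a0=a a1=7fa2efe35c70 a2=6e a3=7fa2efe35c72 items=0 ppid=7951 pid=7953 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 ses=4294967295 tty=(none) comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1382570000.000:794): avc:  denied  { connectto } for  pid=8001 comm="httpd" path="/run/postgresql/.s.PGSQL.5432" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:postgresql_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1382570000.000:794): arch=x86_64 syscall=connect success=no exit=-13 a0=a a1=0 a2=0 a3=0 items=0 ppid=7951 pid=8001 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 ses=4294967295 tty=(none) comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null)
"""

HEADER_RE = re.compile(
    r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<rest>.*)$"
)
PERMS_RE = re.compile(r"denied\s+\{\s*(?P<perms>[^}]+?)\s*\}")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumption taken from Comment 1: a postgresql socket under /run/postgresql
# belongs to postgresql_t when the server is started through its unit file.
# Extend this map for other services reached from httpd over a unix socket.
EXPECTED_SOCKET_DOMAIN = {
    "/run/postgresql/": "postgresql_t",
    "/var/run/postgresql/": "postgresql_t",
}
UNCONFINED_DOMAINS = {"unconfined_t"}


@dataclass
class Denial:
    serial: str
    perms: list
    attrs: dict                                   # key=value pairs of the AVC record
    syscall: dict = field(default_factory=dict)   # matching SYSCALL record, if any


def selinux_type(context: str) -> str:
    """user:role:type[:range] -> type, e.g. unconfined_u:system_r:unconfined_t:s0 -> unconfined_t."""
    return context.split(":")[2]


def parse_audit(text: str) -> list:
    """Return the AVC denials in an audit.log excerpt, each joined to its SYSCALL record."""
    denials, syscalls = {}, {}
    for line in text.splitlines():
        m = HEADER_RE.match(line.strip())
        if not m:
            continue
        attrs = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
        if m.group("type") == "AVC":
            perms = PERMS_RE.search(m.group("rest")).group("perms").split()
            denials[m.group("serial")] = Denial(m.group("serial"), perms, attrs)
        elif m.group("type") == "SYSCALL":
            syscalls[m.group("serial")] = attrs
    for serial, d in denials.items():
        d.syscall = syscalls.get(serial, {})
    return list(denials.values())


def audit2allow_rule(d: Denial) -> str:
    """The allow rule audit2allow would emit for this single denial."""
    perms = d.perms[0] if len(d.perms) == 1 else "{ " + " ".join(d.perms) + " }"
    return (f"allow {selinux_type(d.attrs['scontext'])} "
            f"{selinux_type(d.attrs['tcontext'])}:{d.attrs['tclass']} {perms};")


def triage(d: Denial) -> dict:
    """Decide whether the denial points at a mislabeled socket or at a real policy gap."""
    stype = selinux_type(d.attrs["scontext"])
    ttype = selinux_type(d.attrs["tcontext"])
    path = d.attrs.get("path", "")
    # success=no on the paired SYSCALL means the kernel actually refused the connect.
    enforced = d.syscall.get("success") == "no"
    expected = next((t for p, t in EXPECTED_SOCKET_DOMAIN.items() if path.startswith(p)), None)
    if expected is not None and ttype != expected:
        verdict = "mislabeled_target"
        advice = (f"{path} is owned by {ttype}, not {expected}: the daemon was started outside "
                  f"its systemd unit. Restart it via the unit file; do not load "
                  f"'{audit2allow_rule(d)}', which would let {stype} reach every "
                  f"{ttype} socket of that class.")
    elif ttype in UNCONFINED_DOMAINS:
        verdict = "overbroad_rule"
        advice = (f"target is {ttype}; an audit2allow rule here opens {stype} towards an "
                  f"unconfined domain. Find out why the socket is unconfined first.")
    else:
        verdict = "policy_gap"
        short = stype[:-2] if stype.endswith("_t") else stype
        advice = (f"{ttype} is the expected domain; check the relevant booleans "
                  f"(getsebool -a | grep {short}) before adding '{audit2allow_rule(d)}'.")
    return {"serial": d.serial, "source": stype, "target": ttype,
            "enforced": enforced, "verdict": verdict, "advice": advice}


if __name__ == "__main__":
    for d in parse_audit(SAMPLE_AUDIT_LOG):
        r = triage(d)
        mode = "enforced" if r["enforced"] else "permissive"
        print(f"[{r['serial']}] {r['source']} -> {r['target']} ({mode}): {r['verdict']}")
        print("   ", r["advice"])
```

Two details worth checking on a real box. The quoted SYSCALL record carries success=yes exit=0, which matches "Enforcing Mode: Permissive" in the setroubleshoot report: the connect was logged but allowed; under enforcing the same call fails with EACCES, which is the "Permission denied" that pg_connect() printed. And after restarting the server through its unit, `ps -eZ | grep postgres` should show postgresql_t for the postmaster; a socket created by that process then carries postgresql_t, and the denial against unconfined_t disappears without any local policy module.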