Bug 139895 - httpd cannot connect to postgresql database using sockets
Product: Fedora
Component: selinux-policy-targeted
Version: 3
Hardware: i386 Linux
Assignee: Daniel Walsh
Reported: 2004-11-18 17:56 UTC by Johannes Schmid
Modified: 2007-11-30 22:10 UTC
Fixed In Version: RHBA-2005-251
Doc Type: Bug Fix
Last Closed: 2005-04-11 21:50:55 UTC


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2005:251 low SHIPPED_LIVE selinux-policy-targeted bug fix update 2005-06-09 04:00:00 UTC

Description Johannes Schmid 2004-11-18 17:56:03 UTC

Description of problem:
When using PHP and using the pg_pconnect function to connect to a
PostgreSQL database without specifying a host (thus using a socket for
the connection), the current selinux targeted policy denies access to
this socket.

I tested both the policy that comes with FC3 and the latest version I
downloaded from ftp://people.redhat.com/dwalsh/SELinux/FC3

The audit message I get is:
avc:  denied  { connectto } for  pid=2244 exe=/usr/sbin/httpd
path=/tmp/.s.PGSQL.5432 scontext=user_u:system_r:httpd_t
tcontext=user_u:system_r:unconfined_t tclass=unix_stream_socket

The PHP script used for testing is:

Steps to Reproduce:
1. create a postgresql database test
2. execute above php script

Actual Results:  access to database is denied; PHP error message is:
pg_pconnect(): Unable to connect to PostgreSQL server: could not
connect to server: Is the server running locally and accepting
connections on Unix domain socket "/tmp/.s.PGSQL.5432"?

Expected Results:  a successful connection to postgresql server

Comment 1 Daniel Walsh 2004-11-18 18:28:08 UTC
Try rpm -q -l postgresql | restorecon -R -n -f -
service postgresql restart
service httpd restart

Comment 2 Johannes Schmid 2004-11-18 18:40:03 UTC
although I totally forgot to do that (shame on me), it has no effect.

I still get the exact same error.

I additionally tried an
  restorecon -R /tmp
(as that's where the socket is located, just to make sure). Still the
same error.

Comment 3 Daniel Walsh 2004-11-18 18:54:43 UTC
Can you show me 

ls -lZ /usr/bin/postgres


ps -eZ | grep postgres

Comment 4 Daniel Walsh 2004-11-18 19:41:11 UTC
My mistake, I just tried this on FC3 with 2.31 and it seems to work.

rpm -q -l postgresql-server | restorecon -R -n -f -
service postgresql restart
service httpd restart

Comment 5 Johannes Schmid 2004-11-19 10:14:46 UTC
I just tried to do the same, but it still does not work. Still getting

avc: denied { connectto } for  pid=2995 exe=/usr/sbin/httpd
path=/tmp/.s.PGSQL.5432 scontext=root:system_r:httpd_t
tcontext=root:system_r:unconfined_t tclass=unix_stream_socket

after doing

rpm -q -l postgresql-server | restorecon -R -n -f -
service postgresql restart
service httpd restart

# ls -lZ /usr/bin/postgres
-rwxr-xr-x  root   root   system_u:object_r:bin_t    /usr/bin/postgres

# ps aeZ |grep postgres
root:system_r:unconfined_t       2966 pts/0    S      0:00
   /usr/bin/postmaster -p 5432 -D /var/lib/pgsql/data [...]
root:system_r:unconfined_t       2968 pts/0    S      0:00
   postgres: stats buffer process
root:system_r:unconfined_t       2969 pts/0    S      0:00
   postgres: stats collector process
root:system_r:unconfined_t       3005 pts/0    S      0:00
   postgres: apache test idle

I hope this helps :)

Comment 6 Daniel Walsh 2004-11-19 14:17:34 UTC
That makes no sense.

If you have selinux-policy-targeted-1.17.30-2.31 installed

/usr/bin/postgres should be system_u:object_r:postgresql_exec_t

Do you have selinux-policy-targeted-sources-1.17.30-2.31 installed?

If so could you do a 

make -C /etc/selinux/targeted/src/policy load

Then try the restorecon stuff?

Comment 7 Johannes Schmid 2004-11-19 16:22:37 UTC
# rpm -q selinux-policy-targeted

# rpm -i selinux-policy-targeted-sources-1.17.30-2.31.noarch.rpm

happened during RPM install (afaik), but I did it anyway:
# make -C /etc/selinux/targeted/src/policy load

# rpm -q -l postgresql-server | restorecon -R -n -f -
# service postgresql restart
# service httpd restart

# ls -lZ /usr/bin/postgres
-rwxr-xr-x  root   root   system_u:object_r:bin_t   /usr/bin/postgres

--> and, of course, it did not work :-)

Now, what I did is this: instead of restorecon -R -n, I tried
# rpm -q -l postgresql-server | restorecon -R -f -
# ls -lZ /usr/bin/postgres
-rwxr-xr-x  root     root     system_u:object_r:postgresql_exec_t

and this did seem to work!

Just to be on the safe side, I also did:
# rpm -q -l php | restorecon -R -f -
# rpm -q -l php-pgsql | restorecon -R -f -
# rpm -q -l postgresql | restorecon -R -f -
# rpm -q -l httpd | restorecon -R -f -

Now it seems to work a little bit better. Instead of the denied
"connectto" I get an

avc:  denied  { write } for  pid=3091 exe=/usr/sbin/httpd
name=.s.PGSQL.5432 dev=hda3 ino=22635 scontext=root:system_r:httpd_t
tcontext=root:object_r:postgresql_tmp_t tclass=sock_file

Comment 8 Daniel Walsh 2004-11-19 16:43:43 UTC
I am sorry, I am such an idiot, restorecon -n tells it not to make the
change.  I should have typed 
restorecon -v.

Could you do a setenforce 0 and try to access the database.


Comment 9 Johannes Schmid 2004-11-19 20:33:14 UTC
Sorry, unfortunately I'm in GMT+1 (Germany) and my FC3 installation is
in the office (and I already left the office). So I can't test it right
now but it'll be the first thing I'll do Monday morning.

Comment 10 Johannes Schmid 2004-11-20 20:50:07 UTC
I just had a chance to try it, so here's the result:

using setenforce 0 (of course) leads to a successful connect to the
postgresql database.

Here are the selinux messages that were spit out during that process:
avc:  denied  { write } for  pid=2821 exe=/usr/sbin/httpd
name=.s.PGSQL.5432 dev=hda3 ino=22635 scontext=root:system_r:httpd_t
tcontext=root:object_r:postgresql_tmp_t tclass=sock_file
avc:  denied  { connectto } for  pid=2821 exe=/usr/sbin/httpd
path=/tmp/.s.PGSQL.5432 scontext=root:system_r:httpd_t
tcontext=root:system_r:postgresql_t tclass=unix_stream_socket

I'm an absolute newbie to this selinux stuff, but after changing line
297 of your apache.te from
allow httpd_t tmp_t:sock_file rw_file_perms;
to
allow httpd_t postgresql_tmp_t:sock_file rw_file_perms;
at least the first message disappeared again ("denied { write }").

I guess that there should be somewhere an assignment that says that
postgresql_tmp_t is of type tmp_t.

When I also add the following line, everything works fine:
allow httpd_t postgresql_t:unix_stream_socket { connectto };

Hope this helps.
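An added example, not code from the report or from the Fedora policy: a small Python parser that turns AVC denial lines like those quoted above into TE allow rules the way comment 10 derives them by hand, and that flags the comment 5 denial (target type unconfined_t) as a labeling problem to be fixed with restorecon rather than with a new rule. The three sample lines are the denials quoted in comments 5 and 10; the function and field names are this example's own.

```python
import re
from collections import defaultdict

# Sample input: the AVC denials quoted in comments 5 and 10 of this report.
SAMPLE_AVC = [
    "avc:  denied  { connectto } for  pid=2995 exe=/usr/sbin/httpd path=/tmp/.s.PGSQL.5432 "
    "scontext=root:system_r:httpd_t tcontext=root:system_r:unconfined_t tclass=unix_stream_socket",
    "avc:  denied  { write } for  pid=2821 exe=/usr/sbin/httpd name=.s.PGSQL.5432 dev=hda3 "
    "ino=22635 scontext=root:system_r:httpd_t tcontext=root:object_r:postgresql_tmp_t tclass=sock_file",
    "avc:  denied  { connectto } for  pid=2821 exe=/usr/sbin/httpd path=/tmp/.s.PGSQL.5432 "
    "scontext=root:system_r:httpd_t tcontext=root:system_r:postgresql_t tclass=unix_stream_socket",
]

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]+?)\s*\}\s+for\s+(.*)$")


def parse_avc(line):
    """Parse one AVC line into perms, source/target types and object class, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group(2).split() if "=" in kv)
    try:
        return {
            "perms": set(m.group(1).split()),
            "stype": fields["scontext"].split(":")[2],  # contexts are user:role:type
            "ttype": fields["tcontext"].split(":")[2],
            "tclass": fields["tclass"],
            "fields": fields,
        }
    except (KeyError, IndexError):
        return None


def is_label_problem(d):
    """A daemon socket owned by unconfined_t means the daemon never entered its
    domain (here postmaster ran unconfined because /usr/bin/postgres was bin_t).
    The fix is relabeling the package files, not an allow rule on unconfined_t."""
    return d["ttype"] == "unconfined_t"


def allow_rules(lines):
    """Aggregate the genuine denials into TE allow rules, one per (src, tgt, class)."""
    needed = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d is None or is_label_problem(d):
            continue
        needed[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(needed.items())]
```

Run against SAMPLE_AVC it yields exactly the two rules comment 10 arrived at (with `{ write }` in place of the broader `rw_file_perms` macro) and skips the unconfined_t denial.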

Comment 11 Daniel Walsh 2004-11-21 04:17:43 UTC
Fixed in policy-1.19.4-1

Comment 12 Phil Anderson 2004-12-23 13:06:39 UTC
Confirmed fixed in (at least) selinux-policy-targeted-1.17.30-2.60

Comment 13 Tim Powers 2005-06-09 13:05:53 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

