Bug 160975 - phpPgAdmin cannot connect to postgres
phpPgAdmin cannot connect to postgres
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
4
i386 Linux
medium Severity medium
: ---
: ---
Assigned To: Daniel Walsh
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2005-06-19 08:12 EDT by Gérard Milmeister
Modified: 2007-11-30 17:11 EST (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2005-06-29 11:05:45 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Gérard Milmeister 2005-06-19 08:12:37 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050513 Galeon/1.3.21

Description of problem:
If SELinux is set to enforce, phpPgAdmin (PHP, httpd) cannot connect to Postgres. As soon as enforce is set to false, it works without problems.

Version-Release number of selected component (if applicable):
postgresql-8.0.3-1

How reproducible:
Always

Steps to Reproduce:
 

Additional info:
Comment 1 Gérard Milmeister 2005-06-19 09:26:32 EDT
This is certainly a httpd - postgres conflict, since the the Postgres module in
Webmin doesn't work correctly either.
Comment 2 Tom Lane 2005-06-23 14:21:26 EDT
What Postgres authorization method are you using, and is the connection being
done through a Unix socket or over loopback IP?

There is a report at bug #161383 that SELinux interferes with IDENT checking,
but there is not enough information here for me to guess if it's the same issue.
Comment 3 Gérard Milmeister 2005-06-23 14:53:27 EDT
Here are the lines from pg_hba.conf:
# "local" is for Unix domain socket connections only
local   all         all                               ident sameuser
# IPv4 local connections:
host    all         all         127.0.0.1/32          md5
host    all         all         192.168.0.1/32        md5
# IPv6 local connections:
host    all         all         ::1/128               ident sameuser

and here the configuration from phppgadmin:
// Display name for the server on the login screen
$conf['servers'][0]['desc'] = 'PostgreSQL';

// Hostname or IP address for server.  Use '' for UNIX domain socket.
$conf['servers'][0]['host'] = '192.168.0.1';

// Database port on server (5432 is the PostgreSQL default)
$conf['servers'][0]['port'] = 5432;

This would mean that connection is through 192.168.0.1, not the unix domain socket.

The message from selinux is:
Jun 23 20:49:50 scriabin kernel: audit(1119552590.703:4): avc:  denied  {
name_connect } for  pid=3260 comm="httpd" dest=5432
scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:postgresql_port_t
tclass=tcp_socket

Note that I am able to log on to postgres using a password with:
psql -h 192.168.0.1
Comment 4 Ian Pilcher 2005-06-23 15:32:59 EDT
That configuration will cause any request from 192.168.0.1 to use password
authentication.  (Keep in mind that PostgreSQL attempts to use the first
authentication method that matches the request.  If that fails, the connection
is refused; PostgreSQL does not "fall back" to another method.)

I'm no expert on SELinux, but it looks to me like the httpd process is being
blocked from even opening a socket to the postmaster.  I don't think that
PostgreSQL ever even sees the connection attempt.

If I'm correct, this is not a duplicate of #161383.
Comment 5 Tom Lane 2005-06-23 15:37:07 EDT
I agree, it is not a dup given that kernel log message.  I am recategorizing
this as a SELinux policy bug --- Dan can bounce it back if he thinks
differently.
Comment 6 Daniel Walsh 2005-06-26 07:35:46 EDT
set the boolean 

setsebool -P httpd_can_network_connect=1
Comment 7 Gérard Milmeister 2005-06-26 08:25:53 EDT
Ok, that does it. There is even an option in system-config-securitylevel. I
would only this had been more obvious :-(
Comment 8 Daniel Walsh 2005-06-27 07:04:11 EDT
man httpd_selinux mentions it.  I am not sure where we could make it easier to
discover.

Sorry,

Dan
Comment 9 Ian Pilcher 2005-06-27 08:35:02 EDT
Set "Allow HTTPD scripts to connect to the network" in system-config-securitylevel
and all is well now (selinux-policy-targeted-1.23.18-16).  Shouldn't this be
closed NOTABUG?
Comment 10 Gérard Milmeister 2005-06-27 11:19:39 EDT
(In reply to comment #8)
> man httpd_selinux mentions it.  I am not sure where we could make it easier to
> discover.

Dan,
In order to consult the manpage, one must first know that it exists.
I think, things like these should make it into the release notes.
It is very common for LAMP applications to connect to the network.
I use Linux since 1993 and I am not that unexperienced, a bug report like this
shows, that there is some difficulty here, doesn't it?
Comment 11 Daniel Walsh 2005-06-29 11:05:45 EDT
Yes SELinux is a different kind of technology, in that it does not allow all
operations of a product to easily work.  Their is information in the Release
Notes about SELinux, but it could probably be documented better.

Dan

Note You need to log in before you can comment on or make changes to this bug.