Bug 186364 - Apache cannot connect to PostgreSQL via Unix domain socket
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Hardware/OS: All Linux
Priority: medium
Severity: medium
Assigned To: James Antill
Reported: 2006-03-23 01:35 EST by Bojan Smojver
Modified: 2007-11-30 17:11 EST
Fixed In Version: 2.2.32-1.FC5
Doc Type: Bug Fix
Last Closed: 2006-05-09 01:49:44 EDT
Description Bojan Smojver 2006-03-23 01:35:15 EST
Description of problem:
When running under SELinux, Apache cannot connect to the unix domain socket
PostgreSQL runs on. Audit log shows:

type=AVC msg=audit(1143093783.650:30266): avc:  denied  { write } for  pid=29561
comm="httpd" name=".s.PGSQL.5432" dev=dm-0 ino=192011
scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:postgresql_tmp_t:s0
type=SYSCALL msg=audit(1143093783.650:30266): arch=40000003 syscall=102
success=no exit=-13 a0=3 a1=bfd74d90 a2=e49374 a3=982ae50 items=1 pid=29561
auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48
comm="httpd" exe="/usr/sbin/httpd"
type=SOCKADDR msg=audit(1143093783.650:30266):
type=SOCKETCALL msg=audit(1143093783.650:30266): nargs=3 a0=19 a1=9854df8 a2=6e
type=PATH msg=audit(1143093783.650:30266): item=0 flags=1  inode=192011
dev=fd:00 mode=0140777 ouid=26 ogid=26 rdev=00:00

audit2allow claims that this is needed:

allow httpd_t postgresql_tmp_t:sock_file write;

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Run PHP inside Apache and try to connect to PGSQL on a unix socket.

Actual results:
Connection fails.

Expected results:
This should always work.

Additional info:
This is with the latest testing update and released targeted policy as well.
Comment 1 Toshio Kuratomi 2006-03-23 13:04:36 EST
It can't connect via tcp/ip either:

type=AVC msg=audit(1143135487.766:3105): avc:  denied  { name_connect } for 
pid=23358 comm="httpd" dest=5432 scontext=user_u:system_r:httpd_t:s0
tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1143135487.766:3105): arch=40000003 syscall=102
success=no exit=-13 a0=3 a1=bf858aa0 a2=40d374 a3=a3a3d38 items=0 pid=23358
auid=1006 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48
comm="httpd" exe="/usr/sbin/httpd"
type=SOCKADDR msg=audit(1143135487.766:3105): saddr=020015387F0000010000000000000000
type=SOCKETCALL msg=audit(1143135487.766:3105): nargs=3 a0=13 a1=a3a3d58 a2=10
type=AVC msg=audit(1143135582.234:3106): avc:  denied  { name_connect } for 
pid=23362 comm="httpd" dest=5432 scontext=user_u:system_r:httpd_t:s0
tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
Comment 2 Bojan Smojver 2006-03-23 16:25:26 EST
In relation to comment #1, have you tried:

setsebool -P httpd_can_network_connect_db 1

or even

setsebool -P httpd_can_network_connect 1
Comment 3 Toshio Kuratomi 2006-03-23 17:21:09 EST
Does not work with httpd_can_network_connect_db
Does work with httpd_can_network_connect

Hmm... wait:
 a php script: db.php works with either bool set.
 a cgi-script, user_u:object_r:httpd_sys_script_exec_t, works only with

Guess I learned something today.
Comment 4 Daniel Walsh 2006-04-03 12:57:01 EDT
Bojan, a couple of questions:

Why is the postgresql sock file in /tmp instead of /var/run? If it was in /var/run,
would the domain socket have worked?

Fixed Toshio's problem in selinux-policy-2.2.29-2.fc5
Comment 5 Bojan Smojver 2006-04-03 15:25:01 EDT
I really don't know. Given this was an upgrade from FC4, I had to reload the
database from the dump file, so an initdb was done. At present, postmaster is
running like this:

/usr/bin/postmaster -p 5432 -D /var/lib/pgsql/data

In other words, whatever the defaults are in /etc/init.d/postgresql (this file
has not been changed - I ran rpm -V against it). The packages I have on are:


The manual for postmaster does say that by default unix domain socket file goes
into /tmp, and this can be changed at compile time. Maybe this particular binary
wasn't built properly or something...
Comment 6 Bojan Smojver 2006-04-04 20:09:44 EDT
Just installed postgresql-server RPM from scratch on a different box. It most
definitely has the socket in the same place:

[root@itpi00 ~]# ls -l /tmp/.s.PGSQL.5432
srwxrwxrwx 1 postgres postgres 0 Apr  5 10:12 /tmp/.s.PGSQL.5432

Should it be in /var/run instead or something? Or should the policy be changed
to reflect postgresql-server package defaults?
Comment 7 Bojan Smojver 2006-04-10 18:14:16 EDT
Should I do some more testing or supply more data? I'm not sure where we left
Comment 8 Bojan Smojver 2006-04-11 21:16:06 EDT
Same with 2.2.29-3.fc5.
Comment 9 Bojan Smojver 2006-04-11 21:49:08 EDT

# Local policy module (audit2allow style) granting httpd write access to the
# PostgreSQL unix domain socket, which is labelled postgresql_tmp_t.
module httpd_postgresql 1.0;

require {
        class sock_file write;

        type httpd_t;
        type postgresql_tmp_t;
}

allow httpd_t postgresql_tmp_t:sock_file write;
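An added example, not code from this bug or from the Fedora tooling: a small helper that turns the AVC denials quoted in the description and in comment #1 into the allow rules audit2allow derives (the form used in the module in comment #9), and decodes the SOCKADDR record from comment #1 to show which endpoint httpd was reaching. The sample log lines are constructed from the records quoted above, joined onto single lines as they appear in audit.log; the description's record has tclass=sock_file filled in from the allow rule the reporter quoted.

```python
import re
import socket
import struct
# Constructed sample built from the denials quoted in this bug: the sock_file
# write from the description (tclass=sock_file completed from the allow rule
# the reporter quoted) and the tcp name_connect plus SOCKADDR from comment 1.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1143093783.650:30266): avc:  denied  { write } for  pid=29561 comm="httpd" name=".s.PGSQL.5432" dev=dm-0 ino=192011 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:postgresql_tmp_t:s0 tclass=sock_file
type=AVC msg=audit(1143135487.766:3105): avc:  denied  { name_connect } for  pid=23358 comm="httpd" dest=5432 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
type=SOCKADDR msg=audit(1143135487.766:3105): saddr=020015387F0000010000000000000000
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?scontext=(?P<sctx>\S+)"
    r"\s+tcontext=(?P<tctx>\S+)\s+tclass=(?P<tclass>\S+)"
)

def parse_avc(line):
    m = AVC_RE.search(line)
    if not m:
        return None
    # Contexts are user:role:type:level; only the type field enters a TE rule.
    return (m.group("sctx").split(":")[2], m.group("tctx").split(":")[2],
            m.group("tclass"), tuple(m.group("perms").split()))

def allow_rules(audit_text):
    """Collapse denials into the TE allow rules audit2allow would print, in order seen."""
    rules = {}
    for line in audit_text.splitlines():
        parsed = parse_avc(line)
        if parsed:
            stype, ttype, tclass, perms = parsed
            rules.setdefault((stype, ttype, tclass), set()).update(perms)
    out = []
    for (stype, ttype, tclass), perms in rules.items():
        p = " ".join(sorted(perms))
        if len(perms) > 1:          # several perms denied on one pair -> brace set
            p = "{ " + p + " }"
        out.append(f"allow {stype} {ttype}:{tclass} {p};")
    return out

def decode_saddr(hexstr):
    """Decode the raw sockaddr hex of a SOCKADDR record (x86 host order is little-endian)."""
    raw = bytes.fromhex(hexstr)
    family = struct.unpack("<H", raw[:2])[0]   # sa_family_t, host byte order
    if family == 2:                            # AF_INET: port and address in network order
        return "AF_INET", socket.inet_ntoa(raw[4:8]), struct.unpack("!H", raw[2:4])[0]
    if family == 1:                            # AF_UNIX: NUL-terminated sun_path
        return "AF_UNIX", raw[2:].split(b"\0", 1)[0].decode(), None
    return f"AF_{family}", None, None
```

The rules it prints for the sample are exactly the two grants debated in this thread; the SOCKADDR decodes to 127.0.0.1:5432, which is why the TCP case is covered by the httpd_can_network_connect_db boolean from comment #2 rather than by a custom module.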
Comment 10 Daniel Walsh 2006-04-14 09:21:28 EDT
fixed in selinux-policy-2.2.32-1.FC5.
Comment 12 Bojan Smojver 2006-05-09 01:49:44 EDT
Closing. This has been fixed.