Description of problem:
When running under SELinux, Apache cannot connect to the unix domain socket PostgreSQL runs on. Audit log shows:
-----------------------------
type=AVC msg=audit(1143093783.650:30266): avc: denied { write } for pid=29561 comm="httpd" name=".s.PGSQL.5432" dev=dm-0 ino=192011 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:postgresql_tmp_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1143093783.650:30266): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfd74d90 a2=e49374 a3=982ae50 items=1 pid=29561 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 comm="httpd" exe="/usr/sbin/httpd"
type=SOCKADDR msg=audit(1143093783.650:30266): saddr=01002F746D702F2E732E504753514C2E35343332000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
type=SOCKETCALL msg=audit(1143093783.650:30266): nargs=3 a0=19 a1=9854df8 a2=6e
type=PATH msg=audit(1143093783.650:30266): item=0 flags=1 inode=192011 dev=fd:00 mode=0140777 ouid=26 ogid=26 rdev=00:00
-----------------------------
Audit to allow claims that this is needed:
-----------------------------
allow httpd_t postgresql_tmp_t:sock_file write;
-----------------------------

Version-Release number of selected component (if applicable):
2.2.25-2.fc5

How reproducible:
Always.

Steps to Reproduce:
1. Run PHP inside Apache and try to connect to PGSQL on unix socket.

Actual results:
Connection fails.

Expected results:
This should always work.

Additional info:
This is with the latest testing update and released targeted policy as well.
It can't connect via tcp/ip either:
type=AVC msg=audit(1143135487.766:3105): avc: denied { name_connect } for pid=23358 comm="httpd" dest=5432 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1143135487.766:3105): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bf858aa0 a2=40d374 a3=a3a3d38 items=0 pid=23358 auid=1006 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 comm="httpd" exe="/usr/sbin/httpd"
type=SOCKADDR msg=audit(1143135487.766:3105): saddr=020015387F0000010000000000000000
type=SOCKETCALL msg=audit(1143135487.766:3105): nargs=3 a0=13 a1=a3a3d58 a2=10
type=AVC msg=audit(1143135582.234:3106): avc: denied { name_connect } for pid=23362 comm="httpd" dest=5432 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
In relation to comment #1, have you tried:
setsebool -P httpd_can_network_connect_db 1
or even
setsebool -P httpd_can_network_connect 1
Does not work with httpd_can_connect_db.
Does work with httpd_can_network_connect.

Hmm... wait:
a php script, db.php, works with either bool set.
a cgi-script, user_u:object_r:httpd_sys_script_exec_t, works only with httpd_can_network_connect.

Guess I learned something today.
Bojan, a couple of questions: Why is the postgresql sock file in /tmp instead of /var/run? If it was in /var/run, would the domain socket have worked?

Fixed Toshio's problem in selinux-policy-2.2.29-2.fc5
I really don't know. Given this was an upgrade from FC4, I had to reload the database from the dump file, so an initdb was done. At present, postmaster is running like this:
/usr/bin/postmaster -p 5432 -D /var/lib/pgsql/data
In other words, whatever the defaults are in /etc/init.d/postgresql (this file has not been changed - I ran rpm -V against it).

The packages I have on are:
postgresql-libs-8.1.3-1
postgresql-8.1.3-1
postgresql-server-8.1.3-1

The manual for postmaster does say that by default the unix domain socket file goes into /tmp, and this can be changed at compile time. Maybe this particular binary wasn't built properly or something...
Just installed postgresql-server RPM from scratch on a different box. It most definitely has the socket in the same place:
[root@itpi00 ~]# ls -l /tmp/.s.PGSQL.5432
srwxrwxrwx 1 postgres postgres 0 Apr 5 10:12 /tmp/.s.PGSQL.5432

Should it be in /var/run instead or something? Or should the policy be changed to reflect postgresql-server package defaults?
Should I do some more testing or supply more data? I'm not sure where we left this...
Same with 2.2.29-3.fc5.
Workaround:
-----------------------------------------------
module httpd_postgresql 1.0;

require {
	# object class and permission referenced by the allow rule below
	class sock_file write;
	# source domain (Apache) and target type (the PostgreSQL socket in /tmp)
	type httpd_t;
	type postgresql_tmp_t;
};

# let httpd write to (connect through) the PostgreSQL unix domain socket
allow httpd_t postgresql_tmp_t:sock_file write;
-----------------------------------------------
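As an added illustration (not part of the bug thread or of the Fedora policy tooling), the following Python script shows the reasoning behind the workaround above and the boolean discussion in comment #4: it parses the two AVC denials quoted in this bug, treats the tcp_socket name_connect denial as covered by httpd_can_network_connect_db, and turns the remaining sock_file denial into a minimal .te module of the same shape as the workaround. The BOOLEAN_HINTS table is a hypothetical mapping written for this example; a real audit2allow consults the installed policy instead.

```python
import re

# Two AVC lines copied from the audit output quoted in this bug (constructed sample input).
AVC_LINES = [
    'type=AVC msg=audit(1143093783.650:30266): avc: denied { write } for pid=29561 comm="httpd" '
    'name=".s.PGSQL.5432" dev=dm-0 ino=192011 scontext=root:system_r:httpd_t:s0 '
    'tcontext=root:object_r:postgresql_tmp_t:s0 tclass=sock_file',
    'type=AVC msg=audit(1143135487.766:3105): avc: denied { name_connect } for pid=23358 '
    'comm="httpd" dest=5432 scontext=user_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket',
]
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?scontext=(?P<sctx>\S+)'
                    r'\s+tcontext=(?P<tctx>\S+)\s+tclass=(?P<tclass>\S+)')

# Denials already covered by a policy boolean, as discussed in the thread (hypothetical table).
BOOLEAN_HINTS = {
    ('httpd_t', 'postgresql_port_t', 'tcp_socket', 'name_connect'): 'httpd_can_network_connect_db',
}

def parse_avc(line):
    """Return (source type, target type, class, permissions) from one AVC line, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    stype = m.group('sctx').split(':')[2]   # user:role:type:level -> type
    ttype = m.group('tctx').split(':')[2]
    return stype, ttype, m.group('tclass'), set(m.group('perms').split())

def suggest(lines):
    """Split denials into ones a boolean fixes and ones needing an explicit allow rule."""
    rules, booleans = {}, set()
    for parsed in filter(None, map(parse_avc, lines)):
        stype, ttype, tclass, perms = parsed
        for perm in perms:
            boolean = BOOLEAN_HINTS.get((stype, ttype, tclass, perm))
            if boolean:
                booleans.add(boolean)
            else:
                rules.setdefault((stype, ttype, tclass), set()).add(perm)
    return rules, booleans

def render_module(name, rules):
    """Render the rules as a minimal .te module, in the shape of the workaround above."""
    types = sorted({s for s, _, _ in rules} | {t for _, t, _ in rules})
    classes = {}
    for (_, _, tclass), perms in rules.items():
        classes.setdefault(tclass, set()).update(perms)
    out = [f'module {name} 1.0;', '', 'require {']
    out += [f'    class {c} {{ {" ".join(sorted(p))} }};' for c, p in sorted(classes.items())]
    out += [f'    type {t};' for t in types] + ['};', '']
    out += [f'allow {s} {t}:{c} {" ".join(sorted(p))};' for (s, t, c), p in sorted(rules.items())]
    return '\n'.join(out) + '\n'
```

Running `render_module('httpd_postgresql', suggest(AVC_LINES)[0])` yields the same allow rule as the workaround, while the tcp denial is reported as fixable with `setsebool -P httpd_can_network_connect_db 1` rather than a new rule.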
Fixed in selinux-policy-2.2.32-1.FC5.
Closing. This has been fixed.