Bug 186364 - Apache cannot connect to PostgreSQL via Unix domain socket
Summary: Apache cannot connect to PostgreSQL via Unix domain socket
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 5
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: James Antill
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2006-03-23 06:35 UTC by Bojan Smojver
Modified: 2007-11-30 22:11 UTC (History)

Fixed In Version: 2.2.32-1.FC5
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2006-05-09 05:49:44 UTC
Type: ---
Embargoed:



Description Bojan Smojver 2006-03-23 06:35:15 UTC
Description of problem:
When running under SELinux, Apache cannot connect to the unix domain socket
PostgreSQL runs on. Audit log shows:

-----------------------------
type=AVC msg=audit(1143093783.650:30266): avc:  denied  { write } for  pid=29561
comm="httpd" name=".s.PGSQL.5432" dev=dm-0 ino=192011
scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:postgresql_tmp_t:s0
tclass=sock_file
type=SYSCALL msg=audit(1143093783.650:30266): arch=40000003 syscall=102
success=no exit=-13 a0=3 a1=bfd74d90 a2=e49374 a3=982ae50 items=1 pid=29561
auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48
comm="httpd" exe="/usr/sbin/httpd"
type=SOCKADDR msg=audit(1143093783.650:30266):
saddr=01002F746D702F2E732E504753514C2E35343332000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
type=SOCKETCALL msg=audit(1143093783.650:30266): nargs=3 a0=19 a1=9854df8 a2=6e
type=PATH msg=audit(1143093783.650:30266): item=0 flags=1  inode=192011
dev=fd:00 mode=0140777 ouid=26 ogid=26 rdev=00:00
-----------------------------

Audit to allow claims that this is needed:

-----------------------------
allow httpd_t postgresql_tmp_t:sock_file write;
-----------------------------


Version-Release number of selected component (if applicable):
2.2.25-2.fc5

How reproducible:
Always.

Steps to Reproduce:
1. Run PHP inside Apache and try to connect to PGSQL on unix socket.
  

Actual results:
Connection fails.

Expected results:
This should always work.

Additional info:
This is with the latest testing update and released targeted policy as well.

Comment 1 Toshio Kuratomi 2006-03-23 18:04:36 UTC
It can't connect via tcp/ip either:

type=AVC msg=audit(1143135487.766:3105): avc:  denied  { name_connect } for 
pid=23358 comm="httpd" dest=5432 scontext=user_u:system_r:httpd_t:s0
tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1143135487.766:3105): arch=40000003 syscall=102
success=no exit=-13 a0=3 a1=bf858aa0 a2=40d374 a3=a3a3d38 items=0 pid=23358
auid=1006 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48
comm="httpd" exe="/usr/sbin/httpd"
type=SOCKADDR msg=audit(1143135487.766:3105): saddr=020015387F0000010000000000000000
type=SOCKETCALL msg=audit(1143135487.766:3105): nargs=3 a0=13 a1=a3a3d58 a2=10
type=AVC msg=audit(1143135582.234:3106): avc:  denied  { name_connect } for 
pid=23362 comm="httpd" dest=5432 scontext=user_u:system_r:httpd_t:s0
tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket

Comment 2 Bojan Smojver 2006-03-23 21:25:26 UTC
In relation to comment #1, have you tried:

setsebool -P httpd_can_network_connect_db 1

or even

setsebool -P httpd_can_network_connect 1

Comment 3 Toshio Kuratomi 2006-03-23 22:21:09 UTC
Does not work with httpd_can_connect_db
Does work with httpd_can_network_connect

Hmm... wait:
 a php script: db.php works with either bool set.
 a cgi-script, user_u:object_r:httpd_sys_script_exec_t, works only with
httpd_can_network_connect

Guess I learned something today.

Comment 4 Daniel Walsh 2006-04-03 16:57:01 UTC
Bojan, a couple of questions:

Why is the postgresql sock file in /tmp instead of /var/run? If it was in
/var/run, would the domain socket have worked?

Fixed Toshio's problem in selinux-policy-2.2.29-2.fc5


Comment 5 Bojan Smojver 2006-04-03 19:25:01 UTC
I really don't know. Given this was an upgrade from FC4, I had to reload the
database from the dump file, so an initdb was done. At present, postmaster is
running like this:

/usr/bin/postmaster -p 5432 -D /var/lib/pgsql/data

In other words, whatever the defaults in /etc/init.d/postgresql are (this file
has not been changed - I ran rpm -V against it). The packages I have on are:

postgresql-libs-8.1.3-1
postgresql-8.1.3-1
postgresql-server-8.1.3-1

The manual for postmaster does say that by default the unix domain socket file
goes into /tmp, and this can be changed at compile time. Maybe this particular
binary wasn't built properly or something...

Comment 6 Bojan Smojver 2006-04-05 00:09:44 UTC
Just installed postgresql-server RPM from scratch on a different box. It most
definitely has the socket in the same place:

[root@itpi00 ~]# ls -l /tmp/.s.PGSQL.5432
srwxrwxrwx 1 postgres postgres 0 Apr  5 10:12 /tmp/.s.PGSQL.5432

Should it be in /var/run instead or something? Or should the policy be changed
to reflect postgresql-server package defaults?

Comment 7 Bojan Smojver 2006-04-10 22:14:16 UTC
Should I do some more testing or supply more data? I'm not sure where we left
this...

Comment 8 Bojan Smojver 2006-04-12 01:16:06 UTC
Same with 2.2.29-3.fc5.

Comment 9 Bojan Smojver 2006-04-12 01:49:08 UTC
Workaround:

-----------------------------------------------
module httpd_postgresql 1.0;

require {
        class sock_file write;

        type httpd_t;
        type postgresql_tmp_t;
};

allow httpd_t postgresql_tmp_t:sock_file write;
-----------------------------------------------
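
The description's "audit to allow" step, the name_connect denials in comment 1 and the workaround module in comment 9 are all instances of the same transformation: read the AVC records, take the type field of scontext and tcontext, and emit an allow rule per (source type, target type, object class) with the denied permissions merged. The following Python is an added example written for this page (it is not part of the bug report, audit2allow, or the Fedora policy); it embeds the AVC lines copied from this report, rewrapped onto single lines, as its sample input, and renders a .te module in the shape of comment 9. The function and variable names are the example's own.

```python
import re
from collections import defaultdict

# AVC records copied from this bug report (description and comment 1).
# In the report each record is wrapped across lines; here each is one line,
# which is how auditd writes them.
SOCK_FILE_DENIAL = (
    'type=AVC msg=audit(1143093783.650:30266): avc:  denied  { write } for  pid=29561 '
    'comm="httpd" name=".s.PGSQL.5432" dev=dm-0 ino=192011 '
    'scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:postgresql_tmp_t:s0 '
    'tclass=sock_file\n'
)
SAMPLE_AUDIT_LOG = SOCK_FILE_DENIAL + (
    'type=SYSCALL msg=audit(1143093783.650:30266): arch=40000003 syscall=102 '
    'success=no exit=-13 a0=3 a1=bfd74d90 a2=e49374 a3=982ae50 items=1 pid=29561 '
    'comm="httpd" exe="/usr/sbin/httpd"\n'
    'type=AVC msg=audit(1143135487.766:3105): avc:  denied  { name_connect } for  '
    'pid=23358 comm="httpd" dest=5432 scontext=user_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket\n'
    'type=AVC msg=audit(1143135582.234:3106): avc:  denied  { name_connect } for  '
    'pid=23362 comm="httpd" dest=5432 scontext=user_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket\n'
)

# Only AVC records carry the denial; SYSCALL/SOCKADDR/PATH records with the
# same serial are context and are skipped.
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Return the type field (user:role:type:level) of an SELinux context."""
    return ctx.split(":")[2]


def parse_denials(log_text):
    """Yield (source_type, target_type, tclass, permission) per denied permission."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        src = context_type(m.group("scontext"))
        tgt = context_type(m.group("tcontext"))
        for perm in m.group("perms").split():
            yield src, tgt, m.group("tclass"), perm


def _perm_set(perms):
    """Format a permission set the way policy sources write it."""
    text = " ".join(sorted(perms))
    return "{ " + text + " }" if len(perms) > 1 else text


def allow_rules(log_text):
    """Collapse denials into sorted allow rules, one per (src, tgt, class)."""
    grouped = defaultdict(set)
    for src, tgt, tclass, perm in parse_denials(log_text):
        grouped[(src, tgt, tclass)].add(perm)
    return [
        f"allow {src} {tgt}:{tclass} {_perm_set(perms)};"
        for (src, tgt, tclass), perms in sorted(grouped.items())
    ]


def policy_module(name, log_text):
    """Render a .te module: header, require block (classes then types), allow rules."""
    classes = defaultdict(set)
    types = set()
    for src, tgt, tclass, perm in parse_denials(log_text):
        classes[tclass].add(perm)
        types.update((src, tgt))
    lines = [f"module {name} 1.0;", "", "require {"]
    lines += [f"        class {c} {_perm_set(p)};" for c, p in sorted(classes.items())]
    lines.append("")
    lines += [f"        type {t};" for t in sorted(types)]
    lines += ["};", ""]
    lines += allow_rules(log_text)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(policy_module("httpd_postgresql", SAMPLE_AUDIT_LOG))
```

Fed only the sock_file record, policy_module reproduces comment 9 line for line; fed the whole sample it also emits the tcp_socket name_connect rule from comment 1. Two points for anyone applying this on a real system: a rule written this way grants the permission to every process in httpd_t, so where a boolean such as httpd_can_network_connect_db already exists it is the narrower fix, and a local module built from denials is a stopgap that should be dropped once the distribution policy (here selinux-policy-2.2.32-1.FC5) carries the rule.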

Comment 10 Daniel Walsh 2006-04-14 13:21:28 UTC
fixed in selinux-policy-2.2.32-1.FC5.

Comment 12 Bojan Smojver 2006-05-09 05:49:44 UTC
Closing. This has been fixed.

