Description of problem:
Httpd can no longer connect to PostgreSQL. I have a CGI script labeled with type httpd_script_exec_t. In the past, this was enough to let httpd connect to the PostgreSQL database (Fedora < 16). Right now, the labeling of the file is not enough. Here is some additional information:

# getsebool -a | grep httpd | grep " --> on"
httpd_builtin_scripting --> on
httpd_can_network_connect --> on
httpd_can_network_connect_db --> on
httpd_can_sendmail --> on
httpd_enable_cgi --> on
httpd_graceful_shutdown --> on

In addition to the above, the following test policies were loaded (the first one generated from audit2allow, the second one from bug #830764):

<<< policy local >>>

module local 1.0;

require {
    type httpd_sys_script_t;
    type postgresql_var_run_t;
    class dir search;
}

#============= httpd_sys_script_t ==============
#!!!! This avc is allowed in the current policy
allow httpd_sys_script_t postgresql_var_run_t:dir search;

<<< policy postgresql_httpd >>>

module httpd_postgresql 1.0;

require {
    class sock_file write;
    type httpd_t;
    type postgresql_tmp_t;
};

allow httpd_t postgresql_tmp_t:sock_file write;

Version-Release number of selected component (if applicable):
libmicrohttpd-0.9.22-1.fc18.x86_64
httpd-2.4.3-12.fc18.x86_64
httpd-tools-2.4.3-12.fc18.x86_64
postgresql-pgpool-II-devel-3.2.0-1.fc18.x86_64
postgresql-plruby-doc-0.5.3-7.fc18.x86_64
postgresql-pltcl-9.2.2-1.fc18.x86_64
postgresql-contrib-9.2.2-1.fc18.x86_64
postgresql-libs-9.2.2-1.fc18.x86_64
postgresql-dbi-link-2.0.0-8.fc18.noarch
postgresql-odbc-09.01.0200-1.fc18.x86_64
postgresql-devel-9.2.2-1.fc18.x86_64
postgresql-9.2.2-1.fc18.x86_64
postgresql-pgpool-II-3.2.0-1.fc18.x86_64
postgresql-plperl-9.2.2-1.fc18.x86_64
postgresql-server-9.2.2-1.fc18.x86_64
postgresql-plparrot-0.05-2.fc18.x86_64
postgresql-jdbc-9.2.1002-1.fc18.noarch
postgresql-table_log-0.4.4-12.fc18.x86_64
qt-postgresql-4.8.4-6.fc18.x86_64
postgresql-plpython-9.2.2-1.fc18.x86_64
postgresql-plruby-0.5.3-7.fc18.x86_64
postgresql_autodoc-1.40-2.fc14.noarch
postgresql-upgrade-9.2.2-1.fc18.x86_64
postgresql-pgpoolAdmin-3.1.1-2.fc18.noarch
postgresql-docs-9.2.2-1.fc18.x86_64
postgresql-pgpool-II-recovery-3.2.0-1.fc18.x86_64
postgresql-ip4r-1.05-4.fc18.x86_64
selinux-policy-devel-3.11.1-73.fc18.noarch
selinux-policy-3.11.1-73.fc18.noarch
selinux-policy-doc-3.11.1-73.fc18.noarch
selinux-policy-targeted-3.11.1-73.fc18.noarch

How reproducible:
Always

Steps to Reproduce:
1. Create a CGI script that connects to PostgreSQL (any will do)
2. Change its context to httpd_sys_script_exec_t
3. Access the script from outside

Actual results:
The following AVC messages are generated:

type=SYSCALL msg=audit(1360333256.583:31686): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=25fe8a0 a2=6e a3=7fffc346b2b0 items=0 ppid=27429 pid=30242 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 ses=4294967295 tty=(none) comm="rv.cgi" exe="/var/www/html/rv/ws/rv.cgi" subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
(not fixed)

type=AVC msg=audit(1360333256.583:31686): avc: denied { search } for pid=30242 comm="rv.cgi" name="postgresql" dev="tmpfs" ino=15079 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:postgresql_var_run_t:s0 tclass=dir
(fixed with the local policy)

Expected results:
No AVC messages; the script should be allowed to connect to the database after all of the above setup.

Additional info:
I think this is an SELinux policy problem, since changing the script type to httpd_unconfined_script_exec_t did fix the problem.
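An added triage helper, not code from this report or from the selinux-policy project: it maps an AVC denial line such as the one quoted above to the allow rule audit2allow would generate for it, and, where setools' sesearch is installed, asks the loaded policy whether that access is already granted (the situation the "This avc is allowed in the current policy" comment above describes). Function names are my own; the sample line is a constructed copy of the report's denial.

```shell
#!/bin/sh
# Constructed sample input: the AVC denial quoted in the report above.
SAMPLE_AVC='type=AVC msg=audit(1360333256.583:31686): avc: denied { search } for pid=30242 comm="rv.cgi" name="postgresql" dev="tmpfs" ino=15079 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:postgresql_var_run_t:s0 tclass=dir'

# Type component (third field) of a context such as system_u:system_r:httpd_t:s0.
ctx_type() { printf '%s\n' "$1" | cut -d: -f3; }

# Value of one key=value field in an audit record ("" if absent).
avc_field() { printf '%s\n' "$2" | sed -n "s/.*$1=\([^ ]*\).*/\1/p"; }

# Convert one AVC denial into the allow rule audit2allow would emit for it:
#   allow <source type> <target type>:<class> <perm | { perms }>;
# Returns 1 when the line is not a parsable denial (e.g. a SYSCALL record).
avc_to_allow_rule() {
    perms=$(printf '%s\n' "$1" | sed -n 's/.*denied *{\([^}]*\)}.*/\1/p' | tr -s ' ')
    perms=${perms# }; perms=${perms% }
    stype=$(ctx_type "$(avc_field scontext "$1")")
    ttype=$(ctx_type "$(avc_field tcontext "$1")")
    tclass=$(avc_field tclass "$1")
    [ -n "$perms" ] && [ -n "$stype" ] && [ -n "$ttype" ] && [ -n "$tclass" ] || return 1
    case $perms in *' '*) perms="{ $perms }" ;; esac
    printf 'allow %s %s:%s %s;\n' "$stype" "$ttype" "$tclass" "$perms"
}

# Ask the loaded policy (setools' sesearch) whether the access is already allowed.
# 0 = allowed, 1 = not allowed, 2 = sesearch not installed. A denial whose rule
# IS present usually means the rule is gated by a boolean that is off, or that
# a file or socket carries a type other than the one the policy expects.
policy_allows() {
    command -v sesearch >/dev/null 2>&1 || return 2
    sesearch -A -s "$1" -t "$2" -c "$3" -p "$4" 2>/dev/null | grep -q 'allow'
}

# Walk an audit log: print the distinct rules its denials map to, annotated with
# the sesearch verdict per permission when that tool is available.
triage_avc_log() {
    grep 'avc: *denied' "$1" | while IFS= read -r line; do
        rule=$(avc_to_allow_rule "$line") || continue
        set -- $(printf '%s\n' "$rule" | sed 's/^allow //; s/:/ /; s/;$//; s/[{}]//g')
        s=$1; t=$2; c=$3; shift 3
        verdict=""
        for p in "$@"; do
            rc=0; policy_allows "$s" "$t" "$c" "$p" || rc=$?
            case $rc in 0) verdict="$verdict $p:allowed" ;; 1) verdict="$verdict $p:missing" ;; esac
        done
        printf '%s%s\n' "$rule" "${verdict:+  #$verdict}"
    done | sort -u
}
```

Run it as `triage_avc_log /var/log/audit/audit.log` on the affected host; a rule reported as allowed while the denial persists points at a boolean or a mislabeled object rather than a missing rule.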
The httpd_selinux man page implies that the httpd_can_network_connect_db boolean should enable database access from CGI scripts; a policy bug?
Yes, it looks so. It should work.
a87c91b29ca422b6fe0465f85fb03fbb0a93bd8d fixes this in Rawhide.
How can I test this? I think this is a problem with the Postgres socket connection. I am not completely sure, though, and I don't know how can I debug this. Please tell me if any additional information is needed.
Backported to F18. A new F18 build is coming these days.
selinux-policy-3.11.1-82.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-82.fc18
Package selinux-policy-3.11.1-82.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-82.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-3309/selinux-policy-3.11.1-82.fc18
then log in and leave karma (feedback).
selinux-policy-3.11.1-82.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
Problem fixed. Thank you for the prompt reaction.