Clodoaldo Pinto wrote:
> 2006/7/4, Paul Howarth <paul@city-fan.org>:
>> On Mon, 2006-07-03 at 18:35 -0300, Clodoaldo Pinto wrote:
>> > FC5 SELinux prevents php from connecting to postgresql.
>> >
>> > I had a hard time trying to figure out why I could not connect from
>> > php to postgres locally in a new and patched FC5 box, although I could
>> > connect to that same postgres server and with the same user from
>> > another box (FC3).
>> >
>> > >From /var/log/messages:
>> >
>> > kernel: audit(1151945653.900:39): avc: denied { name_connect } for
>> > pid=17167 comm="httpd" dest=5432 scontext=user_u:system_r:httpd_t:s0
>> > tcontext=system_u:object_r
ostgresql_port_t:s0 tclass=tcp_socket
>>
>> Try:
>> # setsebool -P httpd_can_network_connect_db 1
>
> Thank you Paul. I had already solved it when I posted using the
> instructions here:
> http://fedora.redhat.com/docs/selinu...fc5/#id2961385
That's a general technique applicable to just about all SELinux issues.
Some of the more common ones, such as connecting to databases over the
network, can be addressed by setting booleans as it's already catered
for in the policy.
> Your suggestion seems much simpler. Is it permanent?
Yes, the "-P" option is for a permanent change.
> Where can a SEBolls list be found?
Some are documented in the manpage "httpd_selinux". You can get a full
list using:
# getsebool -a
> I just posted this to alert others who could fall in the same problem.
> BTW, why is httpd prevented to connect to postgres (the only db I
> tested until now) as default? Is it a bug?
No, it's not a bug. The default SELinux policy locks down the web server
to allow just basic operation, with additional features (such as
scripting, making outgoing network connections, connecting to databases
etc.) being enabled by setting booleans. This is just good security
practice.
Paul.
--
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe:
https://www.redhat.com/mailman/listinfo/fedora-list
Linear Mode
