FedoraForum.org - Fedora Support Forums and Community
  1. #1
    Join Date
    Oct 2017
    Location
    alaska
    Posts
    32

    Apache mod_php connection to PostgreSQL external database

    I am using Fedora's apache httpd, and I have the following packages installed.

    Code:
    [root@miel ~]# dnf list installed |  egrep "(apache|httpd|php|pdo|postgresql)"
    fedora-logos-httpd.noarch               26.0.1-1.fc26                  @fedora  
    httpd.x86_64                            2.4.29-1.fc26                  @updates 
    httpd-filesystem.noarch                 2.4.29-1.fc26                  @updates 
    httpd-tools.x86_64                      2.4.29-1.fc26                  @updates 
    php.x86_64                              7.1.11-1.fc26                  @updates 
    php-ZendFramework.noarch                1.12.20-2.fc26                 @fedora  
    php-ZendFramework-Db-Adapter-Pdo.noarch 1.12.20-2.fc26                 @fedora  
    php-ZendFramework-Db-Adapter-Pdo-Pgsql.noarch
    php-bcmath.x86_64                       7.1.11-1.fc26                  @updates 
    php-cli.x86_64                          7.1.11-1.fc26                  @updates 
    php-common.x86_64                       7.1.11-1.fc26                  @updates 
    php-json.x86_64                         7.1.11-1.fc26                  @updates 
    php-pdo.x86_64                          7.1.11-1.fc26                  @updates 
    php-pgsql.x86_64                        7.1.11-1.fc26                  @updates 
    php-process.x86_64                      7.1.11-1.fc26                  @updates 
    php-xml.x86_64                          7.1.11-1.fc26                  @updates 
    postgresql.x86_64                       9.6.5-1.fc26                   @updates 
    postgresql-libs.x86_64                  9.6.5-1.fc26                   @updates 
    python2-certbot-apache.noarch           0.19.0-1.fc26                  @updates 
    [root@miel ~]#
    There ought to be two options to connect to an external PostgreSQL database from a PHP script on this web server, but they are silently failing, with no output and no information for debugging in the web logs. I have used tcpdump and verified that no connection is being attempted from the web server to the database server. In the PDO case the connection fails with a 500 error, which does not even show up in /var/log/httpd/access_log.


    http://php.net/manual/en/ref.pdo-pgsql.connection.php
    Code:
    <?php
    // pdo_pgsql hands the DSN to libpq, whose keyword is "user", not "username"
    $dbh = new PDO('pgsql:
         user=my_username;
         password=my_secret;
         host=mydatabase.example.org;
         sslmode=verify-full; ...'); // I actually need this option ...
    or
    http://php.net/manual/en/function.pg-connect.php
    Code:
    <?php
    // libpq connection strings are whitespace-separated key=value pairs, not ';'
    $dbconn = pg_connect('user=my_username
         password=my_secret
         host=mydatabase.example.org
         sslmode=verify-full ...'); // I actually need this option ...
    I suspect an SELinux security issue because the following is suggested
    https://dwalsh.fedorapeople.org/SELi...d_selinux.html
    Code:
    setsebool -P httpd_can_network_connect_db 1
    setsebool -P httpd_can_network_connect 1
    ...
    Obviously there is more going on here than what is obvious at first glance.

    #1.) How can I get more useful information in the logs on this?

    #2.) Where is the official rather than personal documentation on Fedora's SELinux mandatory access control policy for httpd?

  2. #2

    Re: Apache mod_php connection to PostgreSQL external database

    It gets worse and worse. I kid you not.

    silent denials: https://access.redhat.com/documentat...silent_denials

    "In certain situations, AVC denials may not be logged when SELinux denies access. Applications and system library functions often probe for more access than required to perform their tasks. To maintain least privilege without filling audit logs with AVC denials for harmless application probing, the policy can silence AVC denials without allowing a permission by using dontaudit rules. These rules are common in standard policy. The downside of dontaudit is that, although SELinux denies access, denial messages are not logged, making troubleshooting more difficult."

    That aggressive, arrogant, 5E><-offender WONTFIX language. Then they suggest "temporarily"

    Code:
    ~]# semodule -DB
    Man, dude, bro, better read the "man" page before fooling around with this $#!+

  3. #3

    Re: Apache mod_php connection to PostgreSQL external database

    The exact denial message.

    Code:
    type=AVC msg=audit(1510252592.585:5535): avc:  denied  { net_admin } for  pid=8858 comm="httpd" capability=12  scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=0
    Why does apache httpd mod_php need CAP_NET_ADMIN to connect to an external PostgreSQL database?

    https://linux.die.net/man/7/capabilities

    Either httpd is asking for too much privilege or someone has locked down CAP_NET_ADMIN too tightly.
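    Added example, not from this thread or from any poster: a shell script that decodes an AVC capability denial of the shape quoted above (record constructed here from that denial) and prints the checks a root admin would run next; the cap_name table is a subset of capabilities(7), and the boolean names are the two from post #1.

```shell
#!/bin/bash
# Added example (not from the thread): decode an SELinux AVC capability
# denial for httpd and print the checks an admin would run next.

# Constructed sample record, same shape as the denial quoted in post #3.
SAMPLE='type=AVC msg=audit(1510252592.585:5535): avc:  denied  { net_admin } for  pid=8858 comm="httpd" capability=12  scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=0'

# Capability number -> CAP_* name; a subset of capabilities(7).
cap_name() {
  case "$1" in
    10) echo CAP_NET_BIND_SERVICE ;;
    12) echo CAP_NET_ADMIN ;;
    13) echo CAP_NET_RAW ;;
    21) echo CAP_SYS_ADMIN ;;
    *)  echo "CAP_UNKNOWN($1)" ;;
  esac
}

# Pull one key=value field out of an AVC record; the value may be quoted.
avc_field() {  # $1 = record, $2 = key
  printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\).*/\1/p"
}

# One-line summary: comm, source type, class, permission, CAP name, mode.
avc_summary() {
  local rec="$1" perm cap
  perm=$(printf '%s\n' "$rec" | sed -n 's/.*denied  *{ *\([^ }]*\).*/\1/p')
  cap=$(avc_field "$rec" capability)
  printf '%s %s %s %s %s permissive=%s\n' \
    "$(avc_field "$rec" comm)" \
    "$(avc_field "$rec" scontext | cut -d: -f3)" \
    "$(avc_field "$rec" tclass)" "$perm" \
    "$(cap_name "${cap:-none}")" "$(avc_field "$rec" permissive)"
}

# Commands to run as root on the web server (printed, not executed here):
# semodule -DB makes dontaudit-suppressed denials visible, -B restores them.
next_steps() {
  cat <<'EOF'
getsebool httpd_can_network_connect_db httpd_can_network_connect
semodule -DB                       # show denials hidden by dontaudit
ausearch -m AVC -c httpd -ts boot  # list httpd denials since last boot
semodule -B                        # put the dontaudit rules back
EOF
}

avc_summary "$SAMPLE"
```

    Running it prints `httpd httpd_t capability net_admin CAP_NET_ADMIN permissive=0`, i.e. the domain, object class and capability that a policy change or boolean would have to cover.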

  4. #4

    Re: Apache mod_php connection to PostgreSQL external database

    There are reasons, of course, to be very cautious about allowing web scripts to connect to external databases or other hosts for any reason at all, but the undocumented and unlogged SELinux denials are simply a denial of service, and do not really help with security.

    Meanwhile I have nginx running on the same server as my database, and I ought to be able to run php on nginx and connect to the database, and as far as the apache httpd goes, one workaround for my personal case may be to run another instance of PostgreSQL on the same server as my apache installation and configure some bi-di replication to the main database.

    Another workaround would be to use something like "stunnel" to forward a unix socket over an ssl-encrypted tunnel from the web server host to the postgresql database socket on the db server.

    All the same, I feel that the fiat assumption that the database server is running on the same machine as the web server is simply too strict, and I would like to minimize the amount of strange plumbing to connect to a database on a nearby server in that same network.

  5. #5

    Re: Apache mod_php connection to PostgreSQL external database

    Root issue, somehow got edited away from the thread title, still UNSOLVED.

    Apache mod_php refuses OR IS NOT ALLOWED to connect to an external PostgreSQL database.
