postgresql with httpd and dotclear

Kohei KaiGai kaigai at ak.jp.nec.com
Wed Feb 6 01:02:03 UTC 2008


KH KH wrote:
> 2008/2/5, KaiGai Kohei <kaigai at ak.jp.nec.com>:
>> Nicolas Chauvet wrote:
>>> Hello !
>>>
>>> I try to use apache and postgresql with the dotclear blog engine.
>>> When I try to enter the database information from the admin config
>>> wizard within the browser,  have a selinux denial :
>>>
>>> audit(1202182131.382:34): avc:  denied  { name_connect } for  pid=2604
>>> comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0
>>> tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
>>>
>>> [root at haderach ~]# ls -Z /home/www/
>>> drwxr-xr-x  root root system_u:object_r:httpd_sys_content_t:s0 dotclear
>>>
>>> [root at haderach ~]# rpm -q sepostgresql
>>> sepostgresql-8.2.6-1.158.fc8
>>> selinux-policy-3.0.8-81.fc8
>>> selinux-policy-targeted-3.0.8-81.fc8
>>>
>>> [root at haderach data]# semodule -l |grep postgre
>>> sepostgresql    1.158
>> Can the following command help you?
>>
>> # setsebool -P httpd_can_network_connect_db=1
>>
> It does: the error disappeared, but I have another:
> from /var/log/sepostgresql.log
> FATAL:  sepgsql_system_getpeercon(734): 'user_u:user_r:user_t' is not
> a valid context

I guess you are trying to connect to SE-PostgreSQL running on another host without
any labeled networking configuration.
SE-PostgreSQL applies a fallback security context when it cannot
obtain the peer's context. 'user_u:user_r:user_t' is the default fallback
context.

Please confirm whether mcstransd is running or not.
If it is not running, please start it.

> I have also noticed an error in the same log file:
> LOG:  could not open directory "/usr/share/sepgsql/timezone": File or
> directory doens't exist
> Where I've made a ln -s timezoneset /usr/share/sepgsql/timezone.

It seems to me a packaging error. I'll fix it soon.

> About phpPgAdmin: now I can connect, but I have this all the time:
> --------------
> ERROR:  SELinux: denied { set_param }
> scontext=system_u:system_r:httpd_t:s0
> tcontext=system_u:object_r:sepgsql_db_t:s0 tclass=db_database
> name=dotclear
> STATEMENT:  set datestyle='ISO'
> --------------

The default security policy for SE-PostgreSQL does not allow non-administrative
users to execute "SET ..." statements.
However, it might not be an appropriate policy. I'll update this part of the
policy in the next update. Please wait for a few days.

> Seems related to the command used to set the passwd ?!
> psql -d dotclear -c "alter user dotclear with password 'my_passwd'"
> I have used that previously from a wiki, without noticing well what
> template1 means:
> psql -d template1 -c "alter user dotclear with password 'my_passwd'"
> and the same error sometimes appears with template1 instead of dotclear

Is it really the same error?
tuple:{update} on sepgsql_sysobj_t should be evaluated with an ALTER USER statement.

If you want non-administrative users to execute the statement,
the "sepgsql_enable_users_ddl" boolean should be turned on.

Thanks,

>>> On the other hand, when I try to use phpPgAdmin, it works. But I need to
>>> change /var/lib/pgsql/data/pg_hba.conf from ident sameuser to
>>> md5 (tried the same for dotclear without success).
> Was /var/lib/sepgsql/data/pg_hba.conf from the above

-- 
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai at ak.jp.nec.com>
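The thread quotes two different kinds of denial: a kernel AVC line from the audit log (httpd_t connecting to postgresql_port_t) and an SE-PostgreSQL "ERROR: SELinux: denied" line from sepostgresql.log (db_database set_param). The following script is an added example, not code from the thread or from the SE-PostgreSQL project: it parses both formats into their scontext/tcontext/tclass/permission fields, distinguishes kernel denials from SE-PostgreSQL ones by the tclass prefix, and suggests the only boolean the thread itself names (httpd_can_network_connect_db) for the httpd_t to postgresql_port_t name_connect case. The sample lines are constructed from the thread's quoted output; the mapping table is an assumption limited to what the thread supports.

```python
"""Triage SELinux denials seen while wiring httpd to SE-PostgreSQL.

Added example (not from the mailing-list thread). It recognises the two
denial formats quoted in the thread and suggests the boolean the thread
names for the httpd -> postgresql_port_t case. Any other denial is
reported with no suggestion, since the thread names no boolean for it.
"""
import re

# Constructed sample input, copied from the thread's quoted log output,
# plus one non-denial line that must be ignored.
SAMPLE_LINES = [
    'audit(1202182131.382:34): avc:  denied  { name_connect } for  pid=2604 '
    'comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket',
    'ERROR:  SELinux: denied { set_param } scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:sepgsql_db_t:s0 tclass=db_database name=dotclear',
    'LOG:  database system is ready',
]

# Common core of both formats: denied { perms } ... scontext= tcontext= tclass=
DENIAL_RE = re.compile(
    r'denied\s*\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)
# Optional key=value fields (pid=, comm="httpd", dest=, name=) on either line.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# (source type, target type, tclass, permission) -> boolean named in the thread.
# Assumption: this table holds only the single case the thread resolves.
KNOWN_BOOLEANS = {
    ('httpd_t', 'postgresql_port_t', 'tcp_socket', 'name_connect'):
        'httpd_can_network_connect_db',
}


def context_type(ctx):
    """Return the type component of a user:role:type[:level] context."""
    parts = ctx.split(':')
    return parts[2] if len(parts) >= 3 else None


def parse_denial(line):
    """Parse one log line; return a dict of fields, or None if not a denial."""
    m = DENIAL_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    tclass = m.group('tclass')
    return {
        # db_* object classes are enforced by SE-PostgreSQL, not the kernel
        'source': 'sepgsql' if tclass.startswith('db_') else 'kernel',
        'perms': m.group('perms').split(),
        'stype': context_type(m.group('scontext')),
        'ttype': context_type(m.group('tcontext')),
        'tclass': tclass,
        'comm': fields.get('comm'),
        'dest': fields.get('dest'),
        'name': fields.get('name'),
    }


def suggest(denial):
    """Return the boolean the thread names for this denial, or None."""
    for perm in denial['perms']:
        key = (denial['stype'], denial['ttype'], denial['tclass'], perm)
        if key in KNOWN_BOOLEANS:
            return KNOWN_BOOLEANS[key]
    return None


def triage(lines):
    """Parse every denial in lines; return a list of (denial, suggestion)."""
    results = []
    for line in lines:
        denial = parse_denial(line)
        if denial is not None:
            results.append((denial, suggest(denial)))
    return results


if __name__ == '__main__':
    for denial, boolean in triage(SAMPLE_LINES):
        origin = 'kernel AVC' if denial['source'] == 'kernel' else 'SE-PostgreSQL'
        print(f"[{origin}] {denial['stype']} -> {denial['ttype']} "
              f"({denial['tclass']}: {' '.join(denial['perms'])})")
        if boolean:
            print(f"    candidate fix named in the thread: setsebool -P {boolean}=1")
        else:
            print("    no boolean named in the thread; this is an SE-PostgreSQL policy matter")
```

Run it as-is to see both denials classified; to use it on real logs, feed lines from /var/log/audit/audit.log and /var/log/sepostgresql.log into triage(). Only the kernel-side connect denial maps to a boolean here; the db_database set_param denial is reported without a fix, matching the thread's statement that it is a policy issue in SE-PostgreSQL itself.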