postgresql with httpd and dotclear

KH KH kwizart at gmail.com
Wed Feb 6 12:23:56 UTC 2008


2008/2/6, Kohei KaiGai <kaigai at ak.jp.nec.com>:
> KH KH wrote:
> > 2008/2/5, KaiGai Kohei <kaigai at ak.jp.nec.com>:
> >> Nicolas Chauvet wrote:
> >>> Hello !
> >>>
> >>> I am trying to use apache and postgresql with the dotclear blog engine.
> >>> When I try to enter the database information from the admin config
> >>> wizard within the browser, I have an SELinux denial:
> >>>
> >>> audit(1202182131.382:34): avc:  denied  { name_connect } for  pid=2604
> >>> comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0
> >>> tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
> >>>
> >>> [root at haderach ~]# ls -Z /home/www/
> >>> drwxr-xr-x  root root system_u:object_r:httpd_sys_content_t:s0 dotclear
> >>>
> >>> [root at haderach ~]# rpm -q sepostgresql
> >>> sepostgresql-8.2.6-1.158.fc8
> >>> selinux-policy-3.0.8-81.fc8
> >>> selinux-policy-targeted-3.0.8-81.fc8
> >>>
> >>> [root at haderach data]# semodule -l |grep postgre
> >>> sepostgresql    1.158
> >> Can the following command help you?
> >>
> >> # setsebool -P httpd_can_network_connect_db=1
> >>
> > It does: the error disappeared, but I have another:
> > from /var/log/sepostgresql.log
> > FATAL:  sepgsql_system_getpeercon(734): 'user_u:user_r:user_t' is not
> > a valid context
>
> I guess you are trying to connect to SE-PostgreSQL running on another host without
> any labeled networking configuration.
> SE-PostgreSQL tries to apply a fallback security context when it cannot
> obtain the peer's context. 'user_u:user_r:user_t' is the default fallback
> context.
>
> Please confirm whether mcstransd is running, or not.
> If not running, please start it.
mcstransd installed and started; this solved many problems.
Actually I'm running SE-PostgreSQL on my server host with phpPgAdmin
on the same host but browsed from my workstation.

Now I can enter the database parameters and set up my blog engine, thanks.
Some SELinux denials remain with sendmail (dotclear wants to send a
mail to the admin of the blog engine) and with phpPgAdmin.

SELinux denials with sendmail:
-------------------
audit(1202299741.450:42): avc:  denied  { search } for  pid=12667
comm="sendmail" name="mail" dev=sda6 ino=1573785
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:etc_mail_t:s0 tclass=dir
audit(1202299741.450:43): avc:  denied  { search } for  pid=12667
comm="sendmail" name="mail" dev=sda6 ino=1573785
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:etc_mail_t:s0 tclass=dir
audit(1202299741.451:44): avc:  denied  { getattr } for  pid=12667
comm="sendmail" path="/etc/mail" dev=sda6 ino=1573785
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:etc_mail_t:s0 tclass=dir
-------------------

> > I have also noticed an error in the same log file:
> > LOG:  could not open directory "/usr/share/sepgsql/timezone": File or
> > directory doesn't exist
> > So I've made a ln -s timezoneset /usr/share/sepgsql/timezone.
>
> It seems to me a packaging error. I'll fix it soon.
>
> > About phpPgAdmin: now i can connect but i have this all the time:
> > --------------
> > ERROR:  SELinux: denied { set_param }
> > scontext=system_u:system_r:httpd_t:s0
> > tcontext=system_u:object_r:sepgsql_db_t:s0 tclass=db_database
> > name=dotclear
> > STATEMENT:  set datestyle='ISO'
> > --------------
>
> The default security policy for SE-PostgreSQL does not allow non-administrative
> users to execute "SET ..." statements.
> However, it might not be an appropriate policy. I'll update this part of the
> policy in the next update. Please wait a few days.
>
> > Seems related to the command used to set the password?!
> > psql -d dotclear -c "alter user dotclear with password 'my_passwd'"
> > I had used that previously from a wiki, without really understanding what
> > template1 means:
> > psql -d template1 -c "alter user dotclear with password 'my_passwd'"
> > and the same error sometimes appears with template1 instead of dotclear.
>
> Are they really the same errors?
This error also appears all the time with phpPgAdmin but with a
different name={dotclear,template1}. The second one appears when I
want to delete an unused database:
-------------------------
SQL error:

ERROR:  SELinux: denied { set_param }
scontext=system_u:system_r:httpd_t
tcontext=system_u:object_r:sepgsql_db_t tclass=db_database
name=template1

In the statement:
set datestyle='ISO'
-------------------------
SQL error:

ERROR:  SELinux: denied { drop } scontext=system_u:system_r:httpd_t
tcontext=system_u:object_r:sepgsql_db_t tclass=db_database
name=postgres

In the statement:
DROP DATABASE "postgres"
--------------------------
> tuple:{update} on sepgsql_sysobj_t should be evaluated with the ALTER USER statement.
>
> If you want non-administrative users to execute the statement,
> "sepgsql_enable_users_ddl" boolean should be turned on.
I have turned this on also; actually, even connected as the sepgsql user it
shows the error.

Thanks for your help!

Nicolas (kwizart)
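Added example, not part of the thread above and not code from the SE-PostgreSQL project: a small parser for the two kinds of denial this thread mixes, kernel AVC records (the httpd -> postgresql_port_t and sendmail -> etc_mail_t lines) and SE-PostgreSQL's own "ERROR:  SELinux: denied" lines from sepostgresql.log. It re-joins records that a mail client wrapped, merges them into audit2allow-style allow rules so the reader can see what loading a custom module would grant, and flags the one denial the thread actually resolves with a distribution boolean (httpd_can_network_connect_db). The sample log is a constructed copy of the denials quoted above; KNOWN_BOOLEANS and every function name are my own, and the boolean table deliberately lists only the mapping the thread confirms.

```python
"""Parse SELinux denials pasted from a mail (kernel AVC records and
SE-PostgreSQL "ERROR:  SELinux: denied" lines), merge them into
audit2allow-style allow rules, and flag denials a known boolean fixes."""

import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: the denials quoted in the thread, kept with the line
# wrapping the mail client applied so the parser has to re-join them.
SAMPLE_LOG = """\
audit(1202182131.382:34): avc:  denied  { name_connect } for  pid=2604
comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
audit(1202299741.450:42): avc:  denied  { search } for  pid=12667
comm="sendmail" name="mail" dev=sda6 ino=1573785
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:etc_mail_t:s0 tclass=dir
audit(1202299741.450:43): avc:  denied  { search } for  pid=12667
comm="sendmail" name="mail" dev=sda6 ino=1573785
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:etc_mail_t:s0 tclass=dir
audit(1202299741.451:44): avc:  denied  { getattr } for  pid=12667
comm="sendmail" path="/etc/mail" dev=sda6 ino=1573785
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:etc_mail_t:s0 tclass=dir
ERROR:  SELinux: denied { set_param }
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:sepgsql_db_t:s0 tclass=db_database
name=dotclear
ERROR:  SELinux: denied { drop } scontext=system_u:system_r:httpd_t
tcontext=system_u:object_r:sepgsql_db_t tclass=db_database
name=postgres
"""

# A record starts with a kernel audit prefix or an SE-PostgreSQL error prefix;
# any other line is a wrapped continuation of the previous record.
RECORD_START = re.compile(r"^(audit\(|type=AVC|ERROR:)")
DENIAL_RE = re.compile(
    r"denied\s*\{\s*(?P<perms>[^}]+?)\s*\}"      # { perm [perm ...] }
    r".*?scontext=(?P<scontext>\S+)"
    r".*?tcontext=(?P<tcontext>\S+)"
    r".*?tclass=(?P<tclass>\S+)"
)

# Booleans the thread above confirms as the fix for a given denial (hypothetical
# table name). Prefer flipping a distribution boolean over loading an
# audit2allow module: the boolean keeps the rest of httpd_t confined.
KNOWN_BOOLEANS = {
    ("httpd_t", "postgresql_port_t", "tcp_socket", "name_connect"):
        "setsebool -P httpd_can_network_connect_db=1",
}


def type_of(context: str) -> str:
    """user:role:type[:level] -> type; works with or without the MCS level."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError("not a security context: %r" % context)
    return parts[2]


@dataclass(frozen=True)
class Denial:
    source: str                 # "kernel" (AVC record) or "sepgsql"
    perms: Tuple[str, ...]
    scontext: str
    tcontext: str
    tclass: str
    raw: str                    # the re-joined record, for reporting

    def key(self) -> Tuple[str, str, str]:
        return (type_of(self.scontext), type_of(self.tcontext), self.tclass)


def join_wrapped(text: str) -> List[str]:
    records: List[str] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def parse_denials(text: str) -> List[Denial]:
    out = []
    for rec in join_wrapped(text):
        m = DENIAL_RE.search(rec)
        if not m:
            continue    # e.g. a LOG: line; skip rather than guess
        out.append(Denial(
            source="sepgsql" if rec.startswith("ERROR:") else "kernel",
            perms=tuple(m.group("perms").split()),
            scontext=m.group("scontext"), tcontext=m.group("tcontext"),
            tclass=m.group("tclass"), raw=rec))
    return out


def allow_rules(denials: List[Denial]) -> Dict[Tuple[str, str, str], Tuple[str, ...]]:
    """Merge like audit2allow: one rule per (source type, target type, class)
    carrying the union of denied permissions."""
    merged: Dict[Tuple[str, str, str], set] = defaultdict(set)
    for d in denials:
        merged[d.key()].update(d.perms)
    return {k: tuple(sorted(v)) for k, v in merged.items()}


def format_rule(key: Tuple[str, str, str], perms: Tuple[str, ...]) -> str:
    body = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
    return "allow %s %s:%s %s;" % (key[0], key[1], key[2], body)


def suggest(d: Denial) -> Optional[str]:
    for perm in d.perms:
        hit = KNOWN_BOOLEANS.get(d.key() + (perm,))
        if hit:
            return hit
    return None


def report(text: str) -> List[str]:
    denials = parse_denials(text)
    lines = [format_rule(k, p) for k, p in allow_rules(denials).items()]
    for d in denials:
        if d.source == "sepgsql":
            note = "# %s is an SE-PostgreSQL class, enforced by sepgsql, not the kernel" % d.tclass
        else:
            note = "# %s -> %s" % (format_rule(d.key(), d.perms), suggest(d) or "no boolean known")
        if note not in lines:
            lines.append(note)
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

The merged rule for etc_mail_t (`allow httpd_t etc_mail_t:dir { getattr search };`) is what audit2allow would hand back for the sendmail denials; the point of the report is that only the postgresql_port_t denial has a confirmed boolean, so the others still need a policy decision rather than a blind allow.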




More information about the fedora-selinux-list mailing list