postgresql with httpd and dotclear

Daniel J Walsh dwalsh at redhat.com
Wed Feb 6 15:26:59 UTC 2008



KH KH wrote:
> 2008/2/6, Kohei KaiGai <kaigai at ak.jp.nec.com>:
>> KH KH wrote:
>>> 2008/2/5, KaiGai Kohei <kaigai at ak.jp.nec.com>:
>>>> Nicolas Chauvet wrote:
>>>>> Hello !
>>>>>
>>>>> I try to use apache and postgresql with the dotclear blog engine.
>>>>> When I try to enter the database information from the admin config
>>>>> wizard within the browser, I have a SELinux denial:
>>>>>
>>>>> audit(1202182131.382:34): avc:  denied  { name_connect } for  pid=2604
>>>>> comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0
>>>>> tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
>>>>>
>>>>> [root at haderach ~]# ls -Z /home/www/
>>>>> drwxr-xr-x  root root system_u:object_r:httpd_sys_content_t:s0 dotclear
>>>>>
>>>>> [root at haderach ~]# rpm -q sepostgresql
>>>>> sepostgresql-8.2.6-1.158.fc8
>>>>> selinux-policy-3.0.8-81.fc8
>>>>> selinux-policy-targeted-3.0.8-81.fc8
>>>>>
>>>>> [root at haderach data]# semodule -l |grep postgre
>>>>> sepostgresql    1.158
>>>> Can the following command help you?
>>>>
>>>> # setsebool -P httpd_can_network_connect_db=1
>>>>
>>> It does: the error disappeared, but I have another:
>>> from /var/log/sepostgresql.log
>>> FATAL:  sepgsql_system_getpeercon(734): 'user_u:user_r:user_t' is not
>>> a valid context
>> I guess you are trying to connect to SE-PostgreSQL running on another host
>> without any labeled networking configuration.
>> SE-PostgreSQL tries to apply a fallback security context when it cannot
>> obtain the peer's context. 'user_u:user_r:user_t' is the default fallback
>> context.
>>
>> Please confirm whether mcstransd is running, or not.
>> If not running, please start it.
> mcstrans installed and started, this solved many problems.
> Actually I'm running SE-PostgreSQL on my server host with phpPgAdmin
> on the same host but browsed from my workstation.
> 
> Now I can enter the parameters from the database and set up my blog engine, thx.
> Some SELinux denials remain with sendmail (dotclear wants to send a
> mail to the admin of the blog engine) and with phpPgAdmin.
> 
> Selinux denials with sendmail:
> -------------------
> audit(1202299741.450:42): avc:  denied  { search } for  pid=12667
> comm="sendmail" name="mail" dev=sda6 ino=1573785
> scontext=system_u:system_r:httpd_t:s0
> tcontext=system_u:object_r:etc_mail_t:s0 tclass=dir
> audit(1202299741.450:43): avc:  denied  { search } for  pid=12667
> comm="sendmail" name="mail" dev=sda6 ino=1573785
> scontext=system_u:system_r:httpd_t:s0
> tcontext=system_u:object_r:etc_mail_t:s0 tclass=dir
> audit(1202299741.451:44): avc:  denied  { getattr } for  pid=12667
> comm="sendmail" path="/etc/mail" dev=sda6 ino=1573785
> scontext=system_u:system_r:httpd_t:s0
> tcontext=system_u:object_r:etc_mail_t:s0 tclass=dir
Turn on the httpd_can_sendmail boolean

> -------------------
> 
>>> I have also noticed an error in the same log file:
>>> LOG:  could not open directory "/usr/share/sepgsql/timezone": File or
>>> directory doesn't exist
>>> Where I've made a ln -s timezoneset /usr/share/sepgsql/timezone.
>> It seems to me a packaging error. I'll fix it soon.
>>
>>> About phpPgAdmin: now i can connect but i have this all the time:
>>> --------------
>>> ERROR:  SELinux: denied { set_param }
>>> scontext=system_u:system_r:httpd_t:s0
>>> tcontext=system_u:object_r:sepgsql_db_t:s0 tclass=db_database
>>> name=dotclear
>>> STATEMENT:  set datestyle='ISO'
>>> --------------
>> The default security policy for SE-PostgreSQL does not allow
>> non-administrative users to execute "SET ..." statements.
>> However, it might not be an appropriate policy. I'll update this part of
>> the policy in the next update. Please wait for some days.
>>
>>> Seems related to the command used to set the passwd ?!
>>> psql -d dotclear -c "alter user dotclear with password 'my_passwd'"
>>> I have used that previously from a wiki, without really noticing what
>>> template1 means:
>>> psql -d template1 -c "alter user dotclear with password 'my_passwd'"
>>> and the same error sometimes appears with template1 instead of dotclear
>> Is it really the same error?
> This error also appears all the time with phpPgAdmin but with a
> different name={dotclear,template1} . The second one appears when I
> want to delete an unused database:
> -------------------------
> Erreur SQL :
> 
> ERROR:  SELinux: denied { set_param }
> scontext=system_u:system_r:httpd_t
> tcontext=system_u:object_r:sepgsql_db_t tclass=db_database
> name=template1
> 
> Dans l'instruction :
> set datestyle='ISO'
> -------------------------
> Erreur SQL :
> 
> ERROR:  SELinux: denied { drop } scontext=system_u:system_r:httpd_t
> tcontext=system_u:object_r:sepgsql_db_t tclass=db_database
> name=postgres
> 
> Dans l'instruction :
> DROP DATABASE "postgres"
> --------------------------
>> tuple:{update} on sepgsql_sysobj_t should be evaluated with ALTER USER statement.
>>
>> If you want non-administrative users to execute the statement,
>> "sepgsql_enable_users_ddl" boolean should be turned on.
> I have turned this on also; actually, even connecting as the sepgsql user
> shows the error.
> 
> Thx for your help!
> 
> Nicolas (kwizart )
> 

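Added example, not part of the original thread: a small parser that groups the denials quoted above by source type, target type and object class, and attaches the boolean the replies suggested for each pair. The records are the thread's own, unwrapped to one per line; the two-entry boolean table and all function names are assumptions made for this illustration.

```python
import re

# The denials quoted in the thread, unwrapped to one record per line
# (mail wrapping removed; the last line is the SE-PostgreSQL userspace form).
SAMPLE_LOG = """\
audit(1202182131.382:34): avc:  denied  { name_connect } for  pid=2604 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
audit(1202299741.450:42): avc:  denied  { search } for  pid=12667 comm="sendmail" name="mail" dev=sda6 ino=1573785 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_mail_t:s0 tclass=dir
audit(1202299741.450:43): avc:  denied  { search } for  pid=12667 comm="sendmail" name="mail" dev=sda6 ino=1573785 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_mail_t:s0 tclass=dir
audit(1202299741.451:44): avc:  denied  { getattr } for  pid=12667 comm="sendmail" path="/etc/mail" dev=sda6 ino=1573785 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_mail_t:s0 tclass=dir
ERROR:  SELinux: denied { set_param } scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:sepgsql_db_t:s0 tclass=db_database name=dotclear
"""

DENIED_RE = re.compile(r'denied\s+\{\s*([^}]*?)\s*\}\s+(?:for\s+)?(.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Booleans named in the thread, keyed by (source type, target type).
# Illustrative two-entry table (an assumption), not a general policy lookup.
THREAD_BOOLEANS = {
    ("httpd_t", "postgresql_port_t"): "httpd_can_network_connect_db",
    ("httpd_t", "etc_mail_t"): "httpd_can_sendmail",
}

def selinux_type(context):
    """Return the type field of user:role:type[:level], or None if malformed."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None

def parse_denial(line):
    """Parse one kernel AVC or SE-PostgreSQL denial line into a dict, else None."""
    m = DENIED_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    stype = selinux_type(rec.get("scontext", ""))
    ttype = selinux_type(rec.get("tcontext", ""))
    if not (stype and ttype and "tclass" in rec):
        return None
    rec.update(perms=m.group(1).split(), stype=stype, ttype=ttype)
    return rec

def summarize(log_text):
    """Group denials by (source type, target type, class); merge perms and repeats."""
    groups = {}
    for rec in filter(None, map(parse_denial, log_text.splitlines())):
        key = (rec["stype"], rec["ttype"], rec["tclass"])
        g = groups.setdefault(key, {"perms": set(), "comms": set(), "count": 0,
                                    "boolean": THREAD_BOOLEANS.get(key[:2])})
        g["perms"].update(rec["perms"])
        g["comms"].add(rec.get("comm", "-"))
        g["count"] += 1
    return groups

if __name__ == "__main__":
    for key, g in summarize(SAMPLE_LOG).items():
        print(key, sorted(g["perms"]), g["count"], g["comms"], "->", g["boolean"])
```

In the grouped output the /etc/mail denials carry comm="sendmail" while the source type is still httpd_t, and the db_database denial has no boolean in the table because the thread left it to a policy update.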



