Bug 160975 - phpPgAdmin cannot connect to postgres
Summary: phpPgAdmin cannot connect to postgres
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 4
Hardware: i386
OS: Linux
Target Milestone: ---
Assignee: Daniel Walsh
Reported: 2005-06-19 12:12 UTC by Gérard Milmeister
Modified: 2007-11-30 22:11 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2005-06-29 15:05:45 UTC

Description Gérard Milmeister 2005-06-19 12:12:37 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050513 Galeon/1.3.21

Description of problem:
If SELinux is set to enforce, phpPgAdmin (PHP, httpd) cannot connect to Postgres. As soon as enforce is set to false, it works without problems.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:

Additional info:

Comment 1 Gérard Milmeister 2005-06-19 13:26:32 UTC
This is certainly a httpd - postgres conflict, since the Postgres module in
Webmin doesn't work correctly either.

Comment 2 Tom Lane 2005-06-23 18:21:26 UTC
What Postgres authorization method are you using, and is the connection being
done through a Unix socket or over loopback IP?

There is a report at bug #161383 that SELinux interferes with IDENT checking,
but there is not enough information here for me to guess if it's the same issue.

Comment 3 Gérard Milmeister 2005-06-23 18:53:27 UTC
Here are the lines from pg_hba.conf:
# "local" is for Unix domain socket connections only
local   all         all                               ident sameuser
# IPv4 local connections:
host    all         all          md5
host    all         all        md5
# IPv6 local connections:
host    all         all         ::1/128               ident sameuser

and here the configuration from phppgadmin:
// Display name for the server on the login screen
$conf['servers'][0]['desc'] = 'PostgreSQL';

// Hostname or IP address for server.  Use '' for UNIX domain socket.
$conf['servers'][0]['host'] = '';

// Database port on server (5432 is the PostgreSQL default)
$conf['servers'][0]['port'] = 5432;

This would mean that connection is through, not the unix domain socket.

The message from selinux is:
Jun 23 20:49:50 scriabin kernel: audit(1119552590.703:4): avc:  denied  {
name_connect } for  pid=3260 comm="httpd" dest=5432
scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:postgresql_port_t

Note that I am able to log on to postgres using a password with:
psql -h

Comment 4 Ian Pilcher 2005-06-23 19:32:59 UTC
That configuration will cause any request from to use password
authentication.  (Keep in mind that PostgreSQL attempts to use the first
authentication method that matches the request.  If that fails, the connection
is refused; PostgreSQL does not "fall back" to another method.)

I'm no expert on SELinux, but it looks to me like the httpd process is being
blocked from even opening a socket to the postmaster.  I don't think that
PostgreSQL ever even sees the connection attempt.

If I'm correct, this is not a duplicate of #161383.

Comment 5 Tom Lane 2005-06-23 19:37:07 UTC
I agree, it is not a dup given that kernel log message.  I am recategorizing
this as a SELinux policy bug --- Dan can bounce it back if he thinks

Comment 6 Daniel Walsh 2005-06-26 11:35:46 UTC
set the boolean 

setsebool -P httpd_can_network_connect=1
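
Added example (not part of the bug report or of any commenter's post): a small shell triage of AVC denials like the one quoted in comment 3, separating an httpd outbound TCP connect, which the boolean above governs, from other denials. The function names and the second sample log line are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage AVC denials like the one quoted in comment 3.
# SAMPLE_LOG is constructed: line 1 mirrors the denial in this report
# (unwrapped onto one line), line 2 is an unrelated, made-up file denial.
SAMPLE_LOG='Jun 23 20:49:50 scriabin kernel: audit(1119552590.703:4): avc:  denied  { name_connect } for  pid=3260 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:postgresql_port_t
Jun 23 20:50:02 scriabin kernel: audit(1119552602.101:5): avc:  denied  { read } for  pid=3301 comm="httpd" name="notes.txt" scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:user_home_t'

# avc_fields LINE -> "perm source_type target_type dest_port" ("-" if absent).
# Only the first permission inside { } is reported.
avc_fields() {
    printf '%s\n' "$1" | awk '
        /avc:[ ]+denied/ {
            perm = "-"; src = "-"; tgt = "-"; port = "-"
            for (i = 1; i <= NF; i++) {
                if ($i == "{" && perm == "-") perm = $(i + 1)
                if ($i ~ /^dest=/)            port = substr($i, 6)
                # contexts are user:role:type[:level]; the type is field 3
                if ($i ~ /^scontext=/) { split($i, c, ":"); src = c[3] }
                if ($i ~ /^tcontext=/) { split($i, c, ":"); tgt = c[3] }
            }
            print perm, src, tgt, port
        }'
}

# triage LINE -> one-line verdict for whoever is reading the log
triage() {
    set -- $(avc_fields "$1")
    [ $# -eq 4 ] || { echo not_avc; return; }
    if [ "$1" = name_connect ] && [ "$2" = httpd_t ]; then
        # httpd opening a TCP connection: the case governed by the
        # httpd_can_network_connect boolean named in comment 6
        echo "httpd_outbound_tcp:$3:$4"
    else
        # anything else needs its own analysis; the boolean is not the fix
        echo "other_denial:$1:$2:$3"
    fi
}

printf '%s\n' "$SAMPLE_LOG" | while IFS= read -r line; do
    triage "$line"
done
```

On a live system, getsebool httpd_can_network_connect shows the boolean's current state before it is changed. Current Fedora and RHEL policies also provide the narrower httpd_can_network_connect_db boolean, which permits only connections to database ports.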

Comment 7 Gérard Milmeister 2005-06-26 12:25:53 UTC
Ok, that does it. There is even an option in system-config-securitylevel. I
only wish this had been more obvious :-(

Comment 8 Daniel Walsh 2005-06-27 11:04:11 UTC
man httpd_selinux mentions it.  I am not sure where we could make it easier to
discover.

Comment 9 Ian Pilcher 2005-06-27 12:35:02 UTC
Set "Allow HTTPD scripts to connect to the network" in system-config-securitylevel
and all is well now (selinux-policy-targeted-1.23.18-16).  Shouldn't this be
closed NOTABUG?

Comment 10 Gérard Milmeister 2005-06-27 15:19:39 UTC
(In reply to comment #8)
> man httpd_selinux mentions it.  I am not sure where we could make it easier to
> discover.

In order to consult the manpage, one must first know that it exists.
I think things like these should make it into the release notes.
It is very common for LAMP applications to connect to the network.
I have used Linux since 1993 and I am not that inexperienced; a bug report like this
shows that there is some difficulty here, doesn't it?

Comment 11 Daniel Walsh 2005-06-29 15:05:45 UTC
Yes, SELinux is a different kind of technology, in that it does not allow all
operations of a product to easily work.  There is information in the Release
Notes about SELinux, but it could probably be documented better.

