
SELinux blocking php and PostgreSQL

Recently, while working on a CentOS 5.4 Apache web server, I came across an interesting problem. The server was going to start connecting to a remote PostgreSQL server, using PHP to make the connection. However, when I looked at the logs, I saw errors about the server not listening.

This was odd, because if you tried to ping the machine or the port on the server you would get a response. Then, when I looked in /var/log/messages, I noticed the SELinux logs:

 localhost kernel: type=1400 audit(1276797969.045:10): avc:  denied  { getattr } for  pid=3210 comm="httpd" path="/var/www/sites/dev/index.php" dev=dm-0 ino=32278 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file

Basically, SELinux was blocking the connection. Now, you could go the throw-the-baby-out-with-the-bathwater route and just disable SELinux:

# vi /etc/selinux/config
and set:

But you are losing a really good security function for the sake of one problem.

The better option, and by far easier than writing a custom policy, is just to enable the following Boolean:

# /usr/sbin/setsebool -P httpd_can_network_connect_db 1
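
Before changing a Boolean, it helps to confirm which access the kernel actually denied. The following is an added example, not code from the original post: it parses AVC lines in the format shown above and separates httpd database-connection denials, which httpd_can_network_connect_db addresses, from other httpd denials. The second sample line, the DB_PORT_TYPES set and the function names are constructed assumptions.

```python
import re

# AVC denial format as written to /var/log/messages.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumption: port type the database Boolean covers; check the local policy.
DB_PORT_TYPES = {"postgresql_port_t"}

# First line is the denial quoted in the post; the second is constructed.
SAMPLES = [
    'localhost kernel: type=1400 audit(1276797969.045:10): avc:  denied  { getattr } for  pid=3210 comm="httpd" path="/var/www/sites/dev/index.php" dev=dm-0 ino=32278 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file',
    'localhost kernel: type=1400 audit(1276797970.112:11): avc:  denied  { name_connect } for  pid=3211 comm="httpd" dest=5432 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket',
]

def parse_avc(line):
    """Return the fields of an AVC denial line as a dict, or None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    fields["perms"] = m.group("perms").split()
    # A context is user:role:type[:level]; the type is the third field.
    for key, out in (("scontext", "stype"), ("tcontext", "ttype")):
        parts = fields.get(key, "").split(":")
        fields[out] = parts[2] if len(parts) >= 3 else None
    return fields

def classify(line):
    """Label a log line by the kind of httpd access that was denied."""
    d = parse_avc(line)
    if d is None:
        return "not-avc"
    if d["stype"] != "httpd_t":
        return "other-domain"
    if d.get("tclass") == "tcp_socket" and "name_connect" in d["perms"]:
        # Outbound connect: only database port types match the DB Boolean.
        return "db-connect" if d["ttype"] in DB_PORT_TYPES else "other-connect"
    if d.get("tclass") in ("file", "dir"):
        # File access denial; a network Boolean does not affect it.
        return "file-access"
    return "other"

if __name__ == "__main__":
    for sample in SAMPLES:
        d = parse_avc(sample)
        print(classify(sample), d["perms"], d["ttype"], d["tclass"])
```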


From Rafael
2014-08-25 20:38:35

Nice! I'm on Fedora 20 and it works like a charm for me, thanks a lot!

From vadim s. sabinich
2014-10-02 00:43:23

nice. but you wrote one little mistake :) "permissice" => "permissive"

From Admin
2014-10-02 10:59:22

Thanks for catching that Vadim, I've corrected that in the example above.
