Version 2.0

Tags | | |

SELinux blocking php and PostgreSQL

Recently while working on a CentOS 5.4 Apache web server I came across an interesting problem. The server was going to start connecting to a remote PostgreSQL server and leverage PHP to make the connection. However in looking at the logs I would see errors about the server not listening.

This was odd because if you tried to ping the machine or port on the server you would get a response. Then when I looked in /var/log/messages I noticed the SELinux logs:

 localhost kernel: type=1400 audit(1276797969.045:10): avc:  denied  { getattr } for  pid=3210 comm="httpd" path="/var/www/sites/dev/index.php" dev=dm-0 ino=32278 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file

Basically, SELinux was blocking the connection. Now you could go the throw the baby out with the bathwater route by just disabling SELinux:

# vi /etc/selinux/config
and set:
SELINUX=permissice
to:
SELINUX=disabled

But you are losing a really good security function for the sake of one problem.

The better and by far easier than writing a custom policy is just to enable the following boolean:

# /usr/sbin/setsebool -P httpd_can_network_connect_db 1


Comments

Feel free to leave a comment or question

Name: (Optional but appreciated):

Comment:

Use [code] [/code] for code block style


Newest content

Installing Redmine on CentOS 6.5
2014-06-25 00:00:00
centos,linux


Mavericks install "This copy of the Install OS X Mavericks application can't be verified"
2014-03-14 11:49:58
mavericks,osx


Openindiana Public key SSH issue
2014-01-08 21:46:56
opensolaris,openindiana


News

Programming:

Security / OS

Technology:

Positive SSL on a transparent background