Mostly I have been running Fedora on a home desktop and laptop for a long time with SELinux enabled, with very minimal workarounds needed. Otherwise I am new to policies etc.

I have just enabled SELinux in permissive mode on a web server and followed the instructions here to create a "local_policy.cil" policy module file containing a few simple rules, and install it.

https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/using_selinux/troubleshooting-problems-related-to-selinux_using-selinux#proc_creating-a-local-selinux-policy-module_troubleshooting-problems-related-to-selinux

Why is PostgreSQL running in unconfined_service_t, and what do I need to do to allow php-fpm to connect to it? Isn't there a boolean for that?

    [root@blanco ~]# ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -ts recent
    ----
    time->Mon Jan 13 13:36:10 2025
    type=AVC msg=audit(1736775370.067:3485): avc: denied { connectto } for pid=1425 comm="php-fpm" path="/run/postgresql/.s.PGSQL.5432" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=1
    ----
    ...

Do I need a ".cil" rule like this?

    (allow httpd_t unconfined_service_t (unix_stream_socket (connectto)))
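As an added illustration (not code from the poster or from the Fedora policy), a small Python helper that parses the AVC record quoted above into the CIL allow rule asked about, and flags the case where the target type is unconfined_service_t: that type typically means the service's executable carried no label with a domain transition, so it never entered postgresql_t, and an allow rule against it would also cover every other service running unconfined. The executable path in the comments is a placeholder, not a value from the post.

```python
import re

# Constructed sample: the denial quoted in the post above, as one line.
SAMPLE_AVC = (
    'type=AVC msg=audit(1736775370.067:3485): avc: denied { connectto } for '
    'pid=1425 comm="php-fpm" path="/run/postgresql/.s.PGSQL.5432" '
    'scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:system_r:unconfined_service_t:s0 '
    'tclass=unix_stream_socket permissive=1'
)

# Fields of an AVC record: permissions in braces, then source/target contexts and class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def parse_avc(line):
    """Return (source type, target type, object class, permissions) from one AVC record."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError("not an AVC denial record")
    stype = m.group('scontext').split(':')[2]  # user:role:type:level -> type
    ttype = m.group('tcontext').split(':')[2]
    return stype, ttype, m.group('tclass'), set(m.group('perms').split())


def cil_allow(stype, ttype, tclass, perms):
    """Render one CIL allow rule of the form used in local_policy.cil."""
    return f"(allow {stype} {ttype} ({tclass} ({' '.join(sorted(perms))})))"


def review(line):
    """Parse a denial and say whether a plain allow rule is the right fix.

    With a target of unconfined_service_t the narrower fix is to label the
    service executable so it transitions into its own domain, e.g. (placeholder path):
        semanage fcontext -a -t postgresql_exec_t '/PATH/TO/postgres'
        restorecon -v '/PATH/TO/postgres'   # then restart the service
    A rule that is wanted is installed with: semodule -i local_policy.cil
    """
    stype, ttype, tclass, perms = parse_avc(line)
    rule = cil_allow(stype, ttype, tclass, perms)
    if ttype == 'unconfined_service_t':
        return {'rule': rule, 'recommended': False,
                'note': 'target is unconfined_service_t: relabel the executable '
                        'instead of allowing access to every unconfined service'}
    return {'rule': rule, 'recommended': True, 'note': ''}
```

Running `review(SAMPLE_AVC)` on the quoted denial produces exactly the rule from the post but marks it as not recommended.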