On 13/01/2025 14:09, justina colmena ~biz via selinux wrote:
> Why is PostgreSQL running in unconfined_service_t,

I don't think any replies to your message have addressed this, but...
time->Mon Jan 13 13:36:10 2025
type=AVC msg=audit(1736775370.067:3485): avc: denied { connectto } for
pid=1425 comm="php-fpm" path="/run/postgresql/.s.PGSQL.5432"
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:system_r:unconfined_service_t:s0
tclass=unix_stream_socket
permissive=1
I think this is telling you that the socket file context is
"system_u:system_r:unconfined_service_t:s0". It doesn't necessarily mean
that postgresql is running with that context, though 'ps -o
pid,command,context -C postgres' should confirm.
On my system:
# semanage fcontext -l | grep /run/postgresql
/run/postgresql(/.*)? all files
system_u:object_r:postgresql_var_run_t:s0
... so figuring out why your socket is labelled incorrectly would be the
first thing I'd investigate.
If postgresql was really running as unconfined_service_t then I'd debug
the type transition process explained at
<https://wiki.gentoo.org/wiki/SELinux/Tutorials/How_does_a_process_get_into_a_certain_context>.
Once postgresql is running in the expected context & the socket file has
the right label, then I'd resume configuring the system so that
processes running as httpd_t can connect to it.
--
Sam Morris <https://robots.org.uk/>
PGP: rsa4096/CAAA AA1A CA69 A83A 892B 1855 D20B 4202 5CDA 27B9
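The two checks above (the daemon's context from `ps -o pid,command,context -C postgres`, and the socket file's label against what `semanage fcontext -l` says it should be) are easy to get wrong by eye, so here is an added example that is not part of Sam's reply: POSIX shell helpers that pull the SELinux type out of an AVC record, a `ps` listing and an `ls -Z` line and compare them with the expected types. The expected names, postgresql_t for the daemon and postgresql_var_run_t for the socket, are assumptions about a stock Fedora policy (the latter matches the semanage output quoted above); the sample inputs are constructed, with a plausible var_run_t mislabel on the socket.

```shell
#!/bin/sh
# Added example, not code from the original message. Assumptions: stock Fedora
# type names (postgresql_t, postgresql_var_run_t), `ls -Z` printing the context
# as the first column, and `ps -o pid,command,context` printing it as the last.

# Pull one key=value pair out of an audit record: avc_field "$rec" tcontext
avc_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | tr -d '"'
}

# A context is user:role:type:level; return the type component
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Types of the two contexts in an AVC record, printed as "source target"
avc_types() {
    printf '%s %s\n' "$(ctx_type "$(avc_field "$1" scontext)")" \
                     "$(ctx_type "$(avc_field "$1" tcontext)")"
}

# Distinct domains in `ps -o pid,command,context` output; the context is the
# last column, so commands containing spaces do not break the parse
ps_domains() {
    printf '%s\n' "$1" | awk 'NR > 1 { print $NF }' | cut -d: -f3 | sort -u
}

# Type of a file from an `ls -Z` line (context first, then the path)
ls_z_type() {
    printf '%s\n' "$1" | awk '{ print $1 }' | cut -d: -f3
}

# Succeed only when every postgres process runs in $2 and the socket in $4
# carries type $3; otherwise name the first mismatch and fail
check_postgres_labels() {
    ps_out=$1; want_domain=$2; want_file=$3; ls_out=$4
    for d in $(ps_domains "$ps_out"); do
        [ "$d" = "$want_domain" ] || {
            echo "process domain $d, expected $want_domain (check the type transition)"
            return 1
        }
    done
    t=$(ls_z_type "$ls_out")
    [ "$t" = "$want_file" ] || {
        echo "socket type $t, expected $want_file (restorecon -Rv /run/postgresql)"
        return 1
    }
    echo "labels ok"
}

# Constructed sample inputs. On a live system use
#   "$(ps -o pid,command,context -C postgres)" and
#   "$(ls -Z /run/postgresql/.s.PGSQL.5432)" instead.
SAMPLE_AVC='type=AVC msg=audit(1736775370.067:3485): avc: denied { connectto } for pid=1425 comm="php-fpm" path="/run/postgresql/.s.PGSQL.5432" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=1'
SAMPLE_PS='    PID COMMAND                                  CONTEXT
   1302 /usr/bin/postgres -D /var/lib/pgsql/data system_u:system_r:unconfined_service_t:s0
   1310 postgres: logger                         system_u:system_r:unconfined_service_t:s0'
SAMPLE_LS='system_u:object_r:var_run_t:s0 /run/postgresql/.s.PGSQL.5432'

avc_types "$SAMPLE_AVC"
check_postgres_labels "$SAMPLE_PS" postgresql_t postgresql_var_run_t "$SAMPLE_LS" || true
```

Run against the constructed samples this prints `httpd_t unconfined_service_t` and then reports the daemon's domain mismatch first, which is the order Sam suggests: settle the process context, then the file label, and only then go back to the httpd_t connection policy.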
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx