Re: Fixing denials

On Mon, Jan 13, 2025 at 3:27 PM justina colmena ~biz via selinux <selinux@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
Mostly I have been running fedora on a home desktop and laptop for a long time
with SELinux enabled, with very minimal workarounds needed. Otherwise I am new
to policies etc. I have just enabled SELinux in permissive mode on a web
server and followed the instructions here to create a "local_policy.cil"
policy module file containing a few simple rules, and install it.

https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/using_selinux/troubleshooting-problems-related-to-selinux_using-selinux#proc_creating-a-local-selinux-policy-module_troubleshooting-problems-related-to-selinux

Why is PostgreSQL running in unconfined_service_t, and what do I need to do to
allow php-fpm to connect to it?

Isn't there a boolean for that?

[root@blanco ~]# ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -ts recent
----
time->Mon Jan 13 13:36:10 2025
type=AVC msg=audit(1736775370.067:3485): avc:  denied  { connectto } for 
pid=1425 comm="php-fpm" path="/run/postgresql/.s.PGSQL.5432"
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket
permissive=1
----
...

Do I need a ".cil" rule like this?

(allow  httpd_t unconfined_service_t (unix_stream_socket (connectto)))

Hello,

I think that what you need in the first place is to check how the postgresql service is started. Is the binary properly labeled?

systemctl cat postgresql
ls -lZ /usr/bin/postgres
--
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue


--

Zdenek Pytela
Security SELinux team
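The reply's checks, worked into a small triage script. This is an added example, not code from the thread or from the Fedora SELinux team: it parses the AVC record quoted above, treats a tcontext of unconfined_service_t as a labeling problem to settle before any allow rule is written (unconfined_service_t is the catch-all domain for services whose binary has no transition, so an allow rule against it would reach every such service, not just PostgreSQL), pulls the ExecStart binary out of systemctl cat output, and compares an ls -lZ line with the expected type. Assumptions: postgresql_exec_t as the expected label for /usr/bin/postgres, and a constructed unit excerpt and ls -lZ line standing in for the poster's system.

```sh
#!/bin/sh
# Added example, not from the thread: text-only triage of an AVC record, so it
# runs without SELinux tools; the live checks are printed as commands to run.

# Value of key=$2 in AVC record $1, surrounding quotes stripped.
avc_field() {
    printf '%s\n' "$1" |
        sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# Type field of a context such as system_u:system_r:httpd_t:s0.
ctx_type() { printf '%s\n' "$1" | cut -d: -f3; }

# "relabel": the target runs as unconfined_service_t, i.e. the daemon never
# entered its own domain (usually a mislabeled binary); an allow rule against
# unconfined_service_t would reach every such service, not just this one.
# "policy": the target is a real domain; check for a boolean before adding rules.
avc_triage() {
    if [ "$(ctx_type "$(avc_field "$1" tcontext)")" = unconfined_service_t ]
    then echo relabel; else echo policy; fi
}

# First ExecStart binary in `systemctl cat` output ($1), prefix chars dropped.
unit_exec_path() {
    printf '%s\n' "$1" | sed -n 's/^ExecStart=[-@+!]*\([^ ]*\).*/\1/p' | head -n 1
}

# Compare the context column of an `ls -lZ` line ($1) with expected type $2.
# Assumes a regular file (no "-> target" suffix). Returns 1 on mismatch.
label_check() {
    actual=$(ctx_type "$(printf '%s\n' "$1" | awk '{print $(NF-1)}')")
    [ "$actual" = "$2" ] && return 0
    echo "label mismatch: $actual != $2 (fix: restorecon -v <path>)"; return 1
}

# Constructed samples: the AVC from the thread joined onto one line, plus an
# invented unit excerpt and ls -lZ line showing a binary left as bin_t.
SAMPLE_AVC='type=AVC msg=audit(1736775370.067:3485): avc:  denied  { connectto } for pid=1425 comm="php-fpm" path="/run/postgresql/.s.PGSQL.5432" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=1'
SAMPLE_UNIT='[Service]
ExecStart=/usr/bin/postgres -D ${PGDATA}'
SAMPLE_LSZ='-rwxr-xr-x. 1 root root 8421616 Oct  1 10:00 system_u:object_r:bin_t:s0 /usr/bin/postgres'

if [ "$(avc_triage "$SAMPLE_AVC")" = relabel ]; then
    echo "target is unconfined_service_t; check labeling before any allow rule:"
    echo "  systemctl cat postgresql"
    echo "  ls -lZ $(unit_exec_path "$SAMPLE_UNIT")"
    label_check "$SAMPLE_LSZ" postgresql_exec_t || true
fi
```

Once the binary carries its proper label and the service is restarted, re-run ausearch: the tcontext should then show the daemon's own domain, and only a denial against that domain is worth a boolean or a rule.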