On 04/08/2017 06:31 AM, John Iliffe wrote:
> On Saturday 08 April 2017 00:10:14 Adrian Klaver wrote:
>> On 04/07/2017 07:45 PM, Joe Conway wrote:
>> > On 04/07/2017 05:35 PM, Adrian Klaver wrote:
>> >> On 04/07/2017 05:03 PM, John Iliffe wrote:
>> >>>>> Running on Fedora 25 with SELinux in PERMISSIVE mode. The audit
>> >>>>> log shows no hits on Postgresql.
>> >>>
>> >>> My going in position was/still is, that this is a SELinux security
>> >>> problem but I am finding SELinux to be the most opaque and badly
>> >>> documented software that I have ever had to deal with, which is why
>> >>> it is running in permissive mode at the moment.
>> >>
>> >> Well what I know about SELinux would fit in the navel of a flea (tip
>> >> of the hat to David Niven), so I can not be of much help there. The
>> >> reason I returned this thread to the list, there are folks that
>> >> do understand it.
>> >
>> > If SELinux is running in permissive I don't see how it could be at
>> > fault for your issue. Did you verify that (getenforce)?
>> >
>> >>> --------------------------
>> >>> [Fri Apr 07 17:03:28.597101 2017] [php7:warn] [pid 1797:tid
>> >>> 140599445419776] [client 192.168.1.10:45127] PHP Warning:
>> >>> pg_connect(): Unable to connect to PostgreSQL server: could not
>> >>> connect to server: No such file or directory\n\tIs the server
>> >>> running locally and
>> >>> accepting\n\tconnections on Unix domain socket
>> >>> "/tmp/.s.PGSQL.5432"? in /httpd/iliffe/testfcgi.php on
>> >>> line 121
>> >>> ----------------------------
>> >
>> > This might be a silly question, but is PHP running on the same server
>> > as Postgres?
>>
>> To add to this, previously you mentioned:
>>
>> "Also, using the on board firewall (firewalld) to provide a secondary
>> domain where the actual business processes run. "
>>
>> What exactly does that mean?
>>
> There is something rather odd here.
>
> getenforce shows the mode as permissive, which is what I think it is.

If getenforce shows you are in permissive, then selinux is not your
problem, full stop.

> BUT, this morning's logwatch report shows:
>
> *** Denials ***
> system_u system_u (tcp_socket): 1 times

selinux will continue to log denials in permissive -- this is useful to
determine what would have been blocked by selinux had it been in
enforcing, which in turn gives you a chance to fix those issues before
turning on enforcing.

For more detail on the selinux logs look in /var/log/audit/audit.log

You definitely have something odd going on though. As you said
elsewhere, using a Unix domain socket connection the firewall should not
get involved either. Seems like the issue is related to PHP somehow. For
example, see:

http://serverfault.com/questions/641329/cannot-connect-to-postgresql-unix-domain-socket

Joe

--
Crunchy Data - http://crunchydata.com
PostgreSQL Support for Secure Enterprises
Consulting, Training, & Open Source Development
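The reply above notes that SELinux keeps logging denials in permissive mode and points to /var/log/audit/audit.log for detail. As an added example (not part of the original message), the script below separates AVC denials that were only logged from those that were enforced, using the `permissive=` field of the standard AVC record format. The sample records are constructed for illustration and are not taken from the thread.

```python
import re
from collections import Counter

# Constructed sample records in audit.log AVC format (not from the thread).
SAMPLE_LOG = """\
type=AVC msg=audit(1491645808.597:101): avc:  denied  { name_connect } for  pid=1797 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1
type=SYSCALL msg=audit(1491645808.597:101): arch=c000003e syscall=42 success=yes exit=0 comm="httpd"
type=AVC msg=audit(1491645900.010:102): avc:  denied  { connectto } for  pid=1801 comm="httpd" path="/tmp/.s.PGSQL.5432" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:postgresql_t:s0 tclass=unix_stream_socket permissive=0
"""

AVC_RE = re.compile(r"type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]*)\}")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else context

def parse_denials(text):
    """Extract AVC denials; 'blocked' is None when permissive= is absent."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL and other record types are skipped
        f = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        perm_flag = f.get("permissive")
        denials.append({
            "perms": m.group("perms").split(),
            "comm": f.get("comm", "?"),
            "source": selinux_type(f.get("scontext", "?")),
            "target": selinux_type(f.get("tcontext", "?")),
            "tclass": f.get("tclass", "?"),
            # permissive=1: logged only, the access was allowed
            "blocked": None if perm_flag is None else perm_flag == "0",
        })
    return denials

def summarize(denials):
    """Count denials per (source, target, class, blocked) tuple."""
    return Counter((d["source"], d["target"], d["tclass"], d["blocked"])
                   for d in denials)

if __name__ == "__main__":
    for key, n in summarize(parse_denials(SAMPLE_LOG)).items():
        src, tgt, cls, blocked = key
        state = {True: "BLOCKED", False: "logged only", None: "unknown"}[blocked]
        print(f"{n}x {src} -> {tgt} ({cls}): {state}")
```

On a real host, pass the contents of /var/log/audit/audit.log to `parse_denials` instead of `SAMPLE_LOG`; reading that file normally requires root.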