Tags | linux | security | CentOS
SELinux blocking php and PostgreSQL
Recently while working on a CentOS 5.4 Apache web server I came across an interesting problem. The server was going to start connecting to a remote PostgreSQL server and leverage PHP to make the connection. However in looking at the logs I would see errors about the server not listening.
This was odd because if you tried to ping the machine or port on the server you would get a response. Then when I looked in /var/log/messages I noticed the SELinux logs:
Basically, SELinux was blocking the connection. Now you could go the throw the baby out with the bathwater route by just disabling SELinux:
But you are losing a really good security function for the sake of one problem.
The better and by far easier than writing a custom policy is just to enable the following boolean:
This was odd because if you tried to ping the machine or port on the server you would get a response. Then when I looked in /var/log/messages I noticed the SELinux logs:
localhost kernel: type=1400 audit(1276797969.045:10): avc: denied { getattr } for pid=3210 comm="httpd" path="/var/www/sites/dev/index.php" dev=dm-0 ino=32278 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
Basically, SELinux was blocking the connection. Now you could go the throw the baby out with the bathwater route by just disabling SELinux:
# vi /etc/selinux/config
and set:
SELINUX=permissice
to:
SELINUX=disabled
and set:
SELINUX=permissice
to:
SELINUX=disabled
But you are losing a really good security function for the sake of one problem.
The better and by far easier than writing a custom policy is just to enable the following boolean:
# /usr/sbin/setsebool -P httpd_can_network_connect_db 1
