Wednesday 4 July 2018

access control - PHP can't connect to PostgreSQL with "permission denied" error with SELinux


My PHP app can connect when I turn off SELinux, but not with it on.


setenforce 0; curl -I http://domain.com; setenforce 1

Yields no errors in /var/log/httpd/error_log. However, if I have it on, I get this error:



PHP Warning: pg_connect(): Unable to connect to PostgreSQL server: could not connect to server: Permission denied. Is the server running locally and accepting connections on Unix domain socket "/tmp/.s.PGSQL.5432"?



I've tried


# restorecon -R -v /home/domain/public_html
# chcon -R -t httpd_sys_rw_content_t /home/domain/public_html/
# chcon -v --type=httpd_sys_content_t /home/domain/public_html
# semanage fcontext -a -t httpd_sys_content_t "/home/domain/public_html(/.*)?"
# service httpd restart

With SELinux on, I can still do this:


# php -a
Interactive shell

php > $connection = pg_connect ("dbname=domain user=domain password=xxxxxx") or die(pg_last_error());
php > echo $connection;
Resource id #1

Here is the error from /var/log/audit/audit.log:


type=AVC msg=audit(1404684735.513:97245): avc:  denied  { write } for  pid=3594 comm="httpd" name=".s.PGSQL.5432" dev=xvde ino=2552 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1404684735.513:97245): arch=c000003e syscall=42 success=no exit=-13 a0=b a1=7f40ae4fd640 a2=6e a3=0 items=0 ppid=26231 pid=3594 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=2700 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)

CentOS 6.5



Answer



I fixed it! I found a solution here: https://bugzilla.redhat.com/show_bug.cgi?id=772084#c8


What I did was take the 2 lines that were written to audit.log and pipe them into audit2allow, which generates 2 files, a binary and a text file. Then I imported that file into semodule. I don't understand the file, however. Make sure you capture the httpd errors.


tail -2 /var/log/audit/audit.log | audit2allow -M mypol
semodule -i mypol.pp # takes a while

The actual text file it generated was mypol.te


module mypol 1.0;

require {
type httpd_t;
type initrc_t;
class unix_stream_socket connectto;
}

#============= httpd_t ==============
allow httpd_t initrc_t:unix_stream_socket connectto;
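As an added example (not code from the question or the answer), here is a small Python triage script for the audit records quoted in the question. It parses the AVC record, joins it with the SYSCALL record that carries the same serial, names the errno behind exit=-13, and prints the allow rule audit2allow would derive from that single denial. The two log lines are embedded as constructed sample input; the x86_64 syscall-number map and the record layout assumptions are mine, not part of the page.

```python
import errno
import re

# Constructed sample input: the two audit records quoted in the question above.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1404684735.513:97245): avc:  denied  { write } for  pid=3594 comm="httpd" name=".s.PGSQL.5432" dev=xvde ino=2552 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1404684735.513:97245): arch=c000003e syscall=42 success=no exit=-13 a0=b a1=7f40ae4fd640 a2=6e a3=0 items=0 ppid=26231 pid=3594 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=2700 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
"""

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<verdict>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)$"
)
SERIAL_RE = re.compile(r"msg=audit\([\d.]+:(\d+)\)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumption: only the two x86_64 (arch=c000003e) syscall numbers relevant to
# a socket client are mapped here; anything else is reported by number.
X86_64_SYSCALLS = {41: "socket", 42: "connect"}


def _kv(text):
    """Split 'key=value key="quoted value"' pairs into a dict."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}


def _type_of(context):
    # A context is user:role:type[:level]; policy rules are written on the type.
    return context.split(":")[2]


def parse_avc(line):
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    f = _kv(m.group("rest"))
    return {
        "serial": m.group("serial"), "verdict": m.group("verdict"),
        "perms": m.group("perms").split(),
        "comm": f.get("comm"), "name": f.get("name"),
        "source_type": _type_of(f["scontext"]),
        "target_type": _type_of(f["tcontext"]),
        "tclass": f["tclass"],
    }


def parse_syscall(line):
    line = line.strip()
    if not line.startswith("type=SYSCALL "):
        return None
    f = _kv(line)
    exit_code = int(f["exit"])
    nr = int(f["syscall"])
    name = X86_64_SYSCALLS.get(nr, str(nr)) if f.get("arch") == "c000003e" else str(nr)
    return {
        "serial": SERIAL_RE.search(line).group(1),
        "syscall": nr, "syscall_name": name, "exit": exit_code,
        # A negative exit is -errno; 13 is EACCES, the "Permission denied" PHP saw.
        "errno": errno.errorcode.get(-exit_code) if exit_code < 0 else None,
        "exe": f.get("exe"),
    }


def triage(text):
    """Return AVC records, each merged with the SYSCALL record sharing its serial."""
    avcs, syscalls = [], {}
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            avcs.append(rec)
            continue
        sc = parse_syscall(line)
        if sc:
            syscalls[sc["serial"]] = sc
    for rec in avcs:
        rec.update({k: v for k, v in syscalls.get(rec["serial"], {}).items() if k != "serial"})
    return avcs


def allow_rule(rec):
    """The allow rule audit2allow would derive from one AVC denial record."""
    perms = rec["perms"]
    perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f'allow {rec["source_type"]} {rec["target_type"]}:{rec["tclass"]} {perm_str};'


if __name__ == "__main__":
    for rec in triage(SAMPLE_AUDIT_LOG):
        print(f'{rec["comm"]} ({rec["source_type"]}) was {rec["verdict"]} '
              f'{" ".join(rec["perms"])} on {rec["tclass"]} "{rec["name"]}" '
              f'labelled {rec["target_type"]}; {rec.get("syscall_name")}() '
              f'returned {rec.get("errno")}')
        print("equivalent rule:", allow_rule(rec))
```

Two things worth reading off the output before loading any generated module. First, the AVC record quoted in the question is a write denial on a sock_file labelled tmp_t, so the rule derived from it (`allow httpd_t tmp_t:sock_file write;`) is not the connectto rule in the answer's mypol.te; audit2allow only sees whatever lines `tail -2` captured at that moment, so the two denials for one failed connect() can end up in different modules. Second, a rule on tmp_t grants httpd_t write access to every socket file carrying that label, not just /tmp/.s.PGSQL.5432, which is the kind of scope a reviewer should check in a .te file before running semodule -i.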
