My PHP app can connect when I turn off SELinux, but not with it on.
setenforce 0; curl -I http://domain.com; setenforce 1
Yields no errors in /var/log/httpd/error_log
. However, if I have it on, I get this error:
PHP Warning: pg_connect(): Unable to connect to PostgreSQL server: could not connect to server: Permission denied. Is the server running locally and accepting connections on Unix domain socket "/tmp/.s.PGSQL.5432"?
I've tried
# restorecon -R -v /home/domain/public_html
# chcon -R -t httpd_sys_rw_content_t /home/domain/public_html/
# chcon -v --type=httpd_sys_content_t /home/domain/public_html
# semanage fcontext -a -t httpd_sys_content_t "/home/domain/public_html(/.*)?"
# service httpd restart
With SELinux on, I can still do this:
# php -a
Interactive shell
php > $connection = pg_connect ("dbname=domain user=domain password=xxxxxx") or die(pg_last_error());
php > echo $connection;
Resource id #1
Here is the error from /var/log/audit/audit.log
:
type=AVC msg=audit(1404684735.513:97245): avc: denied { write } for pid=3594 comm="httpd" name=".s.PGSQL.5432" dev=xvde ino=2552 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1404684735.513:97245): arch=c000003e syscall=42 success=no exit=-13 a0=b a1=7f40ae4fd640 a2=6e a3=0 items=0 ppid=26231 pid=3594 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=2700 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
CentOS 6.5
Answer
I fixed it! I found a solution here: https://bugzilla.redhat.com/show_bug.cgi?id=772084#c8
What I did was take the 2 lines that were written to audit.log, and piped them into audit2allow
, which generates 2 files, a binary and a text. Then I imported that file into semodule
. I don't understand the file however. Make sure you capture the httpd errors.
tail -2 /var/log/audit/audit.log | audit2allow -M mypol
semodule -i mypol.pp # takes a while
The actual text file it generated was mypol.te
module mypol 1.0;
require {
type httpd_t;
type initrc_t;
class unix_stream_socket connectto;
}
#============= httpd_t ==============
allow httpd_t initrc_t:unix_stream_socket connectto;
No comments:
Post a Comment