Hello!
I try to use apache and postgresql with the dotclear blog engine. When I try to enter the database information from the admin config wizard within the browser, I have a SELinux denial:
audit(1202182131.382:34): avc: denied { name_connect } for pid=2604 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
[root@haderach ~]# ls -Z /home/www/
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t:s0 dotclear
[root@haderach ~]# rpm -q sepostgresql
sepostgresql-8.2.6-1.158.fc8
selinux-policy-3.0.8-81.fc8
selinux-policy-targeted-3.0.8-81.fc8
[root@haderach data]# semodule -l |grep postgre
sepostgresql 1.158
On the other hand, when I try to use phpPgAdmin, it works. But I need to change /var/lib/pgsql/data/pg_hba.conf from ident sameuser to md5 (tried the same for dotclear without success).
Also, from: http://code.google.com/p/sepgsql/wiki/install_memo_Fedora7
As I'm using F-8, I expect not to need the additional recompiled selinux-policy-2.6.4-38.sepgsql.fc7.noarch.rpm (don't know if current F-7 users will still need it?). At least the .sepgsql doesn't fit the same version number.
Any tips for this?
Nicolas (kwizart)

Nicolas Chauvet wrote:
> Hello!
> I try to use apache and postgresql with the dotclear blog engine. When I try to enter the database information from the admin config wizard within the browser, I have a SELinux denial:
> audit(1202182131.382:34): avc: denied { name_connect } for pid=2604 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
> [root@haderach ~]# ls -Z /home/www/
> drwxr-xr-x root root system_u:object_r:httpd_sys_content_t:s0 dotclear
> [root@haderach ~]# rpm -q sepostgresql
> sepostgresql-8.2.6-1.158.fc8
> selinux-policy-3.0.8-81.fc8
> selinux-policy-targeted-3.0.8-81.fc8
> [root@haderach data]# semodule -l |grep postgre
> sepostgresql 1.158
Can the following command help you?
# setsebool -P httpd_can_network_connect_db=1
> On the other hand, when I try to use phpPgAdmin, it works. But I need to change /var/lib/pgsql/data/pg_hba.conf from ident sameuser to md5 (tried the same for dotclear without success).
> Also, from: http://code.google.com/p/sepgsql/wiki/install_memo_Fedora7
> As I'm using F-8, I expect not to need the additional recompiled selinux-policy-2.6.4-38.sepgsql.fc7.noarch.rpm (don't know if current F-7 users will still need it?). At least the .sepgsql doesn't fit the same version number.
The selinux-policy packages with ".sepgsql" are special care for Fedora 7 users, because the selinux-policy-2.x series does not contain the definitions related to database objects (like db_table, db_column, ...).
You don't need to replace it, whenever sepostgresql works on Fedora 8.
Thanks,

2008/2/5, KaiGai Kohei <kaigai@ak.jp.nec.com>:
> Can the following command help you?
> # setsebool -P httpd_can_network_connect_db=1
It does: the error disappeared, but I have another one, from /var/log/sepostgresql.log:
FATAL: sepgsql_system_getpeercon(734): 'user_u:user_r:user_t' is not a valid context
I have also noticed an error in the same log file:
LOG: could not open directory "/usr/share/sepgsql/timezone": File or directory doens't exist
Where I've made a ln -s timezoneset /usr/share/sepgsql/timezone.
About phpPgAdmin: now I can connect but I have this all the time:
--------------
ERROR: SELinux: denied { set_param } scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:sepgsql_db_t:s0 tclass=db_database name=dotclear
STATEMENT: set datestyle='ISO'
--------------
Seems related to the command used to set the passwd?!
psql -d dotclear -c "alter user dotclear with password 'my_passwd'"
I have used that previously from a wiki, without noticing well what template1 means:
psql -d template1 -c "alter user dotclear with password 'my_passwd'"
and the same error sometimes appears with template1 instead of dotclear
>> On the other hand, when I try to use phpPgAdmin, it works. But I need to change /var/lib/pgsql/data/pg_hba.conf from ident sameuser to md5 (tried the same for dotclear without success).
Was /var/lib/sepgsql/data/pg_hba.conf from the above

KH KH wrote:
> It does: the error disappeared, but I have another one, from /var/log/sepostgresql.log:
> FATAL: sepgsql_system_getpeercon(734): 'user_u:user_r:user_t' is not a valid context
I guess you try to connect to SE-PostgreSQL running on another host without any labeled networking configuration. SE-PostgreSQL tries to apply a fallback security context when it cannot obtain the peer's context. The 'user_u:user_r:user_t' is the default fallback context.
Please confirm whether mcstransd is running, or not. If not running, please start it.
> I have also noticed an error in the same log file:
> LOG: could not open directory "/usr/share/sepgsql/timezone": File or directory doens't exist
> Where I've made a ln -s timezoneset /usr/share/sepgsql/timezone.
It seems to me a packaging error. I'll fix it soon.
> About phpPgAdmin: now I can connect but I have this all the time:
> ERROR: SELinux: denied { set_param } scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:sepgsql_db_t:s0 tclass=db_database name=dotclear
> STATEMENT: set datestyle='ISO'
The default security policy for SE-PostgreSQL does not allow "SET ..." statements to be executed by non-administrative users. However, it might not be an appropriate policy. I'll update this part of the policy on the next update. Please wait for some days.
> Seems related to the command used to set the passwd?!
> psql -d dotclear -c "alter user dotclear with password 'my_passwd'"
> I have used that previously from a wiki, without noticing well what template1 means:
> psql -d template1 -c "alter user dotclear with password 'my_passwd'"
> and the same error sometimes appears with template1 instead of dotclear
Is it really the same error?
tuple:{update} on sepgsql_sysobj_t should be evaluated with ALTER USER statement.
If you want non-administrative users to execute the statement, "sepgsql_enable_users_ddl" boolean should be turned on.
Thanks,

2008/2/6, Kohei KaiGai <kaigai@ak.jp.nec.com>:
> KH KH wrote:
>> It does: the error disappeared, but I have another one, from /var/log/sepostgresql.log:
>> FATAL: sepgsql_system_getpeercon(734): 'user_u:user_r:user_t' is not a valid context
> I guess you try to connect to SE-PostgreSQL running on another host without any labeled networking configuration. SE-PostgreSQL tries to apply a fallback security context when it cannot obtain the peer's context. The 'user_u:user_r:user_t' is the default fallback context.
> Please confirm whether mcstransd is running, or not. If not running, please start it.
mcstrans installed and started, this solved many problems. Actually I'm running SE-PostgreSQL on my server host with phpPgAdmin on the same host but browsed from my workstation.
Now I can enter the parameters from the database and set up my blog engine, thx. There remain some SELinux denials with sendmail (dotclear wants to send a mail to the admin of the blog engine) and with phpPgAdmin.
SELinux denials with sendmail:
-------------------
audit(1202299741.450:42): avc: denied { search } for pid=12667 comm="sendmail" name="mail" dev=sda6 ino=1573785 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_mail_t:s0 tclass=dir
audit(1202299741.450:43): avc: denied { search } for pid=12667 comm="sendmail" name="mail" dev=sda6 ino=1573785 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_mail_t:s0 tclass=dir
audit(1202299741.451:44): avc: denied { getattr } for pid=12667 comm="sendmail" path="/etc/mail" dev=sda6 ino=1573785 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_mail_t:s0 tclass=dir
-------------------
>> I have also noticed an error in the same log file:
>> LOG: could not open directory "/usr/share/sepgsql/timezone": File or directory doens't exist
>> Where I've made a ln -s timezoneset /usr/share/sepgsql/timezone.
> It seems to me a packaging error. I'll fix it soon.
>> About phpPgAdmin: now I can connect but I have this all the time:
>> ERROR: SELinux: denied { set_param } scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:sepgsql_db_t:s0 tclass=db_database name=dotclear
>> STATEMENT: set datestyle='ISO'
> The default security policy for SE-PostgreSQL does not allow "SET ..." statements to be executed by non-administrative users. However, it might not be an appropriate policy. I'll update this part of the policy on the next update. Please wait for some days.
>> Seems related to the command used to set the passwd?!
>> psql -d dotclear -c "alter user dotclear with password 'my_passwd'"
>> I have used that previously from a wiki, without noticing well what template1 means:
>> psql -d template1 -c "alter user dotclear with password 'my_passwd'"
>> and the same error sometimes appears with template1 instead of dotclear
> Is it really the same error?
This error also appears all the time with phpPgAdmin but with a different name={dotclear,template1}. The second one appears when I want to delete an unused database:
-------------------------
Erreur SQL :
ERROR: SELinux: denied { set_param } scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:sepgsql_db_t tclass=db_database name=template1
Dans l'instruction : set datestyle='ISO'
-------------------------
Erreur SQL :
ERROR: SELinux: denied { drop } scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:sepgsql_db_t tclass=db_database name=postgres
Dans l'instruction : DROP DATABASE "postgres"
--------------------------
> tuple:{update} on sepgsql_sysobj_t should be evaluated with ALTER USER statement.
> If you want non-administrative users to execute the statement, "sepgsql_enable_users_ddl" boolean should be turned on.
I have turned this on also; actually, even connected as the sepgsql user it shows the error.
Thx for your help!
Nicolas (kwizart)

KH KH wrote:
> mcstrans installed and started, this solved many problems. Actually I'm running SE-PostgreSQL on my server host with phpPgAdmin on the same host but browsed from my workstation.
> Now I can enter the parameters from the database and set up my blog engine, thx. There remain some SELinux denials with sendmail (dotclear wants to send a mail to the admin of the blog engine) and with phpPgAdmin.
> SELinux denials with sendmail:
> audit(1202299741.450:42): avc: denied { search } for pid=12667 comm="sendmail" name="mail" dev=sda6 ino=1573785 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_mail_t:s0 tclass=dir
> audit(1202299741.450:43): avc: denied { search } for pid=12667 comm="sendmail" name="mail" dev=sda6 ino=1573785 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_mail_t:s0 tclass=dir
> audit(1202299741.451:44): avc: denied { getattr } for pid=12667 comm="sendmail" path="/etc/mail" dev=sda6 ino=1573785 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_mail_t:s0 tclass=dir
Turn on the httpd_can_sendmail boolean
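
Added example, not written by anyone in the thread: a small parser for the two denial formats quoted above (kernel AVC records and SE-PostgreSQL's userspace errors) that groups denials by source type, target type and class, then attaches the boolean the replies suggested. `THREAD_HINTS`, `parse_denial` and `summarize` are names invented here, and the hint table encodes only this thread's advice, not an analysis of the loaded policy.

```python
import re
from collections import defaultdict

# Denial lines copied from the messages in this thread.
SAMPLE = """\
audit(1202182131.382:34): avc: denied { name_connect } for pid=2604 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
audit(1202299741.450:42): avc: denied { search } for pid=12667 comm="sendmail" name="mail" dev=sda6 ino=1573785 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_mail_t:s0 tclass=dir
audit(1202299741.451:44): avc: denied { getattr } for pid=12667 comm="sendmail" path="/etc/mail" dev=sda6 ino=1573785 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_mail_t:s0 tclass=dir
ERROR: SELinux: denied { set_param } scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:sepgsql_db_t:s0 tclass=db_database name=dotclear STATEMENT: set datestyle='ISO'
ERROR: SELinux: denied { drop } scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:sepgsql_db_t tclass=db_database name=postgres
"""

# Booleans suggested in the replies, keyed by (source type, target type, class).
# Assumption: this mirrors the thread's advice only; it is not read from policy.
THREAD_HINTS = {
    ("httpd_t", "postgresql_port_t", "tcp_socket"): "httpd_can_network_connect_db",
    ("httpd_t", "etc_mail_t", "dir"): "httpd_can_sendmail",
}

PERMS = re.compile(r"denied\s*\{\s*([^}]+?)\s*\}")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_denial(line):
    """Return a dict describing one denial line, or None if it is not one."""
    m = PERMS.search(line)
    f = {k: v.strip('"') for k, v in FIELD.findall(line)}
    if not m or not {"scontext", "tcontext", "tclass"} <= f.keys():
        return None
    # A context is user:role:type[:level]; the type is the third field.
    src, tgt = f["scontext"].split(":"), f["tcontext"].split(":")
    if len(src) < 3 or len(tgt) < 3:
        return None
    return {"perms": m.group(1).split(), "source": src[2], "target": tgt[2],
            "tclass": f["tclass"], "comm": f.get("comm")}

def summarize(text):
    """Group denials by (source, target, class); attach the thread's hint."""
    perms = defaultdict(set)
    for line in text.splitlines():
        d = parse_denial(line)
        if d:
            perms[(d["source"], d["target"], d["tclass"])].update(d["perms"])
    return [(key, sorted(p), THREAD_HINTS.get(key)) for key, p in sorted(perms.items())]

if __name__ == "__main__":
    for key, p, hint in summarize(SAMPLE):
        print(key, p, hint or "no boolean suggested in the thread")
```

On a live system, `audit2why` answers the same question against the loaded policy rather than a fixed table.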