Skip site navigation (1) Skip section navigation (2)

Re: PHP and PostgreSQL 9.0, pg_connect fails to connect

From: Thomas Harold <thomas-lists(at)nybeta(dot)com>
To: pgsql-general(at)postgresql(dot)org
Subject: Re: PHP and PostgreSQL 9.0, pg_connect fails to connect
Date: 2011-04-27 17:01:16
Message-ID: 4DB84BDC.6070600@nybeta.com (view raw or flat)
Thread:
Lists: pgsql-general
On 4/27/2011 12:24 PM, Michael Nolan wrote:
>
>
> On Wed, Apr 27, 2011 at 10:42 AM, Thomas Harold <thomas-lists(at)nybeta(dot)com
> <mailto:thomas-lists(at)nybeta(dot)com>> wrote:
>
>     On 4/27/2011 9:16 AM, Thomas Harold wrote:
>
>         - SELinux is running, but there are no denied messages in
>         /var/log/audit/audit.log and no setroubleshooting alerts in
>         /var/log/messages either.
>
>
>     Well, interestingly enough it is SELinux getting in the way, but not
>     logging anything.  Temporarily disabling SELinux suddenly makes it work.
>
>     # echo 0 > /selinux/enforce
>     (things now work)
>
>
> This does not surprise me, I've been upgrading a server to Fedora 14 and
> fighting SELInux every inch of the way.  Setting up PostgreSQL on that
> box is coming up on the schedule, maybe forewarned is forearmed. :-)

I've been using SELinux since '07, it still surprises me sometimes. 
Most issues come from mislabeled files (which gets fixed with "semanage 
fcontext" and "restorecon") and the targeted policies in RHEL5 are 
pretty bug-free after this many years.  Of course, I just submitted a 
bug report against the SELinux policy for vsftpd this past month, so 
it's not perfect yet.

In this case it took a full day for the lightbulb to go on and a few 
lucky searches later I found / remembered the booleans.   The only thing 
that perplexes me at the moment is why SELinux is not logging an AVC 
denial in the audit.log file for that particular issue.  I've seen it 
log AVC denials for mislabeled files, so the system is not 100% broken, 
it just was failing in this particular case.

(As a follow up note: In order to make a boolean change permanent, I had 
to add the "-P" option to "setsebool".  Things stopped working again 
after I restarted the server until I flipped the boolean again.

# setsebool -P httpd_can_network_connect_db on

Happily, everything now seems to be working with the PHP software 
package that I was configuring.)

In response to

pgsql-general by date

Next:From: Merlin MoncureDate: 2011-04-27 17:06:01
Subject: Re: Best way to construct PostgreSQL ArrayType (_int4) from C int array
Previous:From: Adrian SchreyerDate: 2011-04-27 17:00:47
Subject: Re: Best way to construct PostgreSQL ArrayType (_int4) from C int array

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group