
Nicolas Chauvet 02-05-2008 01:02 PM

postgresql with httpd and dotclear
 
Hello !

I try to use apache and postgresql with the dotclear blog engine.
When I try to enter the database information from the admin config
wizard within the browser, I have a SELinux denial:

audit(1202182131.382:34): avc: denied { name_connect } for pid=2604
comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket

[root@haderach ~]# ls -Z /home/www/
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t:s0 dotclear

[root@haderach ~]# rpm -q sepostgresql
sepostgresql-8.2.6-1.158.fc8
selinux-policy-3.0.8-81.fc8
selinux-policy-targeted-3.0.8-81.fc8

[root@haderach data]# semodule -l |grep postgre
sepostgresql 1.158

On the other hand, when I try to use phpPgAdmin, it works. But I need to
change /var/lib/pgsql/data/pg_hba.conf from ident sameuser to
md5 (tried the same for dotclear without success).

Also, from: http://code.google.com/p/sepgsql/wiki/install_memo_Fedora7
As I'm using F-8, I expect not to need the additional recompiled
selinux-policy-2.6.4-38.sepgsql.fc7.noarch.rpm. (don't know if current
F-7 users will still need it?) - At least the .sepsql doesn't fit the
same version number

Any tips for this ?


Nicolas (kwizart)

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

KaiGai Kohei 02-05-2008 01:54 PM

postgresql with httpd and dotclear
 
Nicolas Chauvet wrote:
> Hello !
>
> I try to use apache and postgresql with the dotclear blog engine.
> When I try to enter the database information from the admin config
> wizard within the browser, I have a SELinux denial:
>
> audit(1202182131.382:34): avc: denied { name_connect } for pid=2604
> comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0
> tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
>
> [root@haderach ~]# ls -Z /home/www/
> drwxr-xr-x root root system_u:object_r:httpd_sys_content_t:s0 dotclear
>
> [root@haderach ~]# rpm -q sepostgresql
> sepostgresql-8.2.6-1.158.fc8
> selinux-policy-3.0.8-81.fc8
> selinux-policy-targeted-3.0.8-81.fc8
>
> [root@haderach data]# semodule -l |grep postgre
> sepostgresql 1.158


Can the following command help you?

# setsebool -P httpd_can_network_connect_db=1


> On the other hand, when I try to use phpPgAdmin, it works. But I need to
> change /var/lib/pgsql/data/pg_hba.conf from ident sameuser to
> md5 (tried the same for dotclear without success).
>
> Also, from: http://code.google.com/p/sepgsql/wiki/install_memo_Fedora7
> As I'm using F-8, I expect not to need the additional recompiled
> selinux-policy-2.6.4-38.sepgsql.fc7.noarch.rpm. (don't know if current
> F-7 users will still need it?) - At least the .sepsql doesn't fit the
> same version number


The selinux-policy packages with ".sepgsql" are a special measure for Fedora 7
users, because the selinux-policy-2.x series does not contain the definitions
related to database objects (like db_table, db_column, ...)

You don't need to replace it, whenever sepostgresql works on Fedora 8.

Thanks,


> Any tips for this ?
>
>
> Nicolas (kwizart)


"KH KH" 02-05-2008 08:04 PM

postgresql with httpd and dotclear
 
2008/2/5, KaiGai Kohei <kaigai@ak.jp.nec.com>:
> Nicolas Chauvet wrote:
> > Hello !
> >
> > I try to use apache and postgresql with the dotclear blog engine.
> > When I try to enter the database information from the admin config
> > wizard within the browser, I have a SELinux denial:
> >
> > audit(1202182131.382:34): avc: denied { name_connect } for pid=2604
> > comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0
> > tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
> >
> > [root@haderach ~]# ls -Z /home/www/
> > drwxr-xr-x root root system_u:object_r:httpd_sys_content_t:s0 dotclear
> >
> > [root@haderach ~]# rpm -q sepostgresql
> > sepostgresql-8.2.6-1.158.fc8
> > selinux-policy-3.0.8-81.fc8
> > selinux-policy-targeted-3.0.8-81.fc8
> >
> > [root@haderach data]# semodule -l |grep postgre
> > sepostgresql 1.158
>
> Can the following command help you?
>
> # setsebool -P httpd_can_network_connect_db=1
>
It does: the error disappeared, but I have another:
from /var/log/sepostgresql.log
FATAL: sepgsql_system_getpeercon(734): 'user_u:user_r:user_t' is not
a valid context

I have also noticed an error in the same log file:
LOG: could not open directory "/usr/share/sepgsql/timezone": File or
directory doesn't exist
Where I've made a ln -s timezoneset /usr/share/sepgsql/timezone.

About phpPgAdmin: now I can connect but I have this all the time:
--------------
ERROR: SELinux: denied { set_param }
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:sepgsql_db_t:s0 tclass=db_database
name=dotclear
STATEMENT: set datestyle='ISO'
--------------
Seems related to the command used to set the passwd?!
psql -d dotclear -c "alter user dotclear with password 'my_passwd'"
I have used that previously from a wiki, without really noticing what
template1 means:
psql -d template1 -c "alter user dotclear with password 'my_passwd'"
and the same error sometimes appears with template1 instead of dotclear

> > On the other hand, when I try to use phpPgAdmin, it works. But I need to
> > change /var/lib/pgsql/data/pg_hba.conf from ident sameuser to
> > md5 (tried the same for dotclear without success).
Was /var/lib/sepgsql/data/pg_hba.conf from the above


Kohei KaiGai 02-06-2008 12:02 AM

postgresql with httpd and dotclear
 
KH KH wrote:
> 2008/2/5, KaiGai Kohei <kaigai@ak.jp.nec.com>:
>> Nicolas Chauvet wrote:
>>> Hello !
>>>
>>> I try to use apache and postgresql with the dotclear blog engine.
>>> When I try to enter the database information from the admin config
>>> wizard within the browser, I have a SELinux denial:
>>>
>>> audit(1202182131.382:34): avc: denied { name_connect } for pid=2604
>>> comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0
>>> tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
>>>
>>> [root@haderach ~]# ls -Z /home/www/
>>> drwxr-xr-x root root system_u:object_r:httpd_sys_content_t:s0 dotclear
>>>
>>> [root@haderach ~]# rpm -q sepostgresql
>>> sepostgresql-8.2.6-1.158.fc8
>>> selinux-policy-3.0.8-81.fc8
>>> selinux-policy-targeted-3.0.8-81.fc8
>>>
>>> [root@haderach data]# semodule -l |grep postgre
>>> sepostgresql 1.158
>>
>> Can the following command help you?
>>
>> # setsebool -P httpd_can_network_connect_db=1


> It does: the error disappeared, but I have another:
> from /var/log/sepostgresql.log
> FATAL: sepgsql_system_getpeercon(734): 'user_u:user_r:user_t' is not
> a valid context


I guess you are trying to connect to SE-PostgreSQL running on another host without
any labeled networking configuration.
SE-PostgreSQL tries to apply a fallback security context when it cannot
obtain the peer's context. 'user_u:user_r:user_t' is the default fallback
context.

Please confirm whether mcstransd is running, or not.
If not running, please start it.


> I have also noticed an error in the same log file:
> LOG: could not open directory "/usr/share/sepgsql/timezone": File or
> directory doesn't exist
> Where I've made a ln -s timezoneset /usr/share/sepgsql/timezone.

It seems to me a packaging error. I'll fix it soon.


> About phpPgAdmin: now I can connect but I have this all the time:
> --------------
> ERROR: SELinux: denied { set_param }
> scontext=system_u:system_r:httpd_t:s0
> tcontext=system_u:object_r:sepgsql_db_t:s0 tclass=db_database
> name=dotclear
> STATEMENT: set datestyle='ISO'
> --------------

The default security policy for SE-PostgreSQL does not allow
non-administrative users to execute "SET ..." statements.
However, it might not be an appropriate policy. I'll update this part of
the policy in the next update. Please wait a few days.


> Seems related to the command used to set the passwd?!
> psql -d dotclear -c "alter user dotclear with password 'my_passwd'"
> I have used that previously from a wiki, without really noticing what
> template1 means:
> psql -d template1 -c "alter user dotclear with password 'my_passwd'"
> and the same error sometimes appears with template1 instead of dotclear

Is it really the same error?
tuple:{update} on sepgsql_sysobj_t should be evaluated with the ALTER USER statement.

If you want non-administrative users to execute the statement,
the "sepgsql_enable_users_ddl" boolean should be turned on.

Thanks,


>>> On the other hand, when I try to use phpPgAdmin, it works. But I need to
>>> change /var/lib/pgsql/data/pg_hba.conf from ident sameuser to
>>> md5 (tried the same for dotclear without success).
>
> Was /var/lib/sepgsql/data/pg_hba.conf from the above


--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>


"KH KH" 02-06-2008 11:23 AM

postgresql with httpd and dotclear
 
2008/2/6, Kohei KaiGai <kaigai@ak.jp.nec.com>:
> KH KH wrote:
> > 2008/2/5, KaiGai Kohei <kaigai@ak.jp.nec.com>:
> >> Nicolas Chauvet wrote:
> >>> Hello !
> >>>
> >>> I try to use apache and postgresql with the dotclear blog engine.
> >>> When I try to enter the database information from the admin config
> >>> wizard within the browser, I have a SELinux denial:
> >>>
> >>> audit(1202182131.382:34): avc: denied { name_connect } for pid=2604
> >>> comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0
> >>> tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
> >>>
> >>> [root@haderach ~]# ls -Z /home/www/
> >>> drwxr-xr-x root root system_u:object_r:httpd_sys_content_t:s0 dotclear
> >>>
> >>> [root@haderach ~]# rpm -q sepostgresql
> >>> sepostgresql-8.2.6-1.158.fc8
> >>> selinux-policy-3.0.8-81.fc8
> >>> selinux-policy-targeted-3.0.8-81.fc8
> >>>
> >>> [root@haderach data]# semodule -l |grep postgre
> >>> sepostgresql 1.158
> >> Can the following command help you?
> >>
> >> # setsebool -P httpd_can_network_connect_db=1
> >>
> > It does: the error disappeared, but I have another:
> > from /var/log/sepostgresql.log
> > FATAL: sepgsql_system_getpeercon(734): 'user_u:user_r:user_t' is not
> > a valid context
>
> I guess you are trying to connect to SE-PostgreSQL running on another host without
> any labeled networking configuration.
> SE-PostgreSQL tries to apply a fallback security context when it cannot
> obtain the peer's context. 'user_u:user_r:user_t' is the default fallback
> context.
>
> Please confirm whether mcstransd is running, or not.
> If not running, please start it.
mcstrans installed and started, this solved many problems.
Actually I'm running SE-PostgreSQL on my server host with phpPgAdmin
on the same host but browsed from my workstation.

Now I can enter the parameters from the database and set up my blog engine, thx.
There remain some SELinux denials with sendmail (dotclear wants to send a
mail to the admin of the blog engine) and with phpPgAdmin

Selinux denials with sendmail:
-------------------
audit(1202299741.450:42): avc: denied { search } for pid=12667
comm="sendmail" name="mail" dev=sda6 ino=1573785
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:etc_mail_t:s0 tclass=dir
audit(1202299741.450:43): avc: denied { search } for pid=12667
comm="sendmail" name="mail" dev=sda6 ino=1573785
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:etc_mail_t:s0 tclass=dir
audit(1202299741.451:44): avc: denied { getattr } for pid=12667
comm="sendmail" path="/etc/mail" dev=sda6 ino=1573785
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:etc_mail_t:s0 tclass=dir
-------------------

> > I have also noticed an error in the same log file:
> > LOG: could not open directory "/usr/share/sepgsql/timezone": File or
> > directory doesn't exist
> > Where I've made a ln -s timezoneset /usr/share/sepgsql/timezone.
>
> It seems to me a packaging error. I'll fix it soon.
>
> > About phpPgAdmin: now I can connect but I have this all the time:
> > --------------
> > ERROR: SELinux: denied { set_param }
> > scontext=system_u:system_r:httpd_t:s0
> > tcontext=system_u:object_r:sepgsql_db_t:s0 tclass=db_database
> > name=dotclear
> > STATEMENT: set datestyle='ISO'
> > --------------
>
> The default security policy for SE-PostgreSQL does not allow
> non-administrative users to execute "SET ..." statements.
> However, it might not be an appropriate policy. I'll update this part of
> the policy in the next update. Please wait a few days.
>
> > Seems related to the command used to set the passwd?!
> > psql -d dotclear -c "alter user dotclear with password 'my_passwd'"
> > I have used that previously from a wiki, without really noticing what
> > template1 means:
> > psql -d template1 -c "alter user dotclear with password 'my_passwd'"
> > and the same error sometimes appears with template1 instead of dotclear
>
> Is it really the same error?
This error also appears all the time with phpPgAdmin but with a
different name={dotclear,template1}. The second one appears when I
want to delete an unused database:
-------------------------
Erreur SQL :

ERROR: SELinux: denied { set_param }
scontext=system_u:system_r:httpd_t
tcontext=system_u:object_r:sepgsql_db_t tclass=db_database
name=template1

Dans l'instruction :
set datestyle='ISO'
-------------------------
Erreur SQL :

ERROR: SELinux: denied { drop } scontext=system_u:system_r:httpd_t
tcontext=system_u:object_r:sepgsql_db_t tclass=db_database
name=postgres

Dans l'instruction :
DROP DATABASE "postgres"
--------------------------
> tuple:{update} on sepgsql_sysobj_t should be evaluated with the ALTER USER statement.
>
> If you want non-administrative users to execute the statement,
> the "sepgsql_enable_users_ddl" boolean should be turned on.
I have turned this on also; actually, even connecting as the sepgsql user
shows the error.

Thx for your help!

Nicolas (kwizart)


Daniel J Walsh 02-06-2008 02:26 PM

postgresql with httpd and dotclear
 
KH KH wrote:
> 2008/2/6, Kohei KaiGai <kaigai@ak.jp.nec.com>:
>> KH KH wrote:
>>> 2008/2/5, KaiGai Kohei <kaigai@ak.jp.nec.com>:
>>>> Nicolas Chauvet wrote:
>>>>> Hello !
>>>>>
>>>>> I try to use apache and postgresql with the dotclear blog engine.
>>>>> When I try to enter the database information from the admin config
>>>>> wizard within the browser, I have a SELinux denial:
>>>>>
>>>>> audit(1202182131.382:34): avc: denied { name_connect } for pid=2604
>>>>> comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0
>>>>> tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
>>>>>
>>>>> [root@haderach ~]# ls -Z /home/www/
>>>>> drwxr-xr-x root root system_u:object_r:httpd_sys_content_t:s0 dotclear
>>>>>
>>>>> [root@haderach ~]# rpm -q sepostgresql
>>>>> sepostgresql-8.2.6-1.158.fc8
>>>>> selinux-policy-3.0.8-81.fc8
>>>>> selinux-policy-targeted-3.0.8-81.fc8
>>>>>
>>>>> [root@haderach data]# semodule -l |grep postgre
>>>>> sepostgresql 1.158
>>>> Can the following command help you?
>>>>
>>>> # setsebool -P httpd_can_network_connect_db=1
>>>>
>>> It does: the error disappeared, but I have another:
>>> from /var/log/sepostgresql.log
>>> FATAL: sepgsql_system_getpeercon(734): 'user_u:user_r:user_t' is not
>>> a valid context
>> I guess you are trying to connect to SE-PostgreSQL running on another host without
>> any labeled networking configuration.
>> SE-PostgreSQL tries to apply a fallback security context when it cannot
>> obtain the peer's context. 'user_u:user_r:user_t' is the default fallback
>> context.
>>
>> Please confirm whether mcstransd is running, or not.
>> If not running, please start it.
> mcstrans installed and started, this solved many problems.
> Actually I'm running SE-PostgreSQL on my server host with phpPgAdmin
> on the same host but browsed from my workstation.
>
> Now I can enter the parameters from the database and set up my blog engine, thx.
> There remain some SELinux denials with sendmail (dotclear wants to send a
> mail to the admin of the blog engine) and with phpPgAdmin
>
> Selinux denials with sendmail:
> -------------------
> audit(1202299741.450:42): avc: denied { search } for pid=12667
> comm="sendmail" name="mail" dev=sda6 ino=1573785
> scontext=system_u:system_r:httpd_t:s0
> tcontext=system_u:object_r:etc_mail_t:s0 tclass=dir
> audit(1202299741.450:43): avc: denied { search } for pid=12667
> comm="sendmail" name="mail" dev=sda6 ino=1573785
> scontext=system_u:system_r:httpd_t:s0
> tcontext=system_u:object_r:etc_mail_t:s0 tclass=dir
> audit(1202299741.451:44): avc: denied { getattr } for pid=12667
> comm="sendmail" path="/etc/mail" dev=sda6 ino=1573785
> scontext=system_u:system_r:httpd_t:s0
> tcontext=system_u:object_r:etc_mail_t:s0 tclass=dir
Turn on the httpd_can_sendmail boolean

> -------------------
>
>>> I have also noticed an error in the same log file:
>>> LOG: could not open directory "/usr/share/sepgsql/timezone": File or
>>> directory doesn't exist
>>> Where I've made a ln -s timezoneset /usr/share/sepgsql/timezone.
>> It seems to me a packaging error. I'll fix it soon.
>>
>>> About phpPgAdmin: now I can connect but I have this all the time:
>>> --------------
>>> ERROR: SELinux: denied { set_param }
>>> scontext=system_u:system_r:httpd_t:s0
>>> tcontext=system_u:object_r:sepgsql_db_t:s0 tclass=db_database
>>> name=dotclear
>>> STATEMENT: set datestyle='ISO'
>>> --------------
>> The default security policy for SE-PostgreSQL does not allow
>> non-administrative users to execute "SET ..." statements.
>> However, it might not be an appropriate policy. I'll update this part of
>> the policy in the next update. Please wait a few days.
>>
>>> Seems related to the command used to set the passwd?!
>>> psql -d dotclear -c "alter user dotclear with password 'my_passwd'"
>>> I have used that previously from a wiki, without really noticing what
>>> template1 means:
>>> psql -d template1 -c "alter user dotclear with password 'my_passwd'"
>>> and the same error sometimes appears with template1 instead of dotclear
>> Is it really the same error?
> This error also appears all the time with phpPgAdmin but with a
> different name={dotclear,template1}. The second one appears when I
> want to delete an unused database:
> -------------------------
> Erreur SQL :
>
> ERROR: SELinux: denied { set_param }
> scontext=system_u:system_r:httpd_t
> tcontext=system_u:object_r:sepgsql_db_t tclass=db_database
> name=template1
>
> Dans l'instruction :
> set datestyle='ISO'
> -------------------------
> Erreur SQL :
>
> ERROR: SELinux: denied { drop } scontext=system_u:system_r:httpd_t
> tcontext=system_u:object_r:sepgsql_db_t tclass=db_database
> name=postgres
>
> Dans l'instruction :
> DROP DATABASE "postgres"
> --------------------------
>> tuple:{update} on sepgsql_sysobj_t should be evaluated with the ALTER USER statement.
>>
>> If you want non-administrative users to execute the statement,
>> the "sepgsql_enable_users_ddl" boolean should be turned on.
> I have turned this on also; actually, even connecting as the sepgsql user
> shows the error.
>
> Thx for your help!
>
> Nicolas (kwizart)

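The two kernel denials in this thread were each answered with a boolean (httpd_can_network_connect_db and httpd_can_sendmail). The script below is an added example, not part of the thread or of any SELinux tool: it parses AVC lines into source type, target type, class and permission, then maps them to the boolean named in the replies. The function names are hypothetical and the mapping covers only the two cases the thread answers.

```bash
#!/bin/bash
# Added example: triage kernel AVC denials like the ones quoted in this thread.

# Sample input: three denials copied from the thread, each rejoined onto one
# line (the mail client wrapped them; the kernel logs one record per line).
SAMPLE_AVC='audit(1202182131.382:34): avc: denied { name_connect } for pid=2604 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
audit(1202299741.450:42): avc: denied { search } for pid=12667 comm="sendmail" name="mail" dev=sda6 ino=1573785 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_mail_t:s0 tclass=dir
audit(1202299741.451:44): avc: denied { getattr } for pid=12667 comm="sendmail" path="/etc/mail" dev=sda6 ino=1573785 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_mail_t:s0 tclass=dir'

# parse_avc: read log lines on stdin and print
# "source_type target_type class perms" for every AVC denial found.
# The type is the third colon-separated field of a security context.
parse_avc() {
    awk '
    /avc: +denied/ {
        perms = ""; src = ""; tgt = ""; cls = ""
        if (match($0, /\{[^}]*\}/)) {
            perms = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perms); gsub(/ +/, ",", perms)
        }
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) { split(substr($i, 10), c, ":"); src = c[3] }
            if ($i ~ /^tcontext=/) { split(substr($i, 10), c, ":"); tgt = c[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        if (src != "" && tgt != "" && cls != "") print src, tgt, cls, perms
    }'
}

# suggest_boolean: map one parsed denial to the boolean named in the thread.
# Only the two cases answered in this thread are covered; anything else is
# reported as "review" rather than guessed.
suggest_boolean() {  # args: source_type target_type class
    case "$1:$2:$3" in
        httpd_t:postgresql_port_t:tcp_socket) echo httpd_can_network_connect_db ;;
        httpd_t:etc_mail_t:dir)               echo httpd_can_sendmail ;;
        *)                                    echo review ;;
    esac
}

# triage: print one "boolean source->target:class" line per distinct denial.
triage() {
    parse_avc | while read -r src tgt cls perms; do
        echo "$(suggest_boolean "$src" "$tgt" "$cls") $src->$tgt:$cls"
    done | sort -u
}

printf '%s\n' "$SAMPLE_AVC" | triage
```

On a live system, audit2why answers the same question from the loaded policy, and getsebool shows a boolean's current value before setsebool -P changes it for every script that runs as httpd_t.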


All times are GMT.