postgresql with httpd and dotclear
Hello !

I try to use apache and postgresql with the dotclear blog engine.
When I try to enter the database information from the admin config
wizard within the browser, have a selinux denial :

audit(1202182131.382:34): avc: denied { name_connect } for pid=2604
comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket

[root@haderach ~]# ls -Z /home/www/
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t:s0 dotclear

[root@haderach ~]# rpm -q sepostgresql
sepostgresql-8.2.6-1.158.fc8
selinux-policy-3.0.8-81.fc8
selinux-policy-targeted-3.0.8-81.fc8

[root@haderach data]# semodule -l |grep postgre
sepostgresql 1.158

On the other hand, when I try to use phpPgAdmin, it works. But I need to
change: /var/lib/pgsql/data/pg_hba.conf from ident sameuser to
md5 (tried the same for dotclear without success).

Also, from:
http://code.google.com/p/sepgsql/wiki/install_memo_Fedora7
As I'm using F-8, I expect not to need the additional recompiled
selinux-policy-2.6.4-38.sepgsql.fc7.noarch.rpm. (don't know if current
F-7 users will still need it?)
- At least the .sepsql doesn't fit the same version number

Any tips for this ?

Nicolas (kwizart)

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

postgresql with httpd and dotclear
Nicolas Chauvet wrote:
> Hello !
>
> I try to use apache and postgresql with the dotclear blog engine.
> When I try to enter the database information from the admin config
> wizard within the browser, have a selinux denial :
>
> audit(1202182131.382:34): avc: denied { name_connect } for pid=2604
> comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0
> tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
>
> [root@haderach ~]# ls -Z /home/www/
> drwxr-xr-x root root system_u:object_r:httpd_sys_content_t:s0 dotclear
>
> [root@haderach ~]# rpm -q sepostgresql
> sepostgresql-8.2.6-1.158.fc8
> selinux-policy-3.0.8-81.fc8
> selinux-policy-targeted-3.0.8-81.fc8
>
> [root@haderach data]# semodule -l |grep postgre
> sepostgresql 1.158

Can the following command help you?

# setsebool -P httpd_can_network_connect_db=1

> On the other hand, when I try to use phpPgAdmin, it works. But I need to
> change: /var/lib/pgsql/data/pg_hba.conf from ident sameuser to
> md5 (tried the same for dotclear without success).
>
> Also, from:
> http://code.google.com/p/sepgsql/wiki/install_memo_Fedora7
> As I'm using F-8, I expect not to need the additional recompiled
> selinux-policy-2.6.4-38.sepgsql.fc7.noarch.rpm. (don't know if current
> F-7 users will still need it?)
> - At least the .sepsql doesn't fit the same version number

The selinux-policy packages with ".sepgsql" are special care for Fedora 7
users, because selinux-policy-2.x series does not contain the definitions
related to database objects (like, db_table, db_column, ...).

You don't need to replace it, whenever sepostgresql works on Fedora 8.

Thanks,

> Any tips for this ?
>
> Nicolas (kwizart)

postgresql with httpd and dotclear
2008/2/5, KaiGai Kohei <kaigai@ak.jp.nec.com>:
> Nicolas Chauvet wrote:
> > Hello !
> >
> > I try to use apache and postgresql with the dotclear blog engine.
> > When I try to enter the database information from the admin config
> > wizard within the browser, have a selinux denial :
> >
> > audit(1202182131.382:34): avc: denied { name_connect } for pid=2604
> > comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0
> > tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
> >
> > [root@haderach ~]# ls -Z /home/www/
> > drwxr-xr-x root root system_u:object_r:httpd_sys_content_t:s0 dotclear
> >
> > [root@haderach ~]# rpm -q sepostgresql
> > sepostgresql-8.2.6-1.158.fc8
> > selinux-policy-3.0.8-81.fc8
> > selinux-policy-targeted-3.0.8-81.fc8
> >
> > [root@haderach data]# semodule -l |grep postgre
> > sepostgresql 1.158
>
> Can the following command help you?
>
> # setsebool -P httpd_can_network_connect_db=1
>

It does: the error disappeared, but I have another:
from /var/log/sepostgresql.log
FATAL: sepgsql_system_getpeercon(734): 'user_u:user_r:user_t' is not
a valid context

I have also noticed an error in the same log file:
LOG: could not open directory "/usr/share/sepgsql/timezone": File or
directory doens't exist
Where I've made a ln -s timezoneset /usr/share/sepgsql/timezone.

About phpPgAdmin: now I can connect but I have this all the time:
--------------
ERROR: SELinux: denied { set_param }
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:sepgsql_db_t:s0 tclass=db_database
name=dotclear
STATEMENT: set datestyle='ISO'
--------------

Seems related to the command used to set the passwd ?!
psql -d dotclear -c "alter user dotclear with password 'my_passwd'"
I have used that previously from a wiki, without noticing well what
means templates1:
psql -d template1 -c "alter user dotclear with password 'my_passwd'"
and the same error sometimes appears with template1 instead of dotclear

> > On the other hand, when I try to use phpPgAdmin, it works. But I need to
> > change: /var/lib/pgsql/data/pg_hba.conf from ident sameuser to
> > md5 (tried the same for dotclear without success).

Was /var/lib/sepgsql/data/pg_hba.conf from the above

postgresql with httpd and dotclear
KH KH wrote:
> 2008/2/5, KaiGai Kohei <kaigai@ak.jp.nec.com>:
>> Nicolas Chauvet wrote:
>>> Hello !
>>>
>>> I try to use apache and postgresql with the dotclear blog engine.
>>> When I try to enter the database information from the admin config
>>> wizard within the browser, have a selinux denial :
>>>
>>> audit(1202182131.382:34): avc: denied { name_connect } for pid=2604
>>> comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0
>>> tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
>>>
>>> [root@haderach ~]# ls -Z /home/www/
>>> drwxr-xr-x root root system_u:object_r:httpd_sys_content_t:s0 dotclear
>>>
>>> [root@haderach ~]# rpm -q sepostgresql
>>> sepostgresql-8.2.6-1.158.fc8
>>> selinux-policy-3.0.8-81.fc8
>>> selinux-policy-targeted-3.0.8-81.fc8
>>>
>>> [root@haderach data]# semodule -l |grep postgre
>>> sepostgresql 1.158
>> Can the following command help you?
>>
>> # setsebool -P httpd_can_network_connect_db=1
>>
> It does: the error disappeared, but I have another:
> from /var/log/sepostgresql.log
> FATAL: sepgsql_system_getpeercon(734): 'user_u:user_r:user_t' is not
> a valid context

I guess you try to connect SE-PostgreSQL running on another host without
any labeled networking configuration.
SE-PostgreSQL tries to apply fallbacked security context when it cannot
obtain peer's context. The 'user_u:user_r:user_t' is default fallbacked
context.

Please confirm whether mcstransd is running, or not.
If not running, please start it.

> I have also noticed an error in the same log file:
> LOG: could not open directory "/usr/share/sepgsql/timezone": File or
> directory doens't exist
> Where I've made a ln -s timezoneset /usr/share/sepgsql/timezone.

It seems to me packaging error. I'll fix soon.

> About phpPgAdmin: now I can connect but I have this all the time:
> --------------
> ERROR: SELinux: denied { set_param }
> scontext=system_u:system_r:httpd_t:s0
> tcontext=system_u:object_r:sepgsql_db_t:s0 tclass=db_database
> name=dotclear
> STATEMENT: set datestyle='ISO'
> --------------

The default security policy for SE-PostgreSQL does not allow to execute
"SET ..." statement by non-administrative users.
However, it might not be an appropriate policy. I'll update this part of
policy on the next update. Please wait for some days.

> Seems related to the command used to set the passwd ?!
> psql -d dotclear -c "alter user dotclear with password 'my_passwd'"
> I have used that previously from a wiki, without noticing well what
> means templates1:
> psql -d template1 -c "alter user dotclear with password 'my_passwd'"
> and the same error sometimes appears with template1 instead of dotclear

Is it really same errors?

tuple:{update} on sepgsql_sysobj_t should be evaluated with ALTER USER statement.

If you want non-administrative users to execute the statement,
"sepgsql_enable_users_ddl" boolean should be turned on.

Thanks,

>>> On the other hand, when I try to use phpPgAdmin, it works. But I need to
>>> change: /var/lib/pgsql/data/pg_hba.conf from ident sameuser to
>>> md5 (tried the same for dotclear without success).
> Was /var/lib/sepgsql/data/pg_hba.conf from the above

--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>

postgresql with httpd and dotclear
2008/2/6, Kohei KaiGai <kaigai@ak.jp.nec.com>:
> KH KH wrote:
> > 2008/2/5, KaiGai Kohei <kaigai@ak.jp.nec.com>:
> >> Nicolas Chauvet wrote:
> >>> Hello !
> >>>
> >>> I try to use apache and postgresql with the dotclear blog engine.
> >>> When I try to enter the database information from the admin config
> >>> wizard within the browser, have a selinux denial :
> >>>
> >>> audit(1202182131.382:34): avc: denied { name_connect } for pid=2604
> >>> comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0
> >>> tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
> >>>
> >>> [root@haderach ~]# ls -Z /home/www/
> >>> drwxr-xr-x root root system_u:object_r:httpd_sys_content_t:s0 dotclear
> >>>
> >>> [root@haderach ~]# rpm -q sepostgresql
> >>> sepostgresql-8.2.6-1.158.fc8
> >>> selinux-policy-3.0.8-81.fc8
> >>> selinux-policy-targeted-3.0.8-81.fc8
> >>>
> >>> [root@haderach data]# semodule -l |grep postgre
> >>> sepostgresql 1.158
> >> Can the following command help you?
> >>
> >> # setsebool -P httpd_can_network_connect_db=1
> >>
> > It does: the error disappeared, but I have another:
> > from /var/log/sepostgresql.log
> > FATAL: sepgsql_system_getpeercon(734): 'user_u:user_r:user_t' is not
> > a valid context
>
> I guess you try to connect SE-PostgreSQL running on another host without
> any labeled networking configuration.
> SE-PostgreSQL tries to apply fallbacked security context when it cannot
> obtain peer's context. The 'user_u:user_r:user_t' is default fallbacked
> context.
>
> Please confirm whether mcstransd is running, or not.
> If not running, please start it.

mcstrans installed and started, this solved many problems.
Actually I'm running SE-PostgreSQL on my server host with phpPgAdmin
on the same host but browsed from my workstation.

Now I can enter the parameters from the database and setup my blog engine, thx.
It remains some Selinux denials with sendmail (dotclear wants to send a
mail to the admin of the blog engine) and with phpPgAdmin

Selinux denials with sendmail:
-------------------
audit(1202299741.450:42): avc: denied { search } for pid=12667
comm="sendmail" name="mail" dev=sda6 ino=1573785
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:etc_mail_t:s0 tclass=dir
audit(1202299741.450:43): avc: denied { search } for pid=12667
comm="sendmail" name="mail" dev=sda6 ino=1573785
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:etc_mail_t:s0 tclass=dir
audit(1202299741.451:44): avc: denied { getattr } for pid=12667
comm="sendmail" path="/etc/mail" dev=sda6 ino=1573785
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:etc_mail_t:s0 tclass=dir
-------------------

> > I have also noticed an error in the same log file:
> > LOG: could not open directory "/usr/share/sepgsql/timezone": File or
> > directory doens't exist
> > Where I've made a ln -s timezoneset /usr/share/sepgsql/timezone.
>
> It seems to me packaging error. I'll fix soon.
>
> > About phpPgAdmin: now I can connect but I have this all the time:
> > --------------
> > ERROR: SELinux: denied { set_param }
> > scontext=system_u:system_r:httpd_t:s0
> > tcontext=system_u:object_r:sepgsql_db_t:s0 tclass=db_database
> > name=dotclear
> > STATEMENT: set datestyle='ISO'
> > --------------
>
> The default security policy for SE-PostgreSQL does not allow to execute
> "SET ..." statement by non-administrative users.
> However, it might not be an appropriate policy. I'll update this part of
> policy on the next update. Please wait for some days.
>
> > Seems related to the command used to set the passwd ?!
> > psql -d dotclear -c "alter user dotclear with password 'my_passwd'"
> > I have used that previously from a wiki, without noticing well what
> > means templates1:
> > psql -d template1 -c "alter user dotclear with password 'my_passwd'"
> > and the same error sometimes appears with template1 instead of dotclear
>
> Is it really same errors?

This error also appears all the time with phpPgAdmin but with a
different name={dotclear,template1}. The second one appears when I
want to delete an unused database:
-------------------------
Erreur SQL :

ERROR: SELinux: denied { set_param }
scontext=system_u:system_r:httpd_t
tcontext=system_u:object_r:sepgsql_db_t tclass=db_database
name=template1

Dans l'instruction :
set datestyle='ISO'
-------------------------
Erreur SQL :

ERROR: SELinux: denied { drop } scontext=system_u:system_r:httpd_t
tcontext=system_u:object_r:sepgsql_db_t tclass=db_database
name=postgres

Dans l'instruction :
DROP DATABASE "postgres"
--------------------------

> tuple:{update} on sepgsql_sysobj_t should be evaluated with ALTER USER statement.
>
> If you want non-administrative users to execute the statement,
> "sepgsql_enable_users_ddl" boolean should be turned on.

I have turned this on also, actually even connected from sepgsql user
shows the error.

Thx for your help!

Nicolas (kwizart)

postgresql with httpd and dotclear
KH KH wrote:
> 2008/2/6, Kohei KaiGai <kaigai@ak.jp.nec.com>:
>> KH KH wrote:
>>> 2008/2/5, KaiGai Kohei <kaigai@ak.jp.nec.com>:
>>>> Nicolas Chauvet wrote:
>>>>> Hello !
>>>>>
>>>>> I try to use apache and postgresql with the dotclear blog engine.
>>>>> When I try to enter the database information from the admin config
>>>>> wizard within the browser, have a selinux denial :
>>>>>
>>>>> audit(1202182131.382:34): avc: denied { name_connect } for pid=2604
>>>>> comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0
>>>>> tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
>>>>>
>>>>> [root@haderach ~]# ls -Z /home/www/
>>>>> drwxr-xr-x root root system_u:object_r:httpd_sys_content_t:s0 dotclear
>>>>>
>>>>> [root@haderach ~]# rpm -q sepostgresql
>>>>> sepostgresql-8.2.6-1.158.fc8
>>>>> selinux-policy-3.0.8-81.fc8
>>>>> selinux-policy-targeted-3.0.8-81.fc8
>>>>>
>>>>> [root@haderach data]# semodule -l |grep postgre
>>>>> sepostgresql 1.158
>>>> Can the following command help you?
>>>>
>>>> # setsebool -P httpd_can_network_connect_db=1
>>>>
>>> It does: the error disappeared, but I have another:
>>> from /var/log/sepostgresql.log
>>> FATAL: sepgsql_system_getpeercon(734): 'user_u:user_r:user_t' is not
>>> a valid context
>> I guess you try to connect SE-PostgreSQL running on another host without
>> any labeled networking configuration.
>> SE-PostgreSQL tries to apply fallbacked security context when it cannot
>> obtain peer's context. The 'user_u:user_r:user_t' is default fallbacked
>> context.
>>
>> Please confirm whether mcstransd is running, or not.
>> If not running, please start it.
> mcstrans installed and started, this solved many problems.
> Actually I'm running SE-PostgreSQL on my server host with phpPgAdmin
> on the same host but browsed from my workstation.
>
> Now I can enter the parameters from the database and setup my blog engine, thx.
> It remains some Selinux denials with sendmail (dotclear wants to send a
> mail to the admin of the blog engine) and with phpPgAdmin
>
> Selinux denials with sendmail:
> -------------------
> audit(1202299741.450:42): avc: denied { search } for pid=12667
> comm="sendmail" name="mail" dev=sda6 ino=1573785
> scontext=system_u:system_r:httpd_t:s0
> tcontext=system_u:object_r:etc_mail_t:s0 tclass=dir
> audit(1202299741.450:43): avc: denied { search } for pid=12667
> comm="sendmail" name="mail" dev=sda6 ino=1573785
> scontext=system_u:system_r:httpd_t:s0
> tcontext=system_u:object_r:etc_mail_t:s0 tclass=dir
> audit(1202299741.451:44): avc: denied { getattr } for pid=12667
> comm="sendmail" path="/etc/mail" dev=sda6 ino=1573785
> scontext=system_u:system_r:httpd_t:s0
> tcontext=system_u:object_r:etc_mail_t:s0 tclass=dir

Turn on the httpd_can_sendmail boolean

> -------------------
>
>>> I have also noticed an error in the same log file:
>>> LOG: could not open directory "/usr/share/sepgsql/timezone": File or
>>> directory doens't exist
>>> Where I've made a ln -s timezoneset /usr/share/sepgsql/timezone.
>> It seems to me packaging error. I'll fix soon.
>>
>>> About phpPgAdmin: now I can connect but I have this all the time:
>>> --------------
>>> ERROR: SELinux: denied { set_param }
>>> scontext=system_u:system_r:httpd_t:s0
>>> tcontext=system_u:object_r:sepgsql_db_t:s0 tclass=db_database
>>> name=dotclear
>>> STATEMENT: set datestyle='ISO'
>>> --------------
>> The default security policy for SE-PostgreSQL does not allow to execute
>> "SET ..." statement by non-administrative users.
>> However, it might not be an appropriate policy. I'll update this part of
>> policy on the next update. Please wait for some days.
>>
>>> Seems related to the command used to set the passwd ?!
>>> psql -d dotclear -c "alter user dotclear with password 'my_passwd'"
>>> I have used that previously from a wiki, without noticing well what
>>> means templates1:
>>> psql -d template1 -c "alter user dotclear with password 'my_passwd'"
>>> and the same error sometimes appears with template1 instead of dotclear
>> Is it really same errors?
> This error also appears all the time with phpPgAdmin but with a
> different name={dotclear,template1}. The second one appears when I
> want to delete an unused database:
> -------------------------
> Erreur SQL :
>
> ERROR: SELinux: denied { set_param }
> scontext=system_u:system_r:httpd_t
> tcontext=system_u:object_r:sepgsql_db_t tclass=db_database
> name=template1
>
> Dans l'instruction :
> set datestyle='ISO'
> -------------------------
> Erreur SQL :
>
> ERROR: SELinux: denied { drop } scontext=system_u:system_r:httpd_t
> tcontext=system_u:object_r:sepgsql_db_t tclass=db_database
> name=postgres
>
> Dans l'instruction :
> DROP DATABASE "postgres"
> --------------------------
>> tuple:{update} on sepgsql_sysobj_t should be evaluated with ALTER USER statement.
>>
>> If you want non-administrative users to execute the statement,
>> "sepgsql_enable_users_ddl" boolean should be turned on.
> I have turned this on also, actually even connected from sepgsql user
> shows the error.
>
> Thx for your help!
>
> Nicolas (kwizart)
