Re: [GENERAL] Unable to connect to Postgresql

From Joe Conway
Subject Re: [GENERAL] Unable to connect to Postgresql
Date
Msg-id 27e4dfae-4ffe-a333-4a0c-7147cb1b988f@joeconway.com
In reply to Re: [GENERAL] Unable to connect to Postgresql  (John Iliffe <john.iliffe@iliffe.ca>)
Responses Re: [GENERAL] Unable to connect to Postgresql  (John Iliffe <john.iliffe@iliffe.ca>)
List pgsql-general
On 04/08/2017 06:31 AM, John Iliffe wrote:
> On Saturday 08 April 2017 00:10:14 Adrian Klaver wrote:
>> On 04/07/2017 07:45 PM, Joe Conway wrote:
>> > On 04/07/2017 05:35 PM, Adrian Klaver wrote:
>> >> On 04/07/2017 05:03 PM, John Iliffe wrote:
>> >>>>> Running on Fedora 25 with SELinux in PERMISSIVE mode.  The audit
>> >>>>> log shows no hits on Postgresql.
>> >>>
>> >>> My going in position was/still is, that this is a SELinux security
>> >>> problem
>> >>> but I am finding SELinux to be the most opaque and badly documented
>> >>> software
>> >>> that I have ever had to deal with, which is why it is running in
>> >>> permissive
>> >>> mode at the moment.
>> >>
>> >> Well, what I know about SELinux would fit in the navel of a flea (tip
>> >> of the hat to David Niven), so I can not be of much help there. The
>> >> reason I returned this thread to the list is that there are folks
>> >> that do understand it.
>> >
>> > If SELinux is running in permissive I don't see how it could be at
>> > fault for your issue. Did you verify that (getenforce)?
>> >
>> >>> --------------------------
>> >>> [Fri Apr 07 17:03:28.597101 2017] [php7:warn] [pid 1797:tid
>> >>> 140599445419776] [client 192.168.1.10:45127] PHP Warning:
>> >>> pg_connect(): Unable to connect to PostgreSQL server: could not
>> >>> connect to server: No such file or directory\n\tIs the server
>> >>> running locally and
>> >>> accepting\n\tconnections on Unix domain socket
>> >>> "/tmp/.s.PGSQL.5432"? in /httpd/iliffe/testfcgi.php on
>> >>> line 121 ----------------------------
>> >
>> > This might be a silly question, but is PHP running on the same server
>> > as Postgres?
>>
>> To add to this, previously you mentioned:
>>
>> "Also, using the on board firewall (firewalld) to provide a secondary
>> domain where the actual business processes run. "
>>
>> What exactly does that mean?
>>
> There is something rather odd here.
>
> getenforce shows the mode as permissive, which is what I think it is.

If getenforce shows you are in permissive, then selinux is not your
problem, full stop.

> BUT, this morning's logwatch report shows:
>
>  *** Denials ***
>     system_u system_u (tcp_socket): 1 times

selinux will continue to log denials in permissive -- this is useful to
determine what would have been blocked by selinux had it been in
enforcing, which in turn gives you a chance to fix those issues before
turning on enforcing.

For more detail on the selinux logs look in /var/log/audit/audit.log

You definitely have something odd going on though. As you said
elsewhere, using a Unix domain socket connection the firewall should
not get involved either.

Seems like the issue is related to PHP somehow. For example, see:
http://serverfault.com/questions/641329/cannot-connect-to-postgresql-unix-domain-socket

Joe

--
Crunchy Data - http://crunchydata.com
PostgreSQL Support for Secure Enterprises
Consulting, Training, & Open Source Development

