On 04/08/2017 06:26 AM, John Iliffe wrote:
> On Saturday 08 April 2017 00:10:14 Adrian Klaver wrote:
>> On 04/07/2017 07:45 PM, Joe Conway wrote:
>>> On 04/07/2017 05:35 PM, Adrian Klaver wrote:
>>>> On 04/07/2017 05:03 PM, John Iliffe wrote:
>>>>>>> Running on Fedora 25 with SELinux in PERMISSIVE mode. The audit
>>>>>>> log shows no hits on Postgresql.
>>>>>
>>>>> My going in position was/still is, that this is a SELinux security
>>>>> problem
>>>>> but I am finding SELinux to be the most opaque and badly documented
>>>>> software
>>>>> that I have ever had to deal with, which is why it is running in
>>>>> permissive
>>>>> mode at the moment.
>>>>
>>>> Well what I know about SELinux would fit in the navel of a flea(tip
>>>> of the hat to David Niven), so I can not be of much help there. The
>>>> reason I am returned this thread to the list, there are folks that
>>>> do understand it.
>>>
>>> If SELinux is running in permissive I don't see how it could be at
>>> fault for your issue. Did you verify that (getenforce)?
>>>
>>>>> --------------------------
>>>>> [Fri Apr 07 17:03:28.597101 2017] [php7:warn] [pid 1797:tid
>>>>> 140599445419776] [client 192.168.1.10:45127] PHP Warning:
>>>>> pg_connect(): Unable to connect to PostgreSQL server: could not
>>>>> connect to server: No such file or directory\n\tIs the server
>>>>> running locally and
>>>>> accepting\n\tconnections on Unix domain socket
>>>>> "/tmp/.s.PGSQL.5432"? in /httpd/iliffe/testfcgi.php on
>>>>> line 121 ----------------------------
>>>
>>> This might be a silly question, but is PHP running on the same server
>>> as Postgres?
>>
>> To add to this, previously you mentioned:
>>
>> "Also, using the on board firewall (firewalld) to provide a secondary
>> domain where the actual business processes run. "
>>
>> What exactly does that mean?
> I'm trying/planning to use firewalld to keep certain remote addresses from
> connecting to the mail server. Since I have it anyway, I want to
> strengthen the security by moving non-Internet connections internal of that
> firewall so only Apache is exposed to the Internet and the databases, etc,
> are internal.
>
> This is a Unix domain socket connection so I don't think the firewall should
> get involved.
So what if you change the connection to use -h localhost?
>
> Since you raised the question, I added port 5432 to the open list in
> firewalld but it didn't make any difference, still not connecting.
>>
>>> HTH,
>>>
>>> Joe
>
--
Adrian Klaver
adrian.klaver@aklaver.com