From: | John Iliffe <john(dot)iliffe(at)iliffe(dot)ca> |
---|---|
To: | Adrian Klaver <adrian(dot)klaver(at)aklaver(dot)com> |
Cc: | Joe Conway <mail(at)joeconway(dot)com>, "pgsql-general" <pgsql-general(at)postgresql(dot)org> |
Subject: | Re: Unable to connect to Postgresql |
Date: | 2017-04-08 13:31:58 |
Message-ID: | 201704080931.58746.john.iliffe@iliffe.ca |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-general |
On Saturday 08 April 2017 00:10:14 Adrian Klaver wrote:
> On 04/07/2017 07:45 PM, Joe Conway wrote:
> > On 04/07/2017 05:35 PM, Adrian Klaver wrote:
> >> On 04/07/2017 05:03 PM, John Iliffe wrote:
> >>>>> Running on Fedora 25 with SELinux in PERMISSIVE mode. The audit
> >>>>> log shows no hits on Postgresql.
> >>>
> >>> My going in position was/still is, that this is a SELinux security
> >>> problem
> >>> but I am finding SELinux to be the most opaque and badly documented
> >>> software
> >>> that I have ever had to deal with, which is why it is running in
> >>> permissive
> >>> mode at the moment.
> >>
> >> Well what I know about SELinux would fit in the navel of a flea(tip
> >> of the hat to David Niven), so I can not be of much help there. The
> >> reason I am returned this thread to the list, there are folks that
> >> do understand it.
> >
> > If SELinux is running in permissive I don't see how it could be at
> > fault for your issue. Did you verify that (getenforce)?
> >
> >>> --------------------------
> >>> [Fri Apr 07 17:03:28.597101 2017] [php7:warn] [pid 1797:tid
> >>> 140599445419776] [client 192.168.1.10:45127] PHP Warning:
> >>> pg_connect(): Unable to connect to PostgreSQL server: could not
> >>> connect to server: No such file or directory\n\tIs the server
> >>> running locally and
> >>> accepting\n\tconnections on Unix domain socket
> >>> "/tmp/.s.PGSQL.5432"? in /httpd/iliffe/testfcgi.php on
> >>> line 121 ----------------------------
> >
> > This might be a silly question, but is PHP running on the same server
> > as Postgres?
>
> To add to this, previously you mentioned:
>
> "Also, using the on board firewall (firewalld) to provide a secondary
> domain where the actual business processes run. "
>
> What exactly does that mean?
>
There is something rather odd here.
getenforce shows the mode as permissive, which is what I think it is.
BUT, this morning's logwatch report shows:
*** Denials ***
system_u system_u (tcp_socket): 1 times
Unfortunately, it doesn't say WHICH stream socket. I'll check that and see
if I can find the actual socket that got denied, and if it was actually let
through or not.
> > HTH,
> >
> > Joe
From | Date | Subject | |
---|---|---|---|
Next Message | Adrian Klaver | 2017-04-08 13:35:11 | Re: A change in the Debian install |
Previous Message | John Iliffe | 2017-04-08 13:26:42 | Re: Unable to connect to Postgresql |