On 4/27/2011 11:42 AM, Thomas Harold wrote:
> On 4/27/2011 9:16 AM, Thomas Harold wrote:
> > - SELinux is running, but there are no denied messages in
> > /var/log/audit/audit.log and no setroubleshoot alerts in
> > /var/log/messages either.

> Well, interestingly enough, it is SELinux getting in the way, but not
> logging anything. Temporarily disabling SELinux suddenly makes it work.
>
> # echo 0 > /selinux/enforce
> (things now work)
>
> So now I need to figure out why nothing showed up in audit.log.

Turns out that it was an SELinux boolean that had not yet been turned on (specifically httpd_can_network_connect_db).

# getsebool -a | grep 'http'
allow_httpd_anon_write --> off
allow_httpd_bugzilla_script_anon_write --> off
allow_httpd_cvs_script_anon_write --> off
allow_httpd_mod_auth_pam --> off
allow_httpd_nagios_script_anon_write --> off
allow_httpd_prewikka_script_anon_write --> off
allow_httpd_squid_script_anon_write --> off
allow_httpd_sys_script_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_network_connect --> off
httpd_can_network_connect_db --> off
httpd_can_network_relay --> off
httpd_can_sendmail --> on
httpd_disable_trans --> off
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> on
httpd_read_user_content --> off
httpd_rotatelogs_disable_trans --> off
httpd_setrlimit --> off
httpd_ssi_exec --> off
httpd_suexec_disable_trans --> off
httpd_tty_comm --> on
httpd_unified --> on
httpd_use_cifs --> off
httpd_use_nfs --> off

# setsebool httpd_can_network_connect_db on

(Lesson learned, when all else fails, start checking assumptions...)

--
Sent via pgsql-general mailing list (pgsql-general@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general
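Two things a practitioner would want alongside the fix above, as an added example that is not part of the thread: the plain `setsebool NAME on` shown in the post is lost at the next reboot (`setsebool -P` writes the change into the policy store), and a denial that produces no AVC record is often one covered by a dontaudit rule, which `semodule -DB` temporarily removes from the loaded policy. The script below (written for this page, not the poster's code) parses `getsebool`-style output, embeds a constructed sample copied from the list above, and enables a boolean persistently on a live host; the function names `sebool_state` and `ensure_sebool` are my own.

```shell
#!/bin/sh
# Added example, not from the original thread: check and persistently set an
# SELinux boolean, and surface dontaudit'ed denials while diagnosing.

# Constructed sample of `getsebool -a | grep http` output (subset of the
# list posted above) so the parser can be exercised without SELinux tools.
SAMPLE_GETSEBOOL='httpd_builtin_scripting --> on
httpd_can_network_connect --> off
httpd_can_network_connect_db --> off
httpd_can_sendmail --> on'

# sebool_state INPUT NAME: print "on" or "off" for NAME from getsebool-style
# lines of the form "name --> state"; print "unknown" and return 1 if NAME
# does not appear in INPUT.
sebool_state() {
    state=$(printf '%s\n' "$1" | awk -v name="$2" '$1 == name && $2 == "-->" { print $3 }')
    if [ -z "$state" ]; then
        echo unknown
        return 1
    fi
    echo "$state"
}

# ensure_sebool NAME: on a live SELinux host, enable NAME persistently.
# `setsebool -P` records the value in the policy store so it survives a
# reboot; a plain `setsebool NAME on` (as in the post) does not.
# Prints the action taken so the caller can log it.
ensure_sebool() {
    name=$1
    command -v getsebool >/dev/null 2>&1 || { echo "no-selinux-tools"; return 2; }
    current=$(sebool_state "$(getsebool "$name" 2>/dev/null)" "$name") \
        || { echo "no-such-boolean"; return 1; }
    if [ "$current" = on ]; then
        echo "already-on"
        return 0
    fi
    setsebool -P "$name" on && echo "enabled"
}

# Silent denials: a dontaudit rule in the loaded policy suppresses the AVC
# record, so audit.log and setroubleshoot stay quiet. To see such denials
# while diagnosing, rebuild the policy without dontaudit rules, reproduce,
# inspect, then restore (run as root on the affected host):
#   semodule -DB                 # disable dontaudit rules and rebuild
#   ... reproduce the failure ...
#   ausearch -m avc -ts recent   # the previously hidden denials now appear
#   semodule -B                  # rebuild with dontaudit rules restored
```

Usage on the affected host: `ensure_sebool httpd_can_network_connect_db`. The parser is separated from the host-touching function so the logic can be checked on a machine without SELinux; `ensure_sebool` returns 2 when `getsebool` is absent rather than pretending the boolean was set.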