Re: BUG #11365: denied apache cgi connect
From | Tom Lane |
---|---|
Subject | Re: BUG #11365: denied apache cgi connect |
Date | |
Msg-id | 11376.1410157466@sss.pgh.pa.us |
In response to | Re: BUG #11365: denied apache cgi connect (John R Pierce <pierce@hogranch.com>) |
Responses | Re: BUG #11365: denied apache cgi connect |
List | pgsql-bugs |

John R Pierce <pierce@hogranch.com> writes:
> On 9/7/2014 10:02 PM, Jan Wieck wrote:
>> So please be more precise in what exactly that special RPM should set
>> or enable.

> this RPM would be called something like
> postgresqlXY-apache-selinuxpolicy, and if installed, it would add the
> selinux policy that allows apache to connect to postgres version X.Y as
> installed from the same repository. if uninstalled, it would remove
> that policy.

Hm ... would that not be in direct conflict with existing policy
variables?

I don't actually know a lot about what the standard Red Hat selinux policy
does in this area. If it were seriously broken, I'd probably have heard
more about it during the years I worked there. Not that that's much of an
argument, but it's some evidence for "there's no fire here, only smoke".

Anyway, I remain of the opinion that it'd be best to press Red Hat's
selinux people to fix/clarify/document their policy's behavior for
apache-to-database connections. Trying to override the system policy with
drive-by updates seems like a recipe for disaster.

regards, tom lane