Re: BUG #11365: denied apache cgi connect

On 09/07/2014 06:22 PM, John R Pierce wrote:
> On 9/7/2014 9:36 AM, Tom Lane wrote:
>> That's not something the PG community can do anything about.  If there's a
>> bug in the SELinux policy for apache, you need to complain to Red Hat to
>> get it fixed.
>>
>> I suspect though that if you dig a little bit, you will find that this
>> case has been foreseen, and there's a SELinux policy boolean that you
>> are supposed to set to allow apache processes to do database access.
>> A quick browse in the output of "semanage boolean -l" suggests that
>> "allow_user_postgresql_connect" might be the right thing, or maybe
>> "httpd_can_network_connect_db" ...
>
> the PGDG packagers probably should include some level of database
> selinux policy settings.  maybe a special RPM that sets the apache
> database policy or something.

"Some special RPM" to do what exactly? Just because someone has
PostgreSQL and Apache installed on their system doesn't mean they wanted
httpd to be able to try to connect to their MySQL server on another
machine in the network. Precisely that is what
httpd_can_network_connect_db would allow (as a side effect).

So please be more precise in what exactly that special RPM should set or
enable.


Regards,
Jan

--
Jan Wieck
Senior Software Engineer
http://slony.info