
Re: Install problem on RHEL 5.1



This is definitely an SELinux issue. I tried permissive mode and the problem instantly disappeared. I got the LedgerSMB Administration login page, and could login normally. I did not have to change any config files. When I switched back to enforcing mode, the problem instantly reappeared.

I don't see how psql does it. With psql, I can log into the database via a socket connection in enforcing mode as well as in permissive mode. No difficulty either way.

I need to figure out how to open this connection in enforcing mode. If anyone knows how to do this, please let me know.

Thanks,

Alan Wolfe


P.S.  Here are some details from my tests:


setenforce = 1 (enforcing mode) - with local psql logged-in connection:
# netstat -an |grep 5432
tcp        0      0 127.0.0.1:5432              0.0.0.0:*                   LISTEN
unix  2      [ ACC ]     STREAM     LISTENING     873661 /tmp/.s.PGSQL.5432
unix  3      [ ]         STREAM     CONNECTED     2226019 /tmp/.s.PGSQL.5432


setenforce = 0 (permissive mode) - with httpd / admin.pl logged-in connection:
# netstat -an |grep 5432
tcp        0      0 127.0.0.1:5432              0.0.0.0:*                   LISTEN
tcp        0      0 127.0.0.1:46589             127.0.0.1:5432              TIME_WAIT
tcp        0      0 127.0.0.1:46590             127.0.0.1:5432              TIME_WAIT
unix  2      [ ACC ]     STREAM     LISTENING     873661 /tmp/.s.PGSQL.5432


 Permissions on socket in /tmp (regardless of psql or httpd connection):

# ls -lZ /tmp/.s.PGSQL.5432*
srwxrwxrwx  postgres postgres user_u:object_r:postgresql_tmp_t /tmp/.s.PGSQL.5432
-rw-------  postgres postgres user_u:object_r:postgresql_tmp_t /tmp/.s.PGSQL.5432.lock


 Permissions on httpd (can connect via socket only in permissive mode):

# ls -lZ /usr/sbin/httpd
-rwxr-xr-x  root root system_u:object_r:httpd_exec_t   /usr/sbin/httpd


 Permissions on psql (can connect via socket in enforcing mode):

# ls -lZ /usr/bin/psql
-rwxr-xr-x  root root system_u:object_r:bin_t          /usr/bin/psql


These are the general selinux settings in permissive mode:
# setenforce 0
# sestatus -v
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          enforcing
Policy version:                 21
Policy from config file:        targeted

Process contexts:
Current context:                user_u:system_r:unconfined_t
Init context:                   system_u:system_r:init_t
/sbin/mingetty                  system_u:system_r:getty_t
/sbin/agetty                    system_u:system_r:getty_t
/usr/sbin/sshd                  system_u:system_r:unconfined_t:SystemLow-SystemHigh

File contexts:
Controlling term:               user_u:object_r:devpts_t
/etc/passwd                     system_u:object_r:etc_t
/etc/shadow                     system_u:object_r:shadow_t
/bin/bash                       system_u:object_r:shell_exec_t
/bin/login                      system_u:object_r:login_exec_t
/bin/sh                         system_u:object_r:bin_t -> system_u:object_r:shell_exec_t
/sbin/agetty                    system_u:object_r:getty_exec_t
/sbin/init                      system_u:object_r:init_exec_t
/sbin/mingetty                  system_u:object_r:getty_exec_t
/usr/sbin/sshd                  system_u:object_r:sshd_exec_t
/lib/libc.so.6                  system_u:object_r:lib_t -> system_u:object_r:lib_t
/lib/ld-linux.so.2              system_u:object_r:lib_t -> system_u:object_r:ld_so_t


And these are the selinux settings in default enforcing mode:
# setenforce 1
# sestatus -v
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 21
Policy from config file:        targeted

Process contexts:
Current context:                user_u:system_r:unconfined_t
Init context:                   system_u:system_r:init_t
/sbin/mingetty                  system_u:system_r:getty_t
/sbin/agetty                    system_u:system_r:getty_t
/usr/sbin/sshd                  system_u:system_r:unconfined_t:SystemLow-SystemHigh

File contexts:
Controlling term:               user_u:object_r:devpts_t
/etc/passwd                     system_u:object_r:etc_t
/etc/shadow                     system_u:object_r:shadow_t
/bin/bash                       system_u:object_r:shell_exec_t
/bin/login                      system_u:object_r:login_exec_t
/bin/sh                         system_u:object_r:bin_t -> system_u:object_r:shell_exec_t
/sbin/agetty                    system_u:object_r:getty_exec_t
/sbin/init                      system_u:object_r:init_exec_t
/sbin/mingetty                  system_u:object_r:getty_exec_t
/usr/sbin/sshd                  system_u:object_r:sshd_exec_t
/lib/libc.so.6                  system_u:object_r:lib_t -> system_u:object_r:lib_t
/lib/ld-linux.so.2              system_u:object_r:lib_t -> system_u:object_r:ld_so_t




On Sun, 16 Dec 2007, Chris Travers wrote:

This could be an SELinux issue (try setting to Permissive and see if the
problem goes away) or a file permission issue.   Normally the sockets are
created and accessed in /tmp.

Best Wishes,
Chris Travers
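
Added example (not part of the original thread): the labels listed in the message show httpd carrying httpd_exec_t, which under the targeted policy runs the server in the confined httpd_t domain, while psql is plain bin_t and stays in the caller's unconfined_t. The AVC records in the audit log name the exact permission being refused, and this sketch tallies them for one command name. The sample records are constructed and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample audit records (illustrative only, not taken from the post).
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1197849600.101:501): avc:  denied  { name_connect } for  pid=2345 comm="httpd" dest=5432 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1197849600.205:502): avc:  denied  { write } for  pid=2345 comm="httpd" name=".s.PGSQL.5432" dev=sda1 ino=873661 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:postgresql_tmp_t:s0 tclass=sock_file
type=AVC msg=audit(1197849601.310:503): avc:  denied  { name_connect } for  pid=2346 comm="httpd" dest=5432 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1197849602.000:504): avc:  denied  { read } for  pid=900 comm="ntpd" name="drift" dev=sda1 ino=77 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1197849602.000:504): arch=40000003 syscall=5 success=no exit=-13 comm="ntpd" exe="/usr/sbin/ntpd"
EOF
}

# summarize_avc COMM
# Reads audit records on stdin and prints one line per distinct denial for COMM:
#   count source_type permissions target_type object_class
# Matches "avc: ... denied" so it also accepts kernel-log style records.
summarize_avc() {
    awk -v want="$1" '
    /avc:/ && /denied/ {
        comm = src = tgt = cls = perms = ""; inset = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "{") { inset = 1; continue }   # start of permission set
            if ($i == "}") { inset = 0; continue }   # end of permission set
            if (inset) { perms = perms (perms == "" ? "" : ",") $i; continue }
            if ($i ~ /^comm=/)     { comm = $i; gsub(/^comm=|"/, "", comm) }
            if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }  # type field
            if ($i ~ /^tcontext=/) { split($i, b, ":"); tgt = b[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        if (comm == want) n[src " " perms " " tgt " " cls]++
    }
    END { for (k in n) print n[k], k }' | sort -rn
}

# Stand-alone run on the constructed sample; on a real host, feed the audit log:
#   summarize_avc httpd < /var/log/audit/audit.log
sample_audit_log | summarize_avc httpd
```

For a name_connect denial against the PostgreSQL port, the targeted policy's httpd_can_network_connect_db boolean is the usual switch; `getsebool -a | grep httpd` shows whether the installed policy provides it.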