On Saturday 08 April 2017 11:20:29 Joe Conway wrote:
> On 04/08/2017 06:31 AM, John Iliffe wrote:
> > On Saturday 08 April 2017 00:10:14 Adrian Klaver wrote:
> >> On 04/07/2017 07:45 PM, Joe Conway wrote:
> >> > On 04/07/2017 05:35 PM, Adrian Klaver wrote:
> >> >> On 04/07/2017 05:03 PM, John Iliffe wrote:
> >> >>>>> Running on Fedora 25 with SELinux in PERMISSIVE mode.  The
> >> >>>>> audit log shows no hits on Postgresql.
> >> >>> 
> >> >>> My going in position was/still is, that this is a SELinux
> >> >>> security problem but I am finding SELinux to be the most opaque
> >> >>> and badly documented software that I have ever had to deal
> >> >>> with, which is why it is running in permissive mode at the
> >> >>> moment.
> >> >> 
> >> >> Well, what I know about SELinux would fit in the navel of a
> >> >> flea (tip of the hat to David Niven), so I cannot be of much help
> >> >> there. The reason I returned this thread to the list: there
> >> >> are folks that do understand it.
> >> > 
> >> > If SELinux is running in permissive I don't see how it could be at
> >> > fault for your issue. Did you verify that (getenforce)?
> >> > 
> >> >>> --------------------------
> >> >>> [Fri Apr 07 17:03:28.597101 2017] [php7:warn] [pid 1797:tid
> >> >>> 140599445419776] [client 192.168.1.10:45127] PHP Warning:
> >> >>> pg_connect(): Unable to connect to PostgreSQL server: could not
> >> >>> connect to server: No such file or directory\n\tIs the server
> >> >>> running locally and
> >> >>> accepting\n\tconnections on Unix domain socket
> >> >>> "/tmp/.s.PGSQL.5432"? in /httpd/iliffe/testfcgi.php on
> >> >>> line 121
> >> >>> ----------------------------
> >> > 
> >> > This might be a silly question, but is PHP running on the same
> >> > server as Postgres?
> >> 
> >> To add to this, previously you mentioned:
> >> 
> >> "Also, using the on board firewall (firewalld) to provide a secondary
> >> domain where the actual business processes run. "
> >> 
> >> What exactly does that mean?
> > 
> > There is something rather odd here.
> > 
> > getenforce shows the mode as permissive, which is what I think it is.
> 
> If getenforce shows you are in permissive, then selinux is not your
> problem, full stop.
> 
> > BUT, this morning's logwatch report shows:
> >  *** Denials ***
> >  
> >     system_u system_u (tcp_socket): 1 times
> 
> selinux will continue to log denials in permissive -- this is useful to
> determine what would have been blocked by selinux had it been in
> enforcing, which in turn gives you a chance to fix those issues before
> turning on enforcing.
> 
> For more detail on the selinux logs look in /var/log/audit/audit.log
> 
> You definitely have something odd going on though. As you said
> elsewhere, using a Unix domain socket connection the firewall should
> not get involved either.
> 
> Seems like the issue is related to PHP somehow. For example, see:
> http://serverfault.com/questions/641329/cannot-connect-to-postgresql-unix-domain-socket

In a way, probably yes, but I still can't figure it out.  The systemctl unit 
file DOES have the line PrivateTmp=true and changing it to 'false' didn't 
accomplish anything.

So I did the whole routine, created the /var/pgsql directory, changed the 
postgresql.conf Unix domain socket line to create two sockets, restarted 
and checked that both sockets do exist (yes) and then retried the 
connection.  Even stopped and restarted Apache in case something there was 
required but still no luck.  

I checked in the PHP directories and there doesn't seem to be any config file 
that applies to mod_php and in the php-fpm config file there is no reference 
to postgres.  That suggests to me that there is no way to point the 
connection request to the new socket file location.

So, any ideas as to where to go next?

FYI, psql still works OK.

And, thanks again for your patience!

John


> 
> Joe


-- 
Sent via pgsql-general mailing list (pgsql-general@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general
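
Joe's point above, that SELinux keeps logging denials in permissive mode, can be checked against the records in /var/log/audit/audit.log. The following is an added example, not part of the original thread: it classifies AVC denial records by their `permissive=` flag, and the sample records and function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample records in audit.log AVC format (not taken from the thread).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1491599008.597:412): avc:  denied  { name_connect } for  pid=1797 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1
type=SYSCALL msg=audit(1491599008.597:412): arch=c000003e syscall=42 success=yes exit=0 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1491599100.101:430): avc:  denied  { write } for  pid=1801 comm="httpd" name=".s.PGSQL.5432" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_tmp_t:s0 tclass=sock_file permissive=0
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for an AVC denial record, or None for any other line."""
    m = AVC_RE.search(line)
    if not line.startswith("type=AVC") or m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    flag = fields.get("permissive")  # field is absent on older kernels
    return {
        "comm": fields.get("comm", "?"),
        "perms": m.group("perms").split(),
        "source": fields.get("scontext", "?:?:?").split(":")[2],
        "target": fields.get("tcontext", "?:?:?").split(":")[2],
        "tclass": fields.get("tclass", "?"),
        # permissive=1: denial was logged only, the access went ahead
        # permissive=0: the access was actually refused
        "effect": {"1": "logged-only", "0": "blocked"}.get(flag, "unknown"),
    }


def summarize(log_text):
    """Count denials per (comm, source type, target type, class, effect)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            key = (rec["comm"], rec["source"], rec["target"],
                   rec["tclass"], rec["effect"])
            counts[key] += 1
    return counts


if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_AUDIT_LOG).items()):
        print(f"{n} x comm={key[0]} {key[1]} -> {key[2]} ({key[3]}): {key[4]}")
```

A record marked `logged-only` shows what enforcing mode would have refused, while `blocked` marks an access that was actually denied.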