Thread: php pg_connect fails, pgsql works
Hello All,

I'm using php 5.1.6 on a RHEL 5 system connecting to a postgresql server version 8.2.3. I think that TCP connections are enabled correctly in the server's pg_hba.conf and I can successfully connect from the client using pgsql. However, trying to use pg_connect() w/ a call like:

    $con = pg_connect("host='postgres1.ngdc.noaa.gov' port=5432 sslmode='allow' user='test' password='mypassword' dbname='test'")

fails saying:

    Unable to connect to PostgreSQL server: could not connect to server: Permission denied\n\tIs the server running on host "postgres1.ngdc.noaa.gov" and accepting\n\tTCP/IP connections on port 5432?

I'm perplexed since I can connect w/ pgsql from the same workstation using the same database, user, password. Can anyone help me out here?

Thanks!

-- john

John Cartwright <John.C.Cartwright@noaa.gov> writes:
> I'm using php 5.1.6 on a RHEL 5 system connecting to a postgresql server
> version 8.2.3. I think that TCP connections are enabled correctly in
> the server's pg_hba.conf and I can successfully connect from the client
> using pgsql. However, trying to use pg_connect() w/ a call like:
> $con = pg_connect("host='postgres1.ngdc.noaa.gov' port=5432
> sslmode='allow' user='test' password='mypassword' dbname='test'")
> fails saying:
> Unable to connect to PostgreSQL server: could not connect to server:
> Permission denied

Are you running the php script manually, or is it actually executing
inside a daemon such as Apache? If the latter, I'll bet this is a
SELinux issue --- SELinux is set up to constrain daemons a lot more
tightly than interactive commands, so that they can't easily be used to
break into your system.

I don't know much about how to fix it, other than the extremely
brute-force tool of "setenforce 0". On current Fedora it looks like the
way is probably "setsebool -P allow_user_postgresql_connect 1", but I'm
not sure if RHEL5 uses that approach or something older.

It's also possible that the policy is OK but you have some files
with the wrong security labeling.

regards, tom lane

Thanks for your reply, Tom. Not sure exactly what you mean - this is a php script executed via apache. php scripts w/in the same directory that don't make database connections seem to work OK.

Your suggestion is a good one though - it may be an SELinux configuration. I'll try to pursue that direction.

-- john

Tom Lane wrote:
> John Cartwright <John.C.Cartwright@noaa.gov> writes:
>
>> I'm using php 5.1.6 on a RHEL 5 system connecting to a postgresql server
>> version 8.2.3. I think that TCP connections are enabled correctly in
>> the server's pg_hba.conf and I can successfully connect from the client
>> using pgsql. However, trying to use pg_connect() w/ a call like:
>>
>> $con = pg_connect("host='postgres1.ngdc.noaa.gov' port=5432
>> sslmode='allow' user='test' password='mypassword' dbname='test'")
>>
>> fails saying:
>>
>> Unable to connect to PostgreSQL server: could not connect to server:
>> Permission denied
>>
>
> Are you running the php script manually, or is it actually executing
> inside a daemon such as Apache? If the latter, I'll bet this is a
> SELinux issue --- SELinux is set up to constrain daemons a lot more
> tightly than interactive commands, so that they can't easily be used to
> break into your system.
>
> I don't know much about how to fix it, other than the extremely
> brute-force tool of "setenforce 0". On current Fedora it looks like the
> way is probably "setsebool -P allow_user_postgresql_connect 1", but I'm
> not sure if RHEL5 uses that approach or something older.
>
> It's also possible that the policy is OK but you have some files
> with the wrong security labeling.
>
> regards, tom lane

On Mon, 10 Mar 2008, Tom Lane wrote:

> I don't know much about how to fix it, other than the extremely
> brute-force tool of "setenforce 0". On current Fedora it looks like the
> way is probably "setsebool -P allow_user_postgresql_connect 1", but I'm
> not sure if RHEL5 uses that approach or something older.

I was able to work around a similar issue using Robert's article at http://people.planetpostgresql.org/xzilla/index.php?/archives/310-typically-I-recommend-you-disable-SELinux....html where he suggests that "setsebool -P httpd_can_network_connect_db=1" is the magic incantation for RHEL5. That fixed my problem using PHP there.

--
* Greg Smith gsmith@gregsmith.com http://www.gregsmith.com Baltimore, MD

On Mon, Mar 10, 2008 at 1:14 PM, John Cartwright <John.C.Cartwright@noaa.gov> wrote:
> Hello All,
>
> I'm using php 5.1.6 on a RHEL 5 system connecting to a postgresql server
> version 8.2.3. I think that TCP connections are enabled correctly in
> the server's pg_hba.conf and I can successfully connect from the client
> using pgsql. However, trying to use pg_connect() w/ a call like:
>
> $con = pg_connect("host='postgres1.ngdc.noaa.gov' port=5432
> sslmode='allow' user='test' password='mypassword' dbname='test'")

if you do psql like so, can it connect?

    psql -h postgres1.ndgc.noaa.gov -U test test

?

Yes, the command-line client works fine that way. Turns out the problem was SELinux permissions that had to be specifically enabled.

Thanks for the suggestions and the help.

-- john

Scott Marlowe wrote:
> On Mon, Mar 10, 2008 at 1:14 PM, John Cartwright
> <John.C.Cartwright@noaa.gov> wrote:
>
>> Hello All,
>>
>> I'm using php 5.1.6 on a RHEL 5 system connecting to a postgresql server
>> version 8.2.3. I think that TCP connections are enabled correctly in
>> the server's pg_hba.conf and I can successfully connect from the client
>> using pgsql. However, trying to use pg_connect() w/ a call like:
>>
>> $con = pg_connect("host='postgres1.ngdc.noaa.gov' port=5432
>> sslmode='allow' user='test' password='mypassword' dbname='test'")
>>
>
> if you do psql like so, can it connect?
>
> psql -h postgres1.ndgc.noaa.gov -U test test
>
> ?
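
Added example (not part of any post in this thread): a shell check for confirming the diagnosis reached above, by looking in the audit log for SELinux AVC denials of outbound TCP connects from Apache's httpd_t domain. The log lines are constructed samples in audit.log format, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample of /var/log/audit/audit.log lines (not taken from the thread).
# The SYSCALL record's exit=-13 is EACCES, which PHP reports as "Permission denied".
SAMPLE_LOG='type=AVC msg=audit(1205172845.101:411): avc:  denied  { name_connect } for  pid=2345 comm="httpd" dest=5432 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1205172850.207:412): avc:  denied  { read } for  pid=2345 comm="httpd" name="notes.txt" dev=dm-0 ino=98311 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1205172861.552:413): avc:  denied  { name_connect } for  pid=2346 comm="httpd" dest=5432 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1205172870.003:414): avc:  denied  { name_connect } for  pid=2399 comm="httpd" dest=3306 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1205172861.552:413): arch=40000003 syscall=102 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"'

# Print "count port" for every destination port to which SELinux denied an
# outbound TCP connect (name_connect) from a process in the httpd_t domain.
httpd_denied_ports() {
    printf '%s\n' "$1" |
        grep 'avc: *denied' |
        grep -F '{ name_connect }' |
        grep 'scontext=[^ ]*:httpd_t' |
        grep 'tclass=tcp_socket' |
        sed -n 's/.* dest=\([0-9][0-9]*\) .*/\1/p' |
        sort -n | uniq -c | awk '{print $1, $2}'
}

# Succeed (exit 0) if the log shows httpd_t denied a connect to port $2.
httpd_blocked_on_port() {
    httpd_denied_ports "$1" | grep -q " $2\$"
}

# Report on the constructed sample.
httpd_denied_ports "$SAMPLE_LOG"
if httpd_blocked_on_port "$SAMPLE_LOG" 5432; then
    echo "httpd_t was denied name_connect to 5432: SELinux policy, not pg_hba.conf"
    echo "check the boolean with: getsebool httpd_can_network_connect_db"
fi
```

On a live host, pass the contents of the real audit log instead of SAMPLE_LOG. A denial for port 5432 that disappears after the boolean named in the thread is enabled confirms the cause without resorting to "setenforce 0".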