Thread: PHP and PostgreSQL 9.0, pg_connect fails to connect
I'm having trouble figuring out where this one is going wrong. It's a brand new install of PostgreSQL 9.0 from PGDG on a RHEL5 box, running Apache 2.2 and PHP 5.3 (from IUS). - PostgreSQL 9.0 is running and listening on the localhost. I can run pgAdmin III and connect to it over a SSH port-forward to the loopback. - nmap reports that pgsql is alive and listening on localhost:5432. - I can use the psql command to connect to the localhost and am able to login as the username/password that I'm using in the pg_connect() call. I can connect to the target database. I can create tables in the database/schema using that username (so pgsql roles don't seem to be the issue). - SELinux is running, but there are no denied messages in /var/log/audit/audit.log and no setroubleshooting alerts in /var/log/messages either. - The firewall doesn't seem to be the issue (due to the nmap query). - I've tried forcing IPv4 by specifying the database server as 127.0.0.1 instead of localhost. - No errors in the Apache logs either. - The server came with PHP 5.1.6 and I've tried out an early version of PHP 5.3, then upgraded to 5.3.6. All I'm getting back from pg_connect() is "Connect: failed to connect to database.". Is there a specific minimum version of the php-pgsql add-on that is needed in order to talk to a pgsql 9.0 database? Am I going to need to compile PHP from source (using the pgsql 9.0 developer packages)?
On 4/27/2011 9:16 AM, Thomas Harold wrote: > - SELinux is running, but there are no denied messages in > /var/log/audit/audit.log and no setroubleshooting alerts in > /var/log/messages either. > Well, interestingly enough it is SELinux getting in the way, but not logging anything. Temporarily disabling SELinux suddenly makes it work. # echo 0 > /selinux/enforce (things now work) So now I need to figure out why nothing showed up in audit.log.
On Wed, 27 Apr 2011, Thomas Harold wrote: > Well, interestingly enough it is SELinux getting in the way, but not > logging anything. Temporarily disabling SELinux suddenly makes it work. This is interesting. I don't run SElinux on my Slackware systems, but a PHP application (CMS Made Simple) fails to load since I upgraded to postgres-9.0.x from -8.4. I'm not a PHP coder and I'm having a terrible time trying to figure out what broke. It is something related to the ADOdb layer trying to connect PHP to postgres. When I try to invoke the application I see a '404 Not Found' error. I'm trying to trace this with xdebug but any help from this list would be very much appreciated. Rich
On 4/27/2011 11:42 AM, Thomas Harold wrote: > On 4/27/2011 9:16 AM, Thomas Harold wrote: >> - SELinux is running, but there are no denied messages in >> /var/log/audit/audit.log and no setroubleshooting alerts in >> /var/log/messages either. >> > > Well, interestingly enough it is SELinux getting in the way, but not > logging anything. Temporarily disabling SELinux suddenly makes it work. > > # echo 0 > /selinux/enforce > (things now work) > > So now I need to figure out why nothing showed up in audit.log. > Turns out that it was a SELinux boolean that had not yet been turned on (specifically httpd_can_network_connect_db). # getsebool -a | grep 'http' allow_httpd_anon_write --> off allow_httpd_bugzilla_script_anon_write --> off allow_httpd_cvs_script_anon_write --> off allow_httpd_mod_auth_pam --> off allow_httpd_nagios_script_anon_write --> off allow_httpd_prewikka_script_anon_write --> off allow_httpd_squid_script_anon_write --> off allow_httpd_sys_script_anon_write --> off httpd_builtin_scripting --> on httpd_can_network_connect --> off httpd_can_network_connect_db --> off httpd_can_network_relay --> off httpd_can_sendmail --> on httpd_disable_trans --> off httpd_enable_cgi --> on httpd_enable_ftp_server --> off httpd_enable_homedirs --> on httpd_read_user_content --> off httpd_rotatelogs_disable_trans --> off httpd_setrlimit --> off httpd_ssi_exec --> off httpd_suexec_disable_trans --> off httpd_tty_comm --> on httpd_unified --> on httpd_use_cifs --> off httpd_use_nfs --> off # setsebool httpd_can_network_connect_db on (Lesson learned, when all else fails, start checking assumptions...)
On Wed, Apr 27, 2011 at 10:42 AM, Thomas Harold <thomas-lists@nybeta.com> wrote:
On 4/27/2011 9:16 AM, Thomas Harold wrote:Well, interestingly enough it is SELinux getting in the way, but not logging anything. Temporarily disabling SELinux suddenly makes it work.- SELinux is running, but there are no denied messages in
/var/log/audit/audit.log and no setroubleshooting alerts in
/var/log/messages either.
# echo 0 > /selinux/enforce
(things now work)
This does not surprise me, I've been upgrading a server to Fedora 14 and fighting SELInux every inch of the way. Setting up PostgreSQL on that box is coming up on the schedule, maybe forewarned is forearmed. :-)
--
Mike Nolan
On 4/27/2011 12:24 PM, Michael Nolan wrote: > > > On Wed, Apr 27, 2011 at 10:42 AM, Thomas Harold <thomas-lists@nybeta.com > <mailto:thomas-lists@nybeta.com>> wrote: > > On 4/27/2011 9:16 AM, Thomas Harold wrote: > > - SELinux is running, but there are no denied messages in > /var/log/audit/audit.log and no setroubleshooting alerts in > /var/log/messages either. > > > Well, interestingly enough it is SELinux getting in the way, but not > logging anything. Temporarily disabling SELinux suddenly makes it work. > > # echo 0 > /selinux/enforce > (things now work) > > > This does not surprise me, I've been upgrading a server to Fedora 14 and > fighting SELInux every inch of the way. Setting up PostgreSQL on that > box is coming up on the schedule, maybe forewarned is forearmed. :-) I've been using SELinux since '07, it still surprises me sometimes. Most issues come from mislabeled files (which gets fixed with "semanage fcontext" and "restorecon") and the targeted policies in RHEL5 are pretty bug-free after this many years. Of course, I just submitted a bug report against the SELinux policy for vsftpd this past month, so it's not perfect yet. In this case it took a full day for the lightbulb to go on and a few lucky searches later I found / remembered the booleans. The only thing that perplexes me at the moment is why SELinux is not logging an AVC denial in the audit.log file for that particular issue. I've seen it log AVC denials for mislabeled files, so the system is not 100% broken, it just was failing in this particular case. (As a follow up note: In order to make a boolean change permanent, I had to add the "-P" option to "setsebool". Things stopped working again after I restarted the server until I flipped the boolean again. # setsebool -P httpd_can_network_connect_db on Happily, everything now seems to be working with the PHP software package that I was configuring.)