Couldn't connect from PHP to Postgres on CentOS 5.4 with SELinux enabled
It's just what the title says.
I could connect fine from the CLI, so I was wondering why, and after a lot of digging it turned out that SELinux access restrictions were the cause. Then when I looked up "so what's the fix?", everyone says "just disable SELinux!" In other words, they tell you to run
/usr/sbin/setenforce 0
and that's that.
You've got to be kidding. Why should I have to lower the security level? There has to be a workaround! I looked, and sure enough, there was.
# /usr/sbin/getsebool httpd_can_network_connect_db
httpd_can_network_connect_db --> off
# /usr/sbin/setsebool httpd_can_network_connect_db on
# /usr/sbin/getsebool httpd_can_network_connect_db
httpd_can_network_connect_db --> on
With that, I checked the PHP side again. Works like a charm ☆
But as it stands, the access I just granted would revert at reboot, so make it a permanent setting.
# /usr/sbin/setsebool -P httpd_can_network_connect_db on
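The two steps above (check the boolean, then set it persistently with -P) are easy to script so that re-running it on another host is idempotent and verifies the result instead of blindly flipping the switch. The following is an added example and not part of the original post; it assumes the CentOS 5-era paths /usr/sbin/getsebool and /usr/sbin/setsebool, and the helper names are my own.

```shell
#!/bin/sh
# Added example (not from the original post). Parses getsebool output and
# enables one SELinux boolean persistently, only if it is not already on.
# Assumption: getsebool/setsebool live in /usr/sbin as on CentOS 5.4.
SEBIN=/usr/sbin

# parse_bool_state NAME
#   Reads "name --> on|off" lines (the getsebool output format) on stdin
#   and prints the state of NAME. Exit status 1 if NAME is not listed.
parse_bool_state() {
    awk -v name="$1" '
        $1 == name && $2 == "-->" { print $3; found = 1 }
        END { if (!found) exit 1 }
    '
}

# ensure_bool_on NAME
#   Makes boolean NAME "on" across reboots (setsebool -P), skipping the
#   policy rewrite when it is already on, and verifies the final state.
#   Exit status: 0 ok, 1 setsebool failed or state still off, 2 unknown boolean.
ensure_bool_on() {
    bool="$1"
    state=$("$SEBIN/getsebool" "$bool" | parse_bool_state "$bool") || {
        echo "boolean $bool not found in policy" >&2
        return 2
    }
    if [ "$state" = "on" ]; then
        echo "$bool already on, nothing to do"
        return 0
    fi
    # -P writes the value into the policy store so it survives a reboot.
    "$SEBIN/setsebool" -P "$bool" on || return 1
    state=$("$SEBIN/getsebool" "$bool" | parse_bool_state "$bool")
    [ "$state" = "on" ] && echo "$bool is now on (persistent)"
}

# Usage (needs root and a running SELinux):
#   sh ensure_db_bool.sh --apply
if [ "${1:-}" = "--apply" ]; then
    ensure_bool_on httpd_can_network_connect_db
fi
```

The point of checking first is that setsebool -P rewrites the policy store, which is slow on these machines, and of re-reading the value afterwards is that a failed or partially applied change is caught immediately rather than discovered when PHP still cannot reach the database. The narrower httpd_can_network_connect_db is preferred over httpd_can_network_connect, which would let httpd open arbitrary outbound connections.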
SELinux really does trip you up a lot, though. I should go find some clear documentation.
For reference, here is the list of boolean values on my CentOS 5.4 as of 2010/3/11. I wonder if it changes when you add packages?
# getsebool -a
NetworkManager_disable_trans --> off
allow_console_login --> off
allow_cvs_read_shadow --> off
allow_daemons_dump_core --> on
allow_daemons_use_tty --> on
allow_domain_fd_use --> on
allow_execheap --> off
allow_execmem --> on
allow_execmod --> off
allow_execstack --> on
allow_ftpd_anon_write --> off
allow_ftpd_full_access --> off
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
allow_gpg_execstack --> off
allow_gssd_read_tmp --> on
allow_httpd_anon_write --> off
allow_httpd_bugzilla_script_anon_write --> off
allow_httpd_cvs_script_anon_write --> off
allow_httpd_mod_auth_pam --> off
allow_httpd_nagios_script_anon_write --> off
allow_httpd_prewikka_script_anon_write --> off
allow_httpd_squid_script_anon_write --> off
allow_httpd_sys_script_anon_write --> off
allow_java_execstack --> off
allow_kerberos --> on
allow_mount_anyfile --> off
allow_mounton_anydir --> on
allow_mplayer_execstack --> off
allow_nfsd_anon_write --> off
allow_polyinstantiation --> off
allow_postfix_local_write_mail_spool --> off
allow_ptrace --> off
allow_rsync_anon_write --> off
allow_saslauthd_read_shadow --> off
allow_smbd_anon_write --> off
allow_ssh_keysign --> off
allow_tftp_anon_write --> off
allow_unconfined_execmem_dyntrans --> off
allow_unconfined_mmap_low --> on
allow_unlabeled_packets --> on
allow_user_mysql_connect --> off
allow_write_xshm --> off
allow_ypbind --> off
allow_zebra_write_config --> on
amanda_disable_trans --> off
amavis_disable_trans --> off
apmd_disable_trans --> off
arpwatch_disable_trans --> off
auditd_disable_trans --> off
automount_disable_trans --> off
avahi_disable_trans --> off
bluetooth_disable_trans --> off
canna_disable_trans --> off
cardmgr_disable_trans --> off
ccs_disable_trans --> off
cdrecord_read_content --> off
clamd_disable_trans --> off
clamscan_disable_trans --> off
clvmd_disable_trans --> off
comsat_disable_trans --> off
cron_can_relabel --> off
crond_disable_trans --> off
cupsd_config_disable_trans --> off
cupsd_disable_trans --> off
cupsd_lpd_disable_trans --> off
cvs_disable_trans --> off
cyrus_disable_trans --> off
dbskkd_disable_trans --> off
dccd_disable_trans --> off
dccifd_disable_trans --> off
dccm_disable_trans --> off
dhcpc_disable_trans --> off
dhcpd_disable_trans --> off
disable_evolution_trans --> off
disable_games_trans --> off
disable_mozilla_trans --> off
disable_thunderbird_trans --> off
dnsmasq_disable_trans --> off
dovecot_disable_trans --> off
fcron_crond --> off
fetchmail_disable_trans --> off
fingerd_disable_trans --> off
freshclam_disable_trans --> off
fsdaemon_disable_trans --> off
ftp_home_dir --> off
ftpd_connect_db --> off
ftpd_disable_trans --> off
ftpd_is_daemon --> on
global_ssp --> off
gpm_disable_trans --> off
gssd_disable_trans --> off
hald_disable_trans --> off
hotplug_disable_trans --> off
howl_disable_trans --> off
hplip_disable_trans --> off
httpd_builtin_scripting --> on
httpd_can_network_connect --> off
httpd_can_network_connect_db --> on
httpd_can_network_relay --> off
httpd_can_sendmail --> on
httpd_disable_trans --> off
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> on
httpd_rotatelogs_disable_trans --> off
httpd_ssi_exec --> off
httpd_suexec_disable_trans --> off
httpd_tty_comm --> on
httpd_unified --> on
httpd_use_cifs --> off
httpd_use_nfs --> off
inetd_child_disable_trans --> off
inetd_disable_trans --> off
innd_disable_trans --> off
ipsec_disable_trans --> off
irqbalance_disable_trans --> off
iscsid_disable_trans --> off
kadmind_disable_trans --> off
klogd_disable_trans --> off
kpropd_disable_trans --> off
krb5kdc_disable_trans --> off
ktalkd_disable_trans --> off
lpd_disable_trans --> off
mail_read_content --> off
mailman_mail_disable_trans --> off
mdadm_disable_trans --> off
mozilla_read_content --> off
mysqld_disable_trans --> off
nagios_disable_trans --> off
named_disable_trans --> off
named_write_master_zones --> off
nfs_export_all_ro --> on
nfs_export_all_rw --> on
nfsd_disable_trans --> off
nmbd_disable_trans --> off
nrpe_disable_trans --> off
nscd_disable_trans --> off
ntpd_disable_trans --> off
oddjob_disable_trans --> off
oddjob_mkhomedir_disable_trans --> off
openvpn_disable_trans --> off
openvpn_enable_homedirs --> off
pcscd_disable_trans --> off
pegasus_disable_trans --> off
portmap_disable_trans --> off
postfix_disable_trans --> off
postgresql_disable_trans --> off
postgrey_disable_trans --> off
pppd_can_insmod --> off
pppd_disable_trans --> off
pppd_for_user --> off
pptp_disable_trans --> off
prelude_audisp_disable_trans --> off
prelude_disable_trans --> off
prelude_lml_disable_trans --> off
privoxy_connect_any --> off
privoxy_disable_trans --> off
ptal_disable_trans --> off
pyzord_disable_trans --> off
qemu_full_network --> on
qemu_use_cifs --> on
qemu_use_comm --> off
qemu_use_nfs --> on
qemu_use_usb --> on
racoon_disable_trans --> off
racoon_read_shadow --> off
radiusd_disable_trans --> off
radvd_disable_trans --> off
rdisc_disable_trans --> off
read_default_t --> on
read_untrusted_content --> off
readahead_disable_trans --> off
regex_milter_disable_trans --> off
restorecond_disable_trans --> off
rhgb_disable_trans --> off
ricci_disable_trans --> off
ricci_modclusterd_disable_trans --> off
rlogind_disable_trans --> off
rpcd_disable_trans --> off
rshd_disable_trans --> off
rsync_client --> off
rsync_disable_trans --> off
rsync_export_all_ro --> off
run_ssh_inetd --> off
samba_domain_controller --> off
samba_enable_home_dirs --> off
samba_export_all_ro --> off
samba_export_all_rw --> off
samba_share_fusefs --> off
samba_share_nfs --> off
saslauthd_disable_trans --> off
secure_mode_insmod --> off
secure_mode_policyload --> off
setrans_disable_trans --> off
setroubleshootd_disable_trans --> off
slapd_disable_trans --> off
smbd_disable_trans --> off
snmpd_disable_trans --> off
spamass_milter_disable_trans --> off
spamassassin_can_network --> off
spamd_disable_trans --> off
spamd_enable_home_dirs --> on
squid_connect_any --> off
squid_disable_trans --> off
ssh_sysadm_login --> off
staff_read_sysadm_file --> off
stunnel_disable_trans --> off
stunnel_is_daemon --> off
swat_disable_trans --> off
syslogd_disable_trans --> off
tcpd_disable_trans --> off
telnetd_disable_trans --> off
tftpd_disable_trans --> off
tzdata_disable_trans --> off
udev_disable_trans --> off
use_lpd_server --> off
use_nfs_home_dirs --> off
use_samba_home_dirs --> off
user_direct_mouse --> off
user_dmesg --> off
user_net_control --> off
user_ping --> on
user_rw_noexattrfile --> off
user_tcp_server --> off
user_ttyfile_stat --> off
uucpd_disable_trans --> off
virt_manage_sysfs --> off
virt_use_comm --> off
virt_use_nfs --> off
virt_use_samba --> off
virtd_disable_trans --> off
winbind_disable_trans --> off
write_untrusted_content --> off
xdm_disable_trans --> off
xdm_sysadm_login --> off
xend_disable_trans --> off
xfs_disable_trans --> off
xm_disable_trans --> off
ypbind_disable_trans --> off
yppasswdd_disable_trans --> off
ypserv_disable_trans --> off
ypxfr_disable_trans --> off
zebra_disable_trans --> off