RHEL SELinux blocking Apache access to PostgreSQL
I'm running a Django app that uses PostgreSQL. The server is running RHEL 6.5 with SELinux. I'm having an issue where the Django app can't connect to the DB, and I think it's because SELinux is blocking it. Here's the error I'm seeing in Django:
could not connect to server: Permission denied
Is the server running locally and accepting
connections on Unix domain socket "/tmp/.s.PGSQL.5432"?
How can I fix this? I came across this post, but I'm not sure how to apply the solution (chcon -t postgresql_exec_t /path/to/pgbouncer) to my problem.
Thanks!
[edit]
Here's what /var/log/audit/audit.log looks like when I try to access the site:
type=AVC msg=audit(1396289984.549:9245): avc: denied { write } for pid=16975 comm="httpd" name=".s.PGSQL.5432" dev=sda1 ino=2359354 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1396289984.549:9245): arch=c000003e syscall=42 success=no exit=-13 a0=10 a1=7fe625273aa0 a2=6e a3=0 items=0 ppid=16943 pid=16975 auid=22383 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=1213 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1396289984.756:9246): avc: denied { write } for pid=16975 comm="httpd" name=".s.PGSQL.5432" dev=sda1 ino=2359354 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1396289984.756:9246): arch=c000003e syscall=42 success=no exit=-13 a0=10 a1=7fe624d87890 a2=6e a3=0 items=0 ppid=16943 pid=16975 auid=22383 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=1213 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1396289984.757:9247): avc: denied { write } for pid=16975 comm="httpd" name=".s.PGSQL.5432" dev=sda1 ino=2359354 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1396289984.757:9247): arch=c000003e syscall=42 success=no exit=-13 a0=10 a1=7fe625342c20 a2=6e a3=0 items=0 ppid=16943 pid=16975 auid=22383 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=1213 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1396289984.758:9248): avc: denied { write } for pid=16975 comm="httpd" name=".s.PGSQL.5432" dev=sda1 ino=2359354 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1396289984.758:9248): arch=c000003e syscall=42 success=no exit=-13 a0=10 a1=7fe625603ac0 a2=6e a3=0 items=0 ppid=16943 pid=16975 auid=22383 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=1213 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
[edit2]
Here are some relevant SELinux options that I've enabled.
-bash-4.1$ sudo getsebool -a | grep httpd_can_network_connect_db
httpd_can_network_connect_db --> on
-bash-4.1$ sudo getsebool -a | grep allow_user_postgresql_connect
allow_user_postgresql_connect --> on
Solution 1:
For future readers, for me, just setting the bool to allow httpd to make DB connections was sufficient; i.e.:
setsebool -P httpd_can_network_connect_db 1
You can check/verify that the setting is set by:
getsebool httpd_can_network_connect_db
which should return '... => on'
After that, if you tail -f /var/log/audit/audit.log and re-attempt your operation, it should work.
Solution 2:
Ok, with the help of a sysadmin here, the problem is now fixed. As it turns out, the SELinux context assigned to the binaries in /usr/pgsql-9.3/bin was wrong. All it took to fix this was chcon -t postgresql_exec_t /usr/pgsql-9.3/bin. To change the context on symbolic links, just add -h.
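The AVC lines in the question already contain the diagnosis that Solution 2 reached: httpd_t is denied write on a sock_file labelled tmp_t, i.e. the PostgreSQL socket was created with a generic /tmp label rather than a postgresql one. The following is an added example (not from the question or either answer) that parses audit.log AVC records into (source type, target type, class, permissions) groups so you can see at a glance whether a boolean, a relabel, or a custom module is the right fix; the sample log is constructed from the lines quoted above.

```python
import re
from collections import Counter

# Constructed sample: two AVC lines from the question plus one non-AVC record.
SAMPLE_LOG = """\
type=AVC msg=audit(1396289984.549:9245): avc: denied { write } for pid=16975 comm="httpd" name=".s.PGSQL.5432" dev=sda1 ino=2359354 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1396289984.549:9245): arch=c000003e syscall=42 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1396289984.756:9246): avc: denied { write } for pid=16975 comm="httpd" name=".s.PGSQL.5432" dev=sda1 ino=2359354 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=sock_file
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')        # key=value or key="quoted value"
PERMS_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')  # the { write } permission set

def parse_avc(line):
    """Return the interesting fields of one AVC record, or None for other record types."""
    if not line.startswith("type=AVC"):
        return None
    m = PERMS_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    fields["perms"] = tuple(sorted(m.group(1).split()))
    # A context is user:role:type:level; the type (third field) is what policy rules key on.
    fields["stype"] = fields["scontext"].split(":")[2]
    fields["ttype"] = fields["tcontext"].split(":")[2]
    return fields

def summarize(log_text):
    """Count denials per (source type, target type, object class, permissions)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            counts[(rec["stype"], rec["ttype"], rec["tclass"], rec["perms"])] += 1
    return counts

def hint(stype, ttype, tclass, perms):
    """Rule of thumb for the pattern on this page; other patterns just get the raw tuple."""
    if tclass == "sock_file" and ttype == "tmp_t":
        return ("socket carries the generic tmp_t label: check the domain of the process "
                "that created it (ps -eZ) and the file context of its binary, as in Solution 2")
    return "review with audit2why; a boolean may cover %s -> %s %s %s" % (stype, ttype, tclass, " ".join(perms))

if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).items():
        print(n, key, "=>", hint(*key))
```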