The current postgresql_stream_connect interface doesn't seem to give the right to go through /run/postgresql (system_u:object_r:postgresql_var_run_t), where the socket is. AVC example:

Sep 27 21:58:31 *** kernel: [429002.515051] type=1400 audit(1348775911.015:593): avc: denied { search } for pid=26462 comm="php-fpm" name="postgresql" dev="tmpfs" ino=4852 scontext=system_u:system_r:phpfpm_t tcontext=system_u:object_r:postgresql_var_run_t tclass=dir

I've fixed this on my server by adding individual rules per domain that needs it:

allow $1 postgresql_var_run_t:dir search;
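Added illustration, not the upstream patch and not this bug's own code: the same permission expressed as a reference-policy interface, so every caller picks it up through postgresql_stream_connect() instead of a raw per-domain allow rule. The interface body is an assumed reconstruction using refpolicy's stream_connect_pattern and files_search_pids macros; phpfpm_t is the caller from the AVC above.

```selinux
## <summary>Connect to PostgreSQL over its unix domain socket.</summary>
## <param name="domain"><summary>Domain allowed access.</summary></param>
interface(`postgresql_stream_connect',`
	gen_require(`
		type postgresql_t, postgresql_var_run_t;
	')

	# Traverse /run itself (var_run_t) on the way to the socket.
	files_search_pids($1)

	# Assumed fix: pass the pid directory type as the directory argument.
	# stream_connect_pattern($1, dir, sock_file, server) expands to
	#   allow $1 dir:dir search_dir_perms;          <- the denied "search"
	#   allow $1 sock_file:sock_file write_sock_file_perms;
	#   allow $1 server:unix_stream_socket connectto;
	# which covers the AVC above without a hand-written allow per domain.
	stream_connect_pattern($1, postgresql_var_run_t, postgresql_var_run_t, postgresql_t)
')

# Call site in the caller's module (phpfpm.te), wrapped so the module
# still builds when the postgresql policy module is not installed:
optional_policy(`
	postgresql_stream_connect(phpfpm_t)
')
```

After loading the rebuilt modules, `sesearch -A -s phpfpm_t -t postgresql_var_run_t -c dir -p search` should list the resulting rule; if it is absent, the denial will reappear in the audit log under the same scontext/tcontext pair.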
Submitted upstream [1], if there's no quick action on it nor specific feedback, I'll apply to our repository and hope it'll get applied later ;) [1] http://oss.tresys.com/pipermail/refpolicy/2012-October/005804.html
Accepted and committed upstream, and our repository is now sync'ed as well. Will also be part of the r6 release
In hardened-dev, r6 release
In main tree, ~arch'ed
r8 is now stable