php+mysql under httpd in fc3
Daniel J Walsh
dwalsh at redhat.com
Tue May 24 15:55:31 UTC 2005
Stanislav Malyshev wrote:
> I run FC3 with targeted policies (default install). I have a problem
> connecting to the mysql server from php under apache - the problem
> is that httpd/php is denied write access to mysql.sock, something like
> this:
>
> fc3 kernel: audit(1116843116.146:0): avc: denied { write } for
> pid=7281 exe=/usr/sbin/httpd name=mysql.sock dev=dm-0 ino=375162
> scontext=root:system_r:httpd_t tcontext=user_u:object_r:var_lib_t
> tclass=sock_file
>
> Now, I have seen various modifications to policy sources that would
> allow it to work, but what I am asking is if it is possible to do it
> without rebuilding policy from sources. The reason for this is that we
> need to make our product install mysql & certain modules using it
> on user servers, and we can not count on policy sources being
> installed there. Also, the security of mysqld itself does not matter
> in this particular case and it is OK for us to run it unrestricted
> (it's a separate server for this application only without network
> connection). The only problem is to allow restricted httpd to connect
> to that particular Unix socket.
>
> I see that default system sources (apache.te) seem to include various
> types that seem to allow this, but I have no success in using them. If
> I try to use mysqld_var_run_t chcon gives me "Invalid argument", same
> with mysqld_db_t. Also, I see that httpd_php_t has can_unix_connect()
> rule, while httpd_t does not, however I did not find any documentation
> on what these types are, what's the difference and how one can use
> httpd_php_t. I see httpd is running now under httpd_t according to ps
> -eZ.
>
> I also tried to set mysql.sock to tmp_t, then the write error
> disappears, and this one appears instead:
>
> fc3 kernel: audit(1116844521.972:0): avc: denied { connectto } for
> pid=7275 exe=/usr/sbin/httpd path=/var/lib/mysql/mysql.sock
> scontext=root:system_r:httpd_t tcontext=user_u:system_r:unconfined_t
> tclass=unix_stream_socket
>
> I am rather new to all SELinux concepts, so if anyone can give me some
> explanations about this or point me to some docs that describe these
> things it will be appreciated.
>
> TIA,
Please update to the latest selinux policy and then restart mysql and
apache.
Dan
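To make denials like the two quoted in the thread easier to read, here is an added example (not from the thread or from the SELinux project) that parses the FC3-era `audit(...)` AVC record format into fields and pulls out the source and target types, which are what a policy or label fix has to be matched against. The two sample lines are the ones from the post, embedded as constructed input.

```python
import re

# The two AVC denial lines from the thread, embedded as sample input:
# the first is the write denial on the socket file, the second the
# connectto denial seen after the socket was relabelled tmp_t.
SAMPLE_AVC_LINES = [
    "fc3 kernel: audit(1116843116.146:0): avc: denied { write } for "
    "pid=7281 exe=/usr/sbin/httpd name=mysql.sock dev=dm-0 ino=375162 "
    "scontext=root:system_r:httpd_t tcontext=user_u:object_r:var_lib_t "
    "tclass=sock_file",
    "fc3 kernel: audit(1116844521.972:0): avc: denied { connectto } for "
    "pid=7275 exe=/usr/sbin/httpd path=/var/lib/mysql/mysql.sock "
    "scontext=root:system_r:httpd_t tcontext=user_u:system_r:unconfined_t "
    "tclass=unix_stream_socket",
]

# Header: audit(<epoch seconds>:<serial>): avc: denied { perm ... } for <k=v ...>
AVC_RE = re.compile(
    r"audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc: "
    r"(?P<result>denied|granted) \{ (?P<perms>[^}]+) \} for (?P<rest>.*)$"
)
# The remainder is a flat run of key=value pairs (pid, exe, name, path, ...).
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_avc(line):
    """Return a dict of the AVC record's fields, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": m.group("perms").split(),
    }
    rec.update(KV_RE.findall(m.group("rest")))
    # Split user:role:type so the type component can be compared directly.
    for ctx in ("scontext", "tcontext"):
        if ctx in rec:
            user, role, typ = rec[ctx].split(":")[:3]
            rec[ctx + "_type"] = typ
    return rec


def summarize(line):
    """One-line summary: which binary/domain was denied what on which labelled target."""
    rec = parse_avc(line)
    if rec is None:
        return None
    target = rec.get("path") or rec.get("name") or "?"
    return "%s (%s) denied %s on %s (%s, class %s)" % (
        rec.get("exe", "?"), rec["scontext_type"], ",".join(rec["perms"]),
        target, rec["tcontext_type"], rec.get("tclass", "?"))
```

Running `summarize` over both lines shows the same source domain (httpd_t) hitting two different target types (var_lib_t, then unconfined_t), which is why relabelling the socket file alone moved the denial rather than removing it.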