php+mysql under httpd in fc3

Daniel J Walsh dwalsh at redhat.com
Tue May 24 15:55:31 UTC 2005


Stanislav Malyshev wrote:

> I run FC3 with targeted policies (default install). I have a problem 
> connecting to the mysql server from php under apache - the problem 
> is that httpd/php is denied write access to mysql.sock, something like 
> this:
>
> fc3 kernel: audit(1116843116.146:0): avc:  denied { write } for 
> pid=7281 exe=/usr/sbin/httpd name=mysql.sock dev=dm-0 ino=375162 
> scontext=root:system_r:httpd_t tcontext=user_u:object_r:var_lib_t 
> tclass=sock_file
>
> Now, I have seen various modifications to policy sources that would 
> allow it to work, but what I am asking is if it possible to do it 
> without rebuilding policy from sources. The reason for this is that we 
> need to make our product install mysql & certain modules using it 
> on user servers, and we can not count on policy sources being 
> installed there. Also, the security of mysqld itself does not matter 
> in this particular case and it is OK for us to run it unrestricted 
> (it's separate server for this application only without network 
> connection). The only problem is to allow restricted httpd to connect 
> to that particular Unix socket.
>
> I see that default system sources (apache.te) seem to include various 
> types that seem to allow this, but I have no success in using them. If 
> I try to use mysqld_var_run_t chcon gives me "Invalid argument", same 
> with mysqld_db_t. Also, I see that httpd_php_t has can_unix_connect() 
> rule, while httpd_t does not, however I did not find any documentation 
> on what these types are, what's the difference and how one can use 
> httpd_php_t. I see httpd is running now under httpd_t according to ps 
> -eZ.
>
> I also tried to set mysql.sock to tmp_t; then the write error 
> disappears, and this one appears instead:
>
> fc3 kernel: audit(1116844521.972:0): avc:  denied { connectto } for 
> pid=7275 exe=/usr/sbin/httpd path=/var/lib/mysql/mysql.sock 
> scontext=root:system_r:httpd_t tcontext=user_u:system_r:unconfined_t 
> tclass=unix_stream_socket
>
> I am rather new to all SELinux concepts, so if anyone can give me some 
> explanations about this or point me to some docs that describe these 
> things it will be appreciated.
>
> TIA,

Please update to the latest selinux policy and then restart mysql and 
apache.

Dan
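The two AVC records quoted above fail for different reasons: the first is a `write` on a `sock_file` whose file label (`var_lib_t`) is not one httpd_t may write, while the second is a `connectto` on a `unix_stream_socket` whose peer process runs in `unconfined_t`, so relabelling the socket file moved the problem from the file label to the peer domain. The following parser is an added example (not from the thread or from any Fedora tool); it pulls the fields out of kernel AVC lines of this format and classifies each denial as a file-label problem or a domain-to-domain problem. The sample lines are copies of the two messages in the thread.

```python
import re

# Constructed sample input: the two AVC denials quoted in the thread, on one line each.
SAMPLE_AVC = [
    "fc3 kernel: audit(1116843116.146:0): avc:  denied { write } for "
    "pid=7281 exe=/usr/sbin/httpd name=mysql.sock dev=dm-0 ino=375162 "
    "scontext=root:system_r:httpd_t tcontext=user_u:object_r:var_lib_t "
    "tclass=sock_file",
    "fc3 kernel: audit(1116844521.972:0): avc:  denied { connectto } for "
    "pid=7275 exe=/usr/sbin/httpd path=/var/lib/mysql/mysql.sock "
    "scontext=root:system_r:httpd_t tcontext=user_u:system_r:unconfined_t "
    "tclass=unix_stream_socket",
]

# "avc:  denied { perm perm } for key=value key=value ..."
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S+)")

# Object classes whose label lives on a filesystem object; a denial on these
# is usually fixed by relabelling the object (or its path) rather than by a
# rule between two process domains.
FILE_CLASSES = {"file", "dir", "sock_file", "lnk_file", "fifo_file", "chr_file", "blk_file"}


def parse_avc(line):
    """Return a dict of the interesting AVC fields, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group("rest")))
    rec = {"result": m.group("result"), "perms": m.group("perms").split()}
    for key in ("pid", "exe", "path", "name", "scontext", "tcontext", "tclass"):
        rec[key] = fields.get(key)
    # A context is user:role:type[:level]; the type is what the policy rules are written on.
    rec["stype"] = rec["scontext"].split(":")[2] if rec["scontext"] else None
    rec["ttype"] = rec["tcontext"].split(":")[2] if rec["tcontext"] else None
    return rec


def classify(rec):
    """Say which kind of policy mismatch a denial reflects."""
    if rec["tclass"] in FILE_CLASSES:
        return "file-label"       # the object's type is not one the source domain may access
    if rec["tclass"] == "unix_stream_socket" and "connectto" in rec["perms"]:
        return "peer-domain"      # the socket's peer process runs in a domain httpd_t may not connect to
    return "other"


def summarize(lines):
    """Parse every AVC line and return (source type, perms, target type, class, kind) tuples."""
    out = []
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        out.append((rec["stype"], tuple(rec["perms"]), rec["ttype"], rec["tclass"], classify(rec)))
    return out


if __name__ == "__main__":
    for stype, perms, ttype, tclass, kind in summarize(SAMPLE_AVC):
        print("%s denied %s on %s (%s): %s" % (stype, " ".join(perms), tclass, ttype, kind))
```

Running it prints one line per denial; the first is reported as a file-label problem and the second as a peer-domain problem, which is the distinction the original poster was missing when switching the socket to tmp_t.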
