Daniel J Walsh schrieb:
dragoran wrote:
I am running FC3 with SELinux in targeted policy. When PHP tries to connect to the mysql server I get these messages in dmesg:
sbin/httpd name=mysql.sock dev=hda3 ino=309535 scontext=user_u:system_r:httpd_t tcontext=user_u:object_r:var_lib_t tclass=sock_file
Disabling SELinux for Apache fixes this, but I want to run httpd with SELinux.
So how can I fix this?
A couple of things to try.
I am thinking of adding mysqld.te file to targeted policy. (attached)
You can try to use it by doing the following:
* Install selinux-policy-targeted-sources.
* yum install selinux-policy-targeted-sources
* cd /etc/selinux/targeted/src/policy
* cp MYSQLD.te domains/program/
* make load
* rpm -q -l mysql | restorecon -R -f -
* service mysql restart
Or you can just add the ability to write to sock_files in var lib (note that this is a broader grant than the per-type rules in the attached file: var_lib_t is the generic label, so the rule covers every sock_file under /var/lib, not only the mysql socket).
* Install selinux-policy-targeted-sources.
* yum install selinux-policy-targeted-sources
* cd /etc/selinux/targeted/src/policy
* echo "allow httpd_t var_lib_t:sock_file rw_socket_perms;" > domains/program/httpd_socket.te
* make load
------------------------------------------------------------------------
#DESC Mysqld - Database server
#
# Author: Russell Coker <russell@xxxxxxxxxxxx>
# X-Debian-Packages: mysql-server
#
# Domain policy for the MySQL server (mysqld_t) in the m4-based policy
# sources of this era.  Types that are used but not declared in this file
# (mysqld_exec_t, mysqld_var_run_t, mysqld_log_t, mysqld_etc_t) are
# presumably created by the *_domain() macros below - confirm against the
# macro definitions in the policy tree.

#################################
#
# Rules for the mysqld_t domain.
#
# mysqld_exec_t is the type of the mysqld executable.
#
daemon_domain(mysqld)

# The daemon may bind its TCP listener only to ports carrying its own port
# type; which port numbers get that type is assigned elsewhere.
type mysqld_port_t, port_type;
allow mysqld_t mysqld_port_t:tcp_socket name_bind;

# The daemon creates its client socket file under its own var_run type.
# Clients are then granted access to mysqld_var_run_t specifically rather
# than to the generic var_lib_t label (see the initrc_t rules below for the
# two halves a connecting domain needs).
allow mysqld_t mysqld_var_run_t:sock_file create_file_perms;

# Configuration directory type; the alias keeps the older etc_mysqld_t
# name valid for existing file contexts.
etcdir_domain(mysqld)
typealias mysqld_etc_t alias etc_mysqld_t;
# Database files (file_type, sysadmfile attributes).
type mysqld_db_t, file_type, sysadmfile;

log_domain(mysqld)

# for temporary tables
tmp_domain(mysqld)

allow mysqld_t usr_t:file { getattr read };

# Self access, and what the init script (initrc_t) needs to talk to the
# daemon and to its log file.
allow mysqld_t self:fifo_file { read write };
allow mysqld_t self:unix_stream_socket create_stream_socket_perms;
# A client of the daemon needs both halves: connectto on the daemon
# process socket (unix_stream_socket) and write on the sock_file inode.
allow initrc_t mysqld_t:unix_stream_socket connectto;
allow initrc_t mysqld_var_run_t:sock_file write;
allow initrc_t mysqld_log_t:file { write append setattr ioctl };

# setgid/setuid are presumably for switching to the service account;
# dac_override bypasses discretionary checks, so it is confined to this
# domain only.  getsched is needed on self - no other process.
allow mysqld_t self:capability { dac_override setgid setuid };
allow mysqld_t self:process getsched;

allow mysqld_t proc_t:file { getattr read };

# Allow access to the mysqld databases
create_dir_file(mysqld_t, mysqld_db_t)
# Only traversal of the parent /var/lib directory, not access to other
# var_lib_t content.
allow mysqld_t var_lib_t:dir { getattr search };

can_network(mysqld_t)
can_ypbind(mysqld_t)

# read config files
r_dir_file(initrc_t, mysqld_etc_t)
allow mysqld_t { etc_t etc_runtime_t }:{ file lnk_file } { read getattr };
allow mysqld_t etc_t:dir search;

allow mysqld_t sysctl_kernel_t:dir search;
allow mysqld_t sysctl_kernel_t:file read;

# The admin domain may connect to the daemon over its unix socket.
can_unix_connect(sysadm_t, mysqld_t)

# for /root/.my.cnf - should not be needed
allow mysqld_t sysadm_home_dir_t:dir search;
allow mysqld_t sysadm_home_t:file { read getattr };

# logrotate flushes the server via its socket, so it gets the same
# sock_file write plus unix connect pair that the init script has.
ifdef(`logrotate.te', `
r_dir_file(logrotate_t, mysqld_etc_t)
allow logrotate_t mysqld_db_t:dir search;
allow logrotate_t mysqld_var_run_t:dir search;
allow logrotate_t mysqld_var_run_t:sock_file write;
can_unix_connect(logrotate_t, mysqld_t)
')

# Optional: let ordinary user domains reach the socket file.
# NOTE(review): write on the sock_file is only half of a connect; the
# matching connectto on the mysqld_t unix_stream_socket is not granted in
# this block, so check whether it comes from elsewhere before relying on
# this tunable.
ifdef(`user_db_connect', `
allow userdomain mysqld_var_run_t:dir search;
allow userdomain mysqld_var_run_t:sock_file write;
')

# Supervision by daemontools: run the executable in mysqld_t and allow the
# supervisor to signal it.
ifdef(`daemontools.te', `
domain_auto_trans( svc_run_t, mysqld_exec_t, mysqld_t)
allow svc_start_t mysqld_t:process signal;
svc_ipc_domain(mysqld_t)
')dnl end ifdef daemontools

ifdef(`distro_redhat', `
allow initrc_t mysqld_db_t:dir create_dir_perms;
# because Fedora has the sock_file in the database directory
# Without this transition a socket created in the database directory
# inherits the directory label (var_lib_t if the directory is not yet
# relabelled), which is exactly the object a web server connect is denied
# on.  With it the socket gets mysqld_var_run_t and the daemon rules above
# apply.
# NOTE(review): nothing in this file grants httpd_t access to
# mysqld_var_run_t; confirm that the targeted apache policy does, otherwise
# relabelling alone will not resolve an httpd -> mysql denial.
file_type_auto_trans(mysqld_t, mysqld_db_t, mysqld_var_run_t, sock_file)
')
------------------------------------------------------------------------
I tried this: Or you can just add the ability to write to sock_files in var lib.
* Install selinux-policy-targeted-sources.
* yum install selinux-policy-targeted-sources
* cd /etc/selinux/targeted/src/policy
* echo "allow httpd_t var_lib_t:sock_file rw_socket_perms;" >
domains/program/httpd_socket.te
* make load
but I get this when executing make load:
domains/program/httpd_socket.te:2:ERROR 'permission bind is not defined for class sock_file' at token ';' on line 8239:
allow httpd_t var_lib_t:sock_file { ioctl read getattr write setattr append bind connect getopt setopt shutdown };
#line 1 "domains/program/httpd_socket.te"
domains/program/httpd_socket.te:2:ERROR 'permission connect is not defined for class sock_file' at token ';' on line 8239:
allow httpd_t var_lib_t:sock_file { ioctl read getattr write setattr append bind connect getopt setopt shutdown };
#line 1 "domains/program/httpd_socket.te"
domains/program/httpd_socket.te:2:ERROR 'permission getopt is not defined for class sock_file' at token ';' on line 8239:
allow httpd_t var_lib_t:sock_file { ioctl read getattr write setattr append bind connect getopt setopt shutdown };
#line 1 "domains/program/httpd_socket.te"
domains/program/httpd_socket.te:2:ERROR 'permission setopt is not defined for class sock_file' at token ';' on line 8239:
allow httpd_t var_lib_t:sock_file { ioctl read getattr write setattr append bind connect getopt setopt shutdown };
#line 1 "domains/program/httpd_socket.te"
domains/program/httpd_socket.te:2:ERROR 'permission shutdown is not defined for class sock_file' at token ';' on line 8239:
allow httpd_t var_lib_t:sock_file { ioctl read getattr write setattr append bind connect getopt setopt shutdown };
#line 1 "domains/program/httpd_socket.te"
security: 3 users, 4 roles, 280 types, 16 bools
security: 53 classes, 5495 rules
/usr/bin/checkpolicy: error(s) encountered while parsing configuration
make: *** [/etc/selinux/targeted/policy/policy.18] Fehler 1