On Wed, 2004-11-10 at 11:05, dragoran wrote:
> * echo "allow httpd_t var_lib_t:sock_file rw_socket_perms;" > domains/program/httpd_socket.te

Yes, that instruction was incorrect. Two different objects for a Unix domain socket: the file that is used to "name" it, and the socket itself. So you need something like:

allow httpd_t var_lib_t:sock_file rw_file_perms;
can_unix_send(httpd_t, unconfined_t)
can_unix_connect(httpd_t, unconfined_t)

The first line allows it to access the file object, while the latter two lines allow the inter-process communication between httpd and the mysqld (which is running unconfined by default in the targeted policy).

The obvious problem with this approach is that an exploit of a flaw in your httpd can now reach an unconfined process, possibly subverting it and thus gaining full access to the system. Better to add a separate domain for mysqld.

-- 
Stephen Smalley <sds@xxxxxxxxxxxxxx>
National Security Agency
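As an added illustration (not part of the original message or of any SELinux tool), the script below parses constructed AVC denial lines of the kind this situation produces and groups them into allow rules. It shows the two-object point concretely: the sock_file denial is for the file that names the socket, the unix_stream_socket denial is for the socket itself, and it flags any rule that would open an IPC channel from a confined domain into unconfined_t. The sample lines, the mysql.sock path and the pid are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample AVC denials (not taken from the original message), in the
# dmesg format of 2004-era kernels, for httpd reaching mysqld's Unix socket.
SAMPLE_AVC = """\
audit(1100100001.000:1): avc:  denied  { write } for  pid=1234 comm="httpd" name="mysql.sock" dev=hda3 ino=5678 scontext=root:system_r:httpd_t tcontext=system_u:object_r:var_lib_t tclass=sock_file
audit(1100100001.001:2): avc:  denied  { connectto } for  pid=1234 comm="httpd" path="/var/lib/mysql/mysql.sock" scontext=root:system_r:httpd_t tcontext=system_u:system_r:unconfined_t tclass=unix_stream_socket
audit(1100100001.002:3): avc:  denied  { read } for  pid=1234 comm="httpd" name="mysql.sock" dev=hda3 ino=5678 scontext=root:system_r:httpd_t tcontext=system_u:object_r:var_lib_t tclass=sock_file
"""

# Pull the permission set, source/target security contexts and object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

UNCONFINED = {"unconfined_t"}


def parse_avc(text):
    """Return {(src_type, tgt_type, tclass): set(perms)} from AVC denial lines."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        src = m.group("scontext").split(":")[2]  # user:role:type -> type
        tgt = m.group("tcontext").split(":")[2]
        rules[(src, tgt, m.group("tclass"))].update(m.group("perms").split())
    return dict(rules)


def to_allow_rules(rules):
    """Render parsed denials as policy 'allow' statements, sorted for stable output."""
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in sorted(rules.items())
    ]


def unconfined_ipc(rules):
    """Rules that give a confined domain a socket channel into an unconfined domain."""
    return [(src, tgt, cls) for (src, tgt, cls) in rules
            if tgt in UNCONFINED and cls.endswith("_socket")]


if __name__ == "__main__":
    parsed = parse_avc(SAMPLE_AVC)
    print("\n".join(to_allow_rules(parsed)))
    for src, tgt, cls in unconfined_ipc(parsed):
        print(f"# note: {src} would gain {cls} access to unconfined domain {tgt}")
```

Running it prints one sock_file rule and one unix_stream_socket rule, the second of which is the channel into an unconfined process that the reply warns about.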