Re: PHP cannot connect to mysql server

Stephen Smalley wrote:

On Wed, 2004-11-10 at 11:05, dragoran wrote:


* echo "allow httpd_t var_lib_t:sock_file rw_socket_perms;" > domains/program/httpd_socket.te



Yes, that instruction was incorrect. There are two different objects for a Unix domain socket: the file that is used to "name" it, and the socket itself. So you need something like:

allow httpd_t var_lib_t:sock_file rw_file_perms;
can_unix_send(httpd_t, unconfined_t)
can_unix_connect(httpd_t, unconfined_t)

The first line allows it to access the file object, while the latter two
lines allow the inter-process communication between httpd and the mysqld
(which is running unconfined by default in the targeted policy).  The
obvious problem with this approach is that an exploit of a flaw in your
httpd can now reach an unconfined process, possibly subverting it and
thus gaining full access to the system.  Better to add a separate domain
for mysqld.



And how can I add a separate domain for mysqld? Sorry, I am new to SELinux....
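
Added example, not part of the original thread: a small Python parser that sorts AVC denials into the two objects described in the reply above (the sock_file that names the socket, and the socket itself) and flags the case where httpd's socket peer is unconfined_t. The log lines are constructed and only modelled on the AVC message format; the function names are hypothetical.

```python
import re

# Constructed AVC denial lines (not from the thread): one for the file that
# names the socket, one for the socket itself, one unrelated file denial.
SAMPLE_LOG = """\
audit(1100102700.123:0): avc:  denied  { write } for  pid=2211 comm="httpd" name="mysql.sock" dev=hda2 ino=48211 scontext=root:system_r:httpd_t tcontext=system_u:object_r:var_lib_t tclass=sock_file
audit(1100102700.124:0): avc:  denied  { connectto } for  pid=2211 comm="httpd" path="/var/lib/mysql/mysql.sock" scontext=root:system_r:httpd_t tcontext=root:system_r:unconfined_t tclass=unix_stream_socket
audit(1100102701.001:0): avc:  denied  { read } for  pid=2300 comm="httpd" name="index.html" dev=hda2 ino=500 scontext=root:system_r:httpd_t tcontext=system_u:object_r:user_home_t tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

FILE_SIDE = {"sock_file"}                               # the name in the filesystem
IPC_SIDE = {"unix_stream_socket", "unix_dgram_socket"}  # the socket itself


def context_type(context):
    """Return the type field (third field) of a user:role:type context."""
    return context.split(":")[2]


def classify(log_text):
    """Return one finding per Unix-domain-socket denial, ignoring other classes."""
    findings = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or m["tclass"] not in FILE_SIDE | IPC_SIDE:
            continue
        target = context_type(m["tcontext"])
        findings.append({
            "object": "socket file" if m["tclass"] in FILE_SIDE else "socket IPC",
            "source": context_type(m["scontext"]),
            "target": target,
            "tclass": m["tclass"],
            "perms": m["perms"].split(),
            # IPC into an unconfined peer is the exposure the reply warns about.
            "reaches_unconfined": m["tclass"] in IPC_SIDE and target == "unconfined_t",
        })
    return findings


if __name__ == "__main__":
    for finding in classify(SAMPLE_LOG):
        print(finding)
```

A denial of the first kind is covered by the sock_file rule, one of the second kind by the can_unix_* lines; seeing reaches_unconfined set is the signal that a separate mysqld domain is the better fix.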

