Re: PHP cannot connect to mysql server

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]


dragoran wrote:

Stephen Smalley schrieb:

On Wed, 2004-11-10 at 11:05, dragoran wrote:

* echo "allow httpd_t var_lib_t:sock_file rw_socket_perms;" >

Yes, that instruction was incorrect.  Two different objects for a Unix
domain socket: the file that is used to "name" it, and the socket
itself.  So you need something like:

allow httpd_t var_lib_t:sock_file rw_file_perms;
can_unix_send(httpd_t, unconfined_t)
can_unix_connect(httpd_t, unconfined_t)

The first line allows it to access the file object, while the latter two
lines allow the inter-process communication between httpd and the mysqld
(which is running unconfined by default in the targeted policy).  The
obvious problem with this approach is that an exploit of a flaw in your
httpd can now reach an unconfined process, possibly subverting it and
thus gaining full access to the system.  Better to add a separate domain
for mysqld.

and how can I add a separte doiman for mysqld ? Sorry I am new to selinux....

fedora-selinux-list mailing list

Follow the first part of my orignal reply You can try to use it by doing the following MYSQLD.te is the attached file

  * Install selinux-policy-targeted-sources.
  * yum install selinux-policy-targeted-sources
  * cd /etc/selinux/targeted/src/policy
  * cp MYSQLD.te domains/program/
  * make load
  * rpm -q -l mysql | restorecon -R -f -
  * service mysql restart
#DESC Mysqld - Database server
# Author:  Russell Coker <russell@xxxxxxxxxxxx>
# X-Debian-Packages: mysql-server

# Rules for the mysqld_t domain.
# mysqld_exec_t is the type of the mysqld executable.

type mysqld_port_t, port_type;
allow mysqld_t mysqld_port_t:tcp_socket name_bind;

allow mysqld_t mysqld_var_run_t:sock_file create_file_perms;

typealias mysqld_etc_t alias etc_mysqld_t;
type mysqld_db_t, file_type, sysadmfile;


# for temporary tables

allow mysqld_t usr_t:file { getattr read };

allow mysqld_t self:fifo_file { read write };
allow mysqld_t self:unix_stream_socket create_stream_socket_perms;
allow initrc_t mysqld_t:unix_stream_socket connectto;
allow initrc_t mysqld_var_run_t:sock_file write;

allow initrc_t mysqld_log_t:file { write append setattr ioctl };

allow mysqld_t self:capability { dac_override setgid setuid };
allow mysqld_t self:process getsched;

allow mysqld_t proc_t:file { getattr read };

# Allow access to the mysqld databases
create_dir_file(mysqld_t, mysqld_db_t)
allow mysqld_t var_lib_t:dir { getattr search };


# read config files
r_dir_file(initrc_t, mysqld_etc_t)
allow mysqld_t { etc_t etc_runtime_t }:{ file lnk_file } { read getattr };

allow mysqld_t etc_t:dir search;

allow mysqld_t sysctl_kernel_t:dir search;
allow mysqld_t sysctl_kernel_t:file read;

can_unix_connect(sysadm_t, mysqld_t)

# for /root/.my.cnf - should not be needed
allow mysqld_t sysadm_home_dir_t:dir search;
allow mysqld_t sysadm_home_t:file { read getattr };

ifdef(`logrotate.te', `
r_dir_file(logrotate_t, mysqld_etc_t)
allow logrotate_t mysqld_db_t:dir search;
allow logrotate_t mysqld_var_run_t:dir search;
allow logrotate_t mysqld_var_run_t:sock_file write;
can_unix_connect(logrotate_t, mysqld_t)

ifdef(`user_db_connect', `
allow userdomain mysqld_var_run_t:dir search;
allow userdomain mysqld_var_run_t:sock_file write;

ifdef(`daemontools.te', `
domain_auto_trans( svc_run_t, mysqld_exec_t, mysqld_t)
allow svc_start_t mysqld_t:process signal;
')dnl end ifdef daemontools

ifdef(`distro_redhat', `
allow initrc_t mysqld_db_t:dir create_dir_perms;

# because Fedora has the sock_file in the database directory
file_type_auto_trans(mysqld_t, mysqld_db_t, mysqld_var_run_t, sock_file)

[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux