Paul Howarth wrote:
> Daniel J Walsh wrote:
>> Paul Howarth wrote:
>>> Daniel J Walsh wrote:
>>>> Maria Iano wrote:
>>>>> My vsftpd server needs to talk to my mysql server, and is being
>>>>> denied.
>>>>> Before I use audit2allow to make special rules I wanted to ask whether
>>>>> there is a boolean out there that I am missing. Here is what
>>>>> audit2allow
>>>>> gives me:
>>>>>
>>>>> allow ftpd_t mysqld_db_t:dir search;
>>>>> allow ftpd_t mysqld_t:unix_stream_socket connectto;
>>>>> allow ftpd_t mysqld_var_run_t:sock_file write;
>>>>>
>>>>> I notice there is a boolean for httpd to talk to mysql, which makes me
>>>>> think there might be one for vsftpd. Does anyone know if such a one
>>>>> exists?
>>>>>
>>>>> Thanks,
>>>>> Maria
>>>>>
>>>>> --
>>>>> fedora-selinux-list mailing list
>>>>> fedora-selinux-list@xxxxxxxxxx
>>>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>>> Why does ftpd talk to mysqld?
>>> To use a database backend for virtual users I'd guess.
>>>
>>> http://www.niraj.info/vsftpd-mysql
>>>
>>> Paul.
>> Learn something new every day...
>>
>> Miroslav, can you add the following snippets to F9 and F10 policy.
>>
>>
>> ## <desc>
>> ## <p>
>> ## Allow ftp servers to use connect to mysql database
>> ## </p>
>> ## </desc>
>> gen_tunable(ftpd_connect_db, false)
>>
>> ## <desc>
>> ## <p>
>>
>> ....
>>
>> optional_policy(`
>>     tunable_policy(`ftpd_connect_db',`
>>         mysql_stream_connect(ftpd_t)
>>     ')
>> ')
>
> It's not just vsftpd that can do this btw - proftpd supports postgresql
> and LDAP backends for this purpose.
>
> Paul.

Already can connect to ldap through auth_use_sswitch.

optional_policy(`
    tunable_policy(`ftpd_connect_db',`
        mysql_stream_connect(ftpd_t)
    ')
')

optional_policy(`
    tunable_policy(`ftpd_connect_db',`
        postgresql_stream_connect(ftpd_t)
    ')
')

tunable_policy(`ftpd_connect_db',`
    corenet_tcp_connect_mysqld_port(ftpd_t)
    corenet_tcp_connect_postgresql_port(ftpd_t)
')

But these others should handle both local and remote databases.
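
Added example, not part of the thread and not audit2allow's own code: a small Python sketch of how AVC denials collapse into the kind of allow rules quoted in the original question, so they can be reviewed against an existing boolean before a local module is built. The audit log lines, function names and the regular expression are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed audit.log lines (not from the thread), shaped like denials that
# would yield the three rules quoted in the original question.
SAMPLE_LOG = """\
type=AVC msg=audit(1234260000.101:41): avc:  denied  { search } for  pid=2101 comm="vsftpd" name="mysql" dev=dm-0 ino=4711 scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:object_r:mysqld_db_t:s0 tclass=dir
type=AVC msg=audit(1234260000.102:42): avc:  denied  { write } for  pid=2101 comm="vsftpd" name="mysql.sock" dev=dm-0 ino=4712 scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:object_r:mysqld_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1234260000.103:43): avc:  denied  { connectto } for  pid=2101 comm="vsftpd" path="/var/lib/mysql/mysql.sock" scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1234260009.555:57): avc:  denied  { search } for  pid=2140 comm="vsftpd" name="mysql" dev=dm-0 ino=4711 scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:object_r:mysqld_db_t:s0 tclass=dir
type=AVC msg=audit(1234260010.001:58): avc:  granted  { setenforce } for  pid=1 comm="init" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
type=SYSCALL msg=audit(1234260000.103:43): arch=40000003 syscall=102 success=no exit=-13 comm="vsftpd"
"""

# Only "denied" AVC records count; captures permissions, both contexts, class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)"
)

def context_type(ctx):
    """Return the type field of a user:role:type[:level] security context."""
    return ctx.split(":")[2]

def denials_to_rules(log_text):
    """Merge AVC denials into one allow rule per (source, target, class)."""
    perms = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue  # granted AVCs, SYSCALL records and other noise
        key = (context_type(m["s"]), context_type(m["t"]), m["cls"])
        perms[key].update(m["perms"].split())
    rules = []
    for (src, tgt, cls), found in sorted(perms.items()):
        names = sorted(found)
        body = names[0] if len(names) == 1 else "{ " + " ".join(names) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules

def rules_for_domain(rules, domain):
    """Keep only rules whose source domain matches, e.g. ftpd_t."""
    return [r for r in rules if r.split()[1] == domain]

if __name__ == "__main__":
    for rule in rules_for_domain(denials_to_rules(SAMPLE_LOG), "ftpd_t"):
        print(rule)
```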