On Tue, 10 Feb 2009 15:19:06 -0500 Maria Iano <maria@xxxxxxxx> wrote:

>
> On Feb 10, 2009, at 11:12 AM, Daniel J Walsh wrote:
> >>>
> >>>
> >>> Maria Iano wrote:
> >>>> My vsftpd server needs to talk to my mysql server, and is being
> >>>> denied. Before I use audit2allow to make special rules I wanted to
> >>>> ask whether there is a boolean out there that I am missing. Here is
> >>>> what audit2allow gives me:
> >>>>
> >>>> allow ftpd_t mysqld_db_t:dir search;
> >>>> allow ftpd_t mysqld_t:unix_stream_socket connectto;
> >>>> allow ftpd_t mysqld_var_run_t:sock_file write;
> >>>>
> >>>> I notice there is a boolean for httpd to talk to mysql, which makes
> >>>> me think there might be one for vsftpd. Does anyone know if such a
> >>>> one exists?
> >>>>
> >>>> Thanks,
> >>>> Maria
> >>>>
> >>>
> >>> Why does ftpd talk to mysqld?
> >>
> >> To use a database backend for virtual users I'd guess.
> >>
> >> http://www.niraj.info/vsftpd-mysql
> >>
> >> Paul.
> > Learn something new every day...
> >
> > Miroslav, can you add the following snippets to F9 and F10 policy.
> >
> >
> > ## <desc>
> > ## <p>
> > ## Allow ftp servers to connect to the mysql database
> > ## </p>
> > ## </desc>
> > gen_tunable(ftpd_connect_db, false)
> >
> > ## <desc>
> > ## <p>
> >
> > ....
> >
> > optional_policy(`
> > tunable_policy(`ftpd_connect_db',`
> > mysql_stream_connect(ftpd_t)
> > ')
> > ')
>
> Thank you, this will be very helpful!
>
> I am probably revealing my ignorance here, but...
>
> shouldn't a boolean for ftpd_connect_db allow all three of the
> things that were denied?:
>
> allow ftpd_t mysqld_db_t:dir search;
> allow ftpd_t mysqld_t:unix_stream_socket connectto;
> allow ftpd_t mysqld_var_run_t:sock_file write;
>
> Otherwise I also have to turn on either the allow_ftpd_full_access
> boolean or the ftp_home_dir boolean, both of which do more than I
> need just to talk to mysql.
>
> I'm sure you have a good reason (too much clutter perhaps) but I am
> curious.

mysql_stream_connect(ftpd_t) expands to the following rules:

allow ftpd_t mysqld_var_run_t:dir { getattr search };
allow ftpd_t mysqld_var_run_t:sock_file { getattr write };
allow ftpd_t mysqld_t:unix_stream_socket connectto;
allow ftpd_t mysqld_db_t:dir { getattr search };
allow ftpd_t mysqld_var_run_t:sock_file { getattr write };
allow ftpd_t mysqld_t:unix_stream_socket connectto;

So it does what you need, and very little more. It's such a common idiom
that macros are used to simplify the rules.

Paul.

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
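As an added example (not code from the thread), the following script checks Paul's point mechanically: it parses audit2allow-style allow rules and reports which of the observed denials an interface expansion would leave uncovered, and which extra permissions it grants beyond them. The sample inputs are the rules quoted in the thread; the parser handles only plain `allow` statements, which is an assumption of this example.

```python
import re

# Constructed sample: the three rules audit2allow produced in the thread.
DENIED_RULES = """
allow ftpd_t mysqld_db_t:dir search;
allow ftpd_t mysqld_t:unix_stream_socket connectto;
allow ftpd_t mysqld_var_run_t:sock_file write;
"""

# Constructed sample: the expansion of mysql_stream_connect(ftpd_t) quoted
# above; the interface emits duplicates, which the set comparison absorbs.
MACRO_EXPANSION = """
allow ftpd_t mysqld_var_run_t:dir { getattr search };
allow ftpd_t mysqld_var_run_t:sock_file { getattr write };
allow ftpd_t mysqld_t:unix_stream_socket connectto;
allow ftpd_t mysqld_db_t:dir { getattr search };
allow ftpd_t mysqld_var_run_t:sock_file { getattr write };
allow ftpd_t mysqld_t:unix_stream_socket connectto;
"""

# Matches `allow SRC TGT:CLASS PERM;` and `allow SRC TGT:CLASS { PERM ... };`.
RULE_RE = re.compile(r"^\s*allow\s+(\S+)\s+([^:\s]+):(\S+)\s+(\{[^}]*\}|\S+)\s*;\s*$")

def parse_allow_rules(text):
    """Return a set of (source, target, class, permission) tuples; a braced
    permission list such as `{ getattr search }` yields one tuple per permission."""
    rules = set()
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # skip blanks and comments
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unrecognised allow rule: %r" % line)
        src, tgt, cls, perms = m.groups()
        for perm in perms.strip("{} ").split():
            rules.add((src, tgt, cls, perm))
    return rules

def uncovered(denied_text, granted_text):
    """Denials the proposed rules would leave unaddressed (ideally empty)."""
    return parse_allow_rules(denied_text) - parse_allow_rules(granted_text)

def extra(denied_text, granted_text):
    """Permissions the proposed rules grant beyond the observed denials."""
    return parse_allow_rules(granted_text) - parse_allow_rules(denied_text)

if __name__ == "__main__":
    print("uncovered:", sorted(uncovered(DENIED_RULES, MACRO_EXPANSION)))
    print("extra:", sorted(extra(DENIED_RULES, MACRO_EXPANSION)))
```

For the thread's rules the uncovered set is empty and the only extras are the `getattr` permissions and the `search` on `mysqld_var_run_t`, which is the "very little more" Paul describes.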