On Feb 10, 2009, at 11:12 AM, Daniel J Walsh wrote:
Maria Iano wrote:
My vsftpd server needs to talk to my mysql server, and is being denied.
Before I use audit2allow to make special rules I wanted to ask whether
there is a boolean out there that I am missing. Here is what audit2allow
gives me:
allow ftpd_t mysqld_db_t:dir search;
allow ftpd_t mysqld_t:unix_stream_socket connectto;
allow ftpd_t mysqld_var_run_t:sock_file write;
I notice there is a boolean for httpd to talk to mysql, which makes me
think there might be one for vsftpd. Does anyone know if such a one
exists?
Thanks,
Maria
Why does ftpd talk to mysqld?
To use a database backend for virtual users I'd guess.
http://www.niraj.info/vsftpd-mysql
Paul.
Learn something new every day...
Miroslav, can you add the following snippets to F9 and F10 policy?
## <desc>
## <p>
## Allow ftp servers to use connect to mysql database
## </p>
## </desc>
gen_tunable(ftpd_connect_db, false)
## <desc>
## <p>
....
optional_policy(`
tunable_policy(`ftpd_connect_db',`
mysql_stream_connect(ftpd_t)
')
')
Thank you, this will be very helpful!
I am probably revealing my ignorance here, but...
shouldn't a boolean for ftpd_connect_db allow all three of the things
that were denied?:
allow ftpd_t mysqld_db_t:dir search;
allow ftpd_t mysqld_t:unix_stream_socket connectto;
allow ftpd_t mysqld_var_run_t:sock_file write;
Otherwise I also have to turn on either the allow_ftpd_full_access
boolean or the ftp_home_dir boolean, both of which do more than I need
just to talk to mysql.
I'm sure you have a good reason (too much clutter perhaps) but I am
curious.
Thanks,
Maria
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
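
How AVC denials turn into the three allow rules quoted in this thread, as an added Python example that is not part of the original messages. The audit records are constructed for illustration and the function names are this example's own; the real audit2allow does more than this sketch.

```python
import re
from collections import defaultdict

# Constructed audit records (not from the thread), shaped like the three
# denials Maria reports, plus one repeated denial and one non-AVC record.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1234282320.101:51): avc:  denied  { search } for  pid=2101 comm="vsftpd" name="mysql" dev=dm-0 ino=98305 scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:object_r:mysqld_db_t:s0 tclass=dir
type=SYSCALL msg=audit(1234282320.101:51): arch=40000003 syscall=102 success=no exit=-13 comm="vsftpd"
type=AVC msg=audit(1234282320.105:52): avc:  denied  { write } for  pid=2101 comm="vsftpd" name="mysql.sock" dev=dm-0 ino=98311 scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:object_r:mysqld_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1234282320.109:53): avc:  denied  { connectto } for  pid=2101 comm="vsftpd" name="mysql.sock" scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1234282355.440:60): avc:  denied  { write } for  pid=2140 comm="vsftpd" name="mysql.sock" dev=dm-0 ino=98311 scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:object_r:mysqld_var_run_t:s0 tclass=sock_file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def context_type(context):
    # A context is user:role:type[:mls-range]; the type is the third field.
    return context.split(":")[2]

def denials_to_rules(log_text):
    """Merge AVC denials into one allow rule per (source, target, class)."""
    wanted = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL and other record types carry no denial
        key = (context_type(m["scon"]), context_type(m["tcon"]), m["tclass"])
        wanted[key].update(m["perms"].split())
    rules = []
    for (src, tgt, cls), perms in sorted(wanted.items()):
        names = sorted(perms)
        perm_text = names[0] if len(names) == 1 else "{ " + " ".join(names) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_text};")
    return rules

if __name__ == "__main__":
    print("\n".join(denials_to_rules(SAMPLE_AUDIT_LOG)))
```

Each rule names only the SELinux types and the object class, so the repeated socket denial from a second process collapses into a single rule.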