PHP cannot connect to mysql server

dragoran dragoran at feuerpokemon.de
Wed Nov 10 16:37:39 UTC 2004


Daniel J Walsh schrieb:

> dragoran wrote:
>
>> Stephen Smalley schrieb:
>>
>>> On Wed, 2004-11-10 at 11:05, dragoran wrote:
>>>
>>>>   * echo "allow httpd_t var_lib_t:sock_file rw_socket_perms;" >
>>>>     domains/program/httpd_socket.te
>>>
>>> Yes, that instruction was incorrect.  Two different objects for a Unix
>>> domain socket: the file that is used to "name" it, and the socket
>>> itself.  So you need something like:
>>>
>>> allow httpd_t var_lib_t:sock_file rw_file_perms;
>>> can_unix_send(httpd_t, unconfined_t)
>>> can_unix_connect(httpd_t, unconfined_t)
>>>
>>> The first line allows it to access the file object, while the latter two
>>> lines allow the inter-process communication between httpd and the mysqld
>>> (which is running unconfined by default in the targeted policy).  The
>>> obvious problem with this approach is that an exploit of a flaw in your
>>> httpd can now reach an unconfined process, possibly subverting it and
>>> thus gaining full access to the system.  Better to add a separate domain
>>> for mysqld.
>>>
>>>
>> and how can I add a separate domain for mysqld ? Sorry I am new to 
>> selinux....
>>
>> -- 
>> fedora-selinux-list mailing list
>> fedora-selinux-list at redhat.com
>> http://www.redhat.com/mailman/listinfo/fedora-selinux-list
>
>
> Follow the first part of my original reply.
> You can try to use it by doing the following.
> MYSQLD.te is the attached file.
>
>   * Install selinux-policy-targeted-sources.
>   * yum install selinux-policy-targeted-sources
>   * cd /etc/selinux/targeted/src/policy
>   * cp MYSQLD.te domains/program/
>   * make load
>   * rpm -q -l mysql | restorecon -R -f -
>   * service mysql restart
>
>------------------------------------------------------------------------
>
>#DESC Mysqld - Database server
>#
># Author:  Russell Coker <russell at coker.com.au>
># X-Debian-Packages: mysql-server
>#
>
>#################################
>#
># Rules for the mysqld_t domain.
>#
># mysqld_exec_t is the type of the mysqld executable.
>#
>daemon_domain(mysqld)
>
>type mysqld_port_t, port_type;
>allow mysqld_t mysqld_port_t:tcp_socket name_bind;
>
>allow mysqld_t mysqld_var_run_t:sock_file create_file_perms;
>
>etcdir_domain(mysqld)
>typealias mysqld_etc_t alias etc_mysqld_t;
>type mysqld_db_t, file_type, sysadmfile;
>
>log_domain(mysqld)
>
># for temporary tables
>tmp_domain(mysqld)
>
>allow mysqld_t usr_t:file { getattr read };
>
>allow mysqld_t self:fifo_file { read write };
>allow mysqld_t self:unix_stream_socket create_stream_socket_perms;
>allow initrc_t mysqld_t:unix_stream_socket connectto;
>allow initrc_t mysqld_var_run_t:sock_file write;
>
>allow initrc_t mysqld_log_t:file { write append setattr ioctl };
>
>allow mysqld_t self:capability { dac_override setgid setuid };
>allow mysqld_t self:process getsched;
>
>allow mysqld_t proc_t:file { getattr read };
>
># Allow access to the mysqld databases
>create_dir_file(mysqld_t, mysqld_db_t)
>allow mysqld_t var_lib_t:dir { getattr search };
>
>can_network(mysqld_t)
>can_ypbind(mysqld_t)
>
># read config files
>r_dir_file(initrc_t, mysqld_etc_t)
>allow mysqld_t { etc_t etc_runtime_t }:{ file lnk_file } { read getattr };
>
>allow mysqld_t etc_t:dir search;
>
>allow mysqld_t sysctl_kernel_t:dir search;
>allow mysqld_t sysctl_kernel_t:file read;
>
>can_unix_connect(sysadm_t, mysqld_t)
>
># for /root/.my.cnf - should not be needed
>allow mysqld_t sysadm_home_dir_t:dir search;
>allow mysqld_t sysadm_home_t:file { read getattr };
>
>ifdef(`logrotate.te', `
>r_dir_file(logrotate_t, mysqld_etc_t)
>allow logrotate_t mysqld_db_t:dir search;
>allow logrotate_t mysqld_var_run_t:dir search;
>allow logrotate_t mysqld_var_run_t:sock_file write;
>can_unix_connect(logrotate_t, mysqld_t)
>')
>
>ifdef(`user_db_connect', `
>allow userdomain mysqld_var_run_t:dir search;
>allow userdomain mysqld_var_run_t:sock_file write;
>')
>
>ifdef(`daemontools.te', `
>domain_auto_trans( svc_run_t, mysqld_exec_t, mysqld_t)
>allow svc_start_t mysqld_t:process signal;
>svc_ipc_domain(mysqld_t)
>')dnl end ifdef daemontools
>
>ifdef(`distro_redhat', `
>allow initrc_t mysqld_db_t:dir create_dir_perms;
>
># because Fedora has the sock_file in the database directory
>file_type_auto_trans(mysqld_t, mysqld_db_t, mysqld_var_run_t, sock_file)
>')
>
thx it seems to work ;)
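Since "it seems to work" is the only verification in the thread, here is an added check (not code from the thread or from the policy author) that confirms what MYSQLD.te is supposed to achieve: mysqld runs in its own mysqld_t domain rather than unconfined_t, and its socket file carries mysqld_var_run_t, the type the file_type_auto_trans() rule assigns to sock_files created under mysqld_db_t. The functions parse `ps -eZ` and `ls -Z` output; the sample output and the socket path /var/lib/mysql/mysql.sock are constructed assumptions.

```sh
#!/bin/sh
# Added example, not code from the thread. Verifies that the MYSQLD.te policy
# took effect: mysqld is confined to mysqld_t, and its socket file is labeled
# mysqld_var_run_t (not left as var_lib_t, which would again need the broad
# httpd_t -> var_lib_t rules the thread warns against).

# $1: output of `ps -eZ`. Exit 0 only if at least one mysqld process exists
# and every one of them runs as mysqld_t (not unconfined_t).
mysqld_confined() {
    printf '%s\n' "$1" | awk '
        $NF == "mysqld" { n++; split($1, c, ":"); if (c[3] != "mysqld_t") bad++ }
        END { exit (n > 0 && bad == 0) ? 0 : 1 }'
}

# $1: output of `ls -Z <socket>`. Exit 0 if a user:role:type context on the
# line has type mysqld_var_run_t, 1 otherwise (e.g. restorecon did not run).
socket_labeled() {
    printf '%s\n' "$1" | awk '
        { for (i = 1; i <= NF; i++) if (split($i, c, ":") >= 3 && c[3] == "mysqld_var_run_t") ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# Constructed sample output, mimicking the Fedora-era `ps -eZ` and `ls -Z` formats.
PS_GOOD='LABEL                            PID TTY      TIME CMD
system_u:system_r:mysqld_t      1234 ?    00:00:01 mysqld
system_u:system_r:httpd_t       1300 ?    00:00:00 httpd'
PS_BAD='LABEL                            PID TTY      TIME CMD
system_u:system_r:unconfined_t  1234 ?    00:00:01 mysqld'
LS_GOOD='srwxrwxrwx mysql mysql system_u:object_r:mysqld_var_run_t /var/lib/mysql/mysql.sock'
LS_BAD='srwxrwxrwx mysql mysql system_u:object_r:var_lib_t /var/lib/mysql/mysql.sock'

# Live use (socket path is an assumption; check your my.cnf):
#   mysqld_confined "$(ps -eZ)" && socket_labeled "$(ls -Z /var/lib/mysql/mysql.sock)"
```

If both checks pass and httpd still cannot connect, the missing rules are the httpd_t counterpart of the `user_db_connect` block in MYSQLD.te (sock_file write on mysqld_var_run_t plus can_unix_connect(httpd_t, mysqld_t)), which confines the exposure to the mysqld_t domain instead of an unconfined process.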