vsftpd using mysql

Daniel J Walsh dwalsh at redhat.com
Tue Feb 10 17:12:17 UTC 2009


Paul Howarth wrote:
> Daniel J Walsh wrote:
>> Paul Howarth wrote:
>>> Daniel J Walsh wrote:
>>>> Maria Iano wrote:
>>>>> My vsftpd server needs to talk to my mysql server, and is being
>>>>> denied.
>>>>> Before I use audit2allow to make special rules I wanted to ask whether
>>>>> there is a boolean out there that I am missing. Here is what
>>>>> audit2allow
>>>>> gives me:
>>>>>
>>>>> allow ftpd_t mysqld_db_t:dir search;
>>>>> allow ftpd_t mysqld_t:unix_stream_socket connectto;
>>>>> allow ftpd_t mysqld_var_run_t:sock_file write;
>>>>>
>>>>> I notice there is a boolean for httpd to talk to mysql, which makes me
>>>>> think there might be one for vsftpd. Does anyone know if such a one
>>>>> exists?
>>>>>
>>>>> Thanks,
>>>>> Maria
>>>>>
>>>> Why does ftpd talk to mysqld?
>>> To use a database backend for virtual users I'd guess.
>>>
>>> http://www.niraj.info/vsftpd-mysql
>>>
>>> Paul.
>> Learn something new every day...
>>
>> Miroslav, can you add the following snippets to F9 and F10 policy?
>>
>>
>> ## <desc>
>> ## <p>
>> ## Allow ftp servers to use connect to mysql database
>> ## </p>
>> ## </desc>
>> gen_tunable(ftpd_connect_db, false)
>>
>> ## <desc>
>> ## <p>
>>
>> ....
>>
>> optional_policy(`
>>        tunable_policy(`ftpd_connect_db',`
>>                mysql_stream_connect(ftpd_t)
>>        ')
>> ')
> 
> It's not just vsftpd that can do this btw - proftpd supports postgresql
> and LDAP backends for this purpose.
> 
> Paul.

Already can connect to ldap through auth_use_sswitch.


optional_policy(`
	tunable_policy(`ftpd_connect_db',`
		mysql_stream_connect(ftpd_t)
	')
')

optional_policy(`
	tunable_policy(`ftpd_connect_db',`
		postgresql_stream_connect(ftpd_t)
	')
')

tunable_policy(`ftpd_connect_db',`
	corenet_tcp_connect_mysqld_port(ftpd_t)
	corenet_tcp_connect_postgresql_port(ftpd_t)
')

But these others should handle both local and remote databases.
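
An added example, not part of the original message or of the Fedora policy: a Python triage script that sorts AVC denials for `ftpd_t` by which policy line from the message above concerns them (UNIX-socket versus TCP access to MySQL or PostgreSQL). The log records are constructed, and matching denials to those lines by target type name is an assumption of this example.

```python
import re

# Pulls permissions, source type, target type and class out of an AVC denial.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?"
    r"scontext=[^:]+:[^:]+:(?P<source>[^:\s]+)\S*\s+"
    r"tcontext=[^:]+:[^:]+:(?P<target>[^:\s]+)\S*\s+"
    r"tclass=(?P<tclass>\w+)")
# Assumption of this example: denials are matched to the thread's policy lines
# by target type name only, not by expanding the interfaces themselves.
LOCAL_CLASSES = {"dir", "sock_file", "unix_stream_socket"}
LOCAL = {"mysqld_": "mysql_stream_connect(ftpd_t)",
         "postgresql_": "postgresql_stream_connect(ftpd_t)"}
REMOTE = {"mysqld_port_t": "corenet_tcp_connect_mysqld_port(ftpd_t)",
          "postgresql_port_t": "corenet_tcp_connect_postgresql_port(ftpd_t)"}
# Constructed sample records (not taken from the thread).
SAMPLE_LOG = """\
type=AVC msg=audit(1234285937.101:41): avc:  denied  { search } for  pid=2101 comm="vsftpd" name="mysql" dev=dm-0 ino=1001 scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:object_r:mysqld_db_t:s0 tclass=dir
type=AVC msg=audit(1234285937.102:42): avc:  denied  { write } for  pid=2101 comm="vsftpd" name="mysql.sock" dev=dm-0 ino=1002 scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:object_r:mysqld_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1234285937.103:43): avc:  denied  { connectto } for  pid=2101 comm="vsftpd" path="/var/lib/mysql/mysql.sock" scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1234285990.104:44): avc:  denied  { name_connect } for  pid=2140 comm="vsftpd" dest=3306 scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1234286001.105:45): avc:  denied  { read } for  pid=2140 comm="vsftpd" name="shadow" dev=dm-0 ino=1003 scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
"""

def parse_avc(line):
    """Return (source, target, tclass, perms) for an AVC denial, else None."""
    m = AVC_RE.search(line)
    return (m["source"], m["target"], m["tclass"], m["perms"].split()) if m else None

def covering_rule(source, target, tclass, perms):
    """Name the policy line from the thread that concerns this denial, if any."""
    if source != "ftpd_t":
        return None
    if tclass == "tcp_socket" and "name_connect" in perms:
        return REMOTE.get(target)            # remote database over TCP
    if tclass in LOCAL_CLASSES:              # local database over a UNIX socket
        return next((r for p, r in LOCAL.items() if target.startswith(p)), None)
    return None

def triage(log_text):
    """Split denials into those the boolean concerns and those needing review."""
    covered, review = {}, []
    for denial in filter(None, map(parse_avc, log_text.splitlines())):
        rule = covering_rule(*denial)
        (covered.setdefault(rule, []) if rule else review).append(denial)
    return covered, review
```

Denials that land in the review list, such as the constructed `shadow_t` read, are unrelated to the database backend and would not be addressed by the boolean.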



