vsftpd using mysql

Paul Howarth paul at city-fan.org
Tue Feb 10 20:36:34 UTC 2009


On Tue, 10 Feb 2009 15:19:06 -0500
Maria Iano <maria at iano.org> wrote:

> 
> On Feb 10, 2009, at 11:12 AM, Daniel J Walsh wrote:
> >>>
> >>>
> >>> Maria Iano wrote:
> >>>> My vsftpd server needs to talk to my mysql server, and is being denied.
> >>>> Before I use audit2allow to make special rules I wanted to ask whether
> >>>> there is a boolean out there that I am missing. Here is what audit2allow
> >>>> gives me:
> >>>>
> >>>> allow ftpd_t mysqld_db_t:dir search;
> >>>> allow ftpd_t mysqld_t:unix_stream_socket connectto;
> >>>> allow ftpd_t mysqld_var_run_t:sock_file write;
> >>>>
> >>>> I notice there is a boolean for httpd to talk to mysql, which makes me
> >>>> think there might be one for vsftpd. Does anyone know if such a one
> >>>> exists?
> >>>>
> >>>> Thanks,
> >>>> Maria
> >>>>
> >>>
> >>> Why does ftpd talk to mysqld?
> >>
> >> To use a database backend for virtual users I'd guess.
> >>
> >> http://www.niraj.info/vsftpd-mysql
> >>
> >> Paul.
> > Learn something new every day...
> >
> > Miroslav, can you add the following snippets to F9 and F10 policy.
> >
> >
> > ## <desc>
> > ## <p>
> > ## Allow ftp servers to use connect to mysql database
> > ## </p>
> > ## </desc>
> > gen_tunable(ftpd_connect_db, false)
> >
> > ## <desc>
> > ## <p>
> >
> > ....
> >
> > optional_policy(`
> >       tunable_policy(`ftpd_connect_db',`
> >               mysql_stream_connect(ftpd_t)
> >       ')
> > ')
> >
> 
> Thank you, this will be very helpful!
> 
> I am probably revealing my ignorance here, but...
> 
> shouldn't a boolean for ftpd_connect_db allow all three of the
> things that were denied?
> 
>    allow ftpd_t mysqld_db_t:dir search;
>    allow ftpd_t mysqld_t:unix_stream_socket connectto;
>    allow ftpd_t mysqld_var_run_t:sock_file write;
> 
> Otherwise I also have to turn on either the allow_ftpd_full_access
> boolean or the ftp_home_dir boolean, both of which do more than I
> need just to talk to mysql.
> 
> I'm sure you have a good reason (too much clutter perhaps) but I am
> curious.

mysql_stream_connect(ftpd_t) expands to the following rules:

        allow ftpd_t mysqld_var_run_t:dir { getattr search };
        allow ftpd_t mysqld_var_run_t:sock_file { getattr write };
        allow ftpd_t mysqld_t:unix_stream_socket connectto;
        allow ftpd_t mysqld_db_t:dir { getattr search };
        allow ftpd_t mysqld_var_run_t:sock_file { getattr write };
        allow ftpd_t mysqld_t:unix_stream_socket connectto;

So it does what you need, and very little more. It's such a common
idiom that macros are used to simplify the rules.

Paul.
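The thread's point is that the narrow ftpd_connect_db boolean, via mysql_stream_connect(ftpd_t), already grants every rule audit2allow derived from the denials, so the much broader allow_ftpd_full_access or ftp_home_dir booleans are not needed. The script below is an added example, not code from the thread or from the Fedora policy: it derives allow rules from constructed sample AVC lines (the same way audit2allow does for the simple case) and checks each one against the rule set Paul listed for the macro. The audit lines are constructed for illustration; the getsebool/setsebool/audit2allow/semodule commands in the trailing comment are real tools but are not run here.

```shell
#!/bin/sh
# Added example: derive allow rules from AVC denials and check whether the
# rule set a boolean expands to covers all of them. Not from the thread.

# Constructed sample AVC denials matching the three rules Maria posted.
AVC_LOG='type=AVC msg=audit(1234567890.001:101): avc:  denied  { search } for  pid=2001 comm="vsftpd" name="mysql" dev=dm-0 ino=4711 scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:object_r:mysqld_db_t:s0 tclass=dir
type=AVC msg=audit(1234567890.002:102): avc:  denied  { connectto } for  pid=2001 comm="vsftpd" path="/var/lib/mysql/mysql.sock" scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1234567890.003:103): avc:  denied  { write } for  pid=2001 comm="vsftpd" name="mysql.sock" dev=dm-0 ino=4712 scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:object_r:mysqld_var_run_t:s0 tclass=sock_file'

# Rules that mysql_stream_connect(ftpd_t) expands to, as listed in Paul's
# reply, with the duplicated lines dropped and one permission per line.
BOOLEAN_RULES='allow ftpd_t mysqld_var_run_t:dir getattr;
allow ftpd_t mysqld_var_run_t:dir search;
allow ftpd_t mysqld_var_run_t:sock_file getattr;
allow ftpd_t mysqld_var_run_t:sock_file write;
allow ftpd_t mysqld_t:unix_stream_socket connectto;
allow ftpd_t mysqld_db_t:dir getattr;
allow ftpd_t mysqld_db_t:dir search;'

# avc_to_rules: read AVC lines on stdin and print one "allow" rule per denied
# permission. Source/target types come from the third field of scontext= and
# tcontext=, the class from tclass=, the permissions from the braces.
avc_to_rules() {
    awk '/avc: +denied/ {
        perms = $0
        sub(/.*denied +[{] /, "", perms)   # drop everything up to "denied  { "
        sub(/ [}].*/, "", perms)           # drop everything from " }" onwards
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) { split($i, s, ":"); src = s[3] }
            if ($i ~ /^tcontext=/) { split($i, t, ":"); tgt = t[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++)
            print "allow " src " " tgt ":" cls " " p[j] ";"
    }'
}

# uncovered_rules: print the derived rules that are NOT in the boolean's
# expansion. Empty output means the boolean alone is sufficient.
uncovered_rules() {
    printf '%s\n' "$AVC_LOG" | avc_to_rules | while IFS= read -r rule; do
        printf '%s\n' "$BOOLEAN_RULES" | grep -Fxq -- "$rule" || printf '%s\n' "$rule"
    done
}

# boolean_covers_denials: succeed when nothing is left uncovered.
boolean_covers_denials() {
    [ -z "$(uncovered_rules)" ]
}

printf 'Rules derived from the denials:\n'
printf '%s\n' "$AVC_LOG" | avc_to_rules
if boolean_covers_denials; then
    echo "ftpd_connect_db covers every denial; no broader boolean is needed."
else
    echo "Rules not covered by the boolean:"
    uncovered_rules
fi

# On a real SELinux host (not run here) the matching administrative steps are:
#   getsebool ftpd_connect_db          # does this policy version have the boolean?
#   setsebool -P ftpd_connect_db on    # enable it persistently
# Only if the policy predates the boolean, build a minimal local module from
# the denials instead of enabling allow_ftpd_full_access:
#   audit2allow -M ftpd_mysql_local < /var/log/audit/audit.log
#   semodule -i ftpd_mysql_local.pp
```

The coverage check compares exact "allow source target:class perm;" strings, so a denial for a permission the macro does not grant (say, dir write) would be printed as uncovered rather than silently passed, which is the signal to look for a different boolean or write a local module.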
