vsftpd using mysql
Paul Howarth
paul at city-fan.org
Tue Feb 10 20:36:34 UTC 2009
On Tue, 10 Feb 2009 15:19:06 -0500
Maria Iano <maria at iano.org> wrote:
>
> On Feb 10, 2009, at 11:12 AM, Daniel J Walsh wrote:
> >>>
> >>>
> >>> Maria Iano wrote:
> >>>> My vsftpd server needs to talk to my mysql server, and is being
> >>>> denied.
> >>>> Before I use audit2allow to make special rules I wanted to ask
> >>>> whether
> >>>> there is a boolean out there that I am missing. Here is what
> >>>> audit2allow
> >>>> gives me:
> >>>>
> >>>> allow ftpd_t mysqld_db_t:dir search;
> >>>> allow ftpd_t mysqld_t:unix_stream_socket connectto;
> >>>> allow ftpd_t mysqld_var_run_t:sock_file write;
> >>>>
> >>>> I notice there is a boolean for httpd to talk to mysql, which
> >>>> makes me
> >>>> think there might be one for vsftpd. Does anyone know if such a
> >>>> one exists?
> >>>>
> >>>> Thanks,
> >>>> Maria
> >>>>
> >>>
> >>> Why does ftpd talk to mysqld?
> >>
> >> To use a database backend for virtual users I'd guess.
> >>
> >> http://www.niraj.info/vsftpd-mysql
> >>
> >> Paul.
> > Learn something new every day...
> >
> > Miroslav, can you add the following snippets to F9 and F10 policy.
> >
> >
> > ## <desc>
> > ## <p>
> > ## Allow ftp servers to use connect to mysql database
> > ## </p>
> > ## </desc>
> > gen_tunable(ftpd_connect_db, false)
> >
> > ## <desc>
> > ## <p>
> >
> > ....
> >
> > optional_policy(`
> > tunable_policy(`ftpd_connect_db',`
> > mysql_stream_connect(ftpd_t)
> > ')
> > ')
> >
>
> Thank you, this will be very helpful!
>
> I am probably revealing my ignorance here, but...
>
> shouldn't a boolean for ftpd_connect_db allow all three of the
> things that were denied?:
>
> allow ftpd_t mysqld_db_t:dir search;
> allow ftpd_t mysqld_t:unix_stream_socket connectto;
> allow ftpd_t mysqld_var_run_t:sock_file write;
>
> Otherwise I also have to turn on either the allow_ftpd_full_access
> boolean or the ftp_home_dir boolean, both of which do more than I
> need just to talk to mysql.
>
> I'm sure you have a good reason (too much clutter perhaps) but I am
> curious.
mysql_stream_connect(ftpd_t) expands to the following rules:

allow ftpd_t mysqld_var_run_t:dir { getattr search };
allow ftpd_t mysqld_var_run_t:sock_file { getattr write };
allow ftpd_t mysqld_t:unix_stream_socket connectto;
allow ftpd_t mysqld_db_t:dir { getattr search };
allow ftpd_t mysqld_var_run_t:sock_file { getattr write };
allow ftpd_t mysqld_t:unix_stream_socket connectto;

So it does what you need, and very little more. It's such a common
idiom that macros are used to simplify the rules.

Paul.
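One way to confirm Paul's answer mechanically, as an added example that is not part of the original thread: parse the audit2allow rules Maria posted and the expansion of mysql_stream_connect(ftpd_t) that Paul listed, then report any (source, target, class, permission) the expansion does not grant. The small allow-rule parser is a hypothetical helper written for this example, not an SELinux tool.

```python
"""Check that one set of SELinux allow rules (audit2allow output) is covered
by another (an interface expansion). Only plain 'allow' rules are parsed."""
import re
from collections import defaultdict

ALLOW_RE = re.compile(
    r"^\s*allow\s+(\S+)\s+(\S+):(\S+)\s+(\{[^}]*\}|\S+)\s*;\s*$")


def parse_allow_rules(text):
    """Map (source, target, class) -> set of permissions for each allow rule."""
    rules = defaultdict(set)
    for line in text.splitlines():
        if not line.strip():
            continue
        m = ALLOW_RE.match(line)
        if not m:
            raise ValueError("unsupported rule: %r" % line)
        src, tgt, cls, perms = m.groups()
        rules[(src, tgt, cls)].update(perms.strip("{} ").split())
    return rules


def uncovered(needed, granted):
    """Return (src, tgt, cls, perm) tuples in `needed` that `granted` lacks."""
    missing = []
    for key, perms in needed.items():
        for perm in sorted(perms - granted.get(key, set())):
            missing.append(key + (perm,))
    return missing


# audit2allow output from Maria's denials, as quoted in the thread
NEEDED = """
allow ftpd_t mysqld_db_t:dir search;
allow ftpd_t mysqld_t:unix_stream_socket connectto;
allow ftpd_t mysqld_var_run_t:sock_file write;
"""

# expansion of mysql_stream_connect(ftpd_t) as Paul lists it
MYSQL_STREAM_CONNECT = """
allow ftpd_t mysqld_var_run_t:dir { getattr search };
allow ftpd_t mysqld_var_run_t:sock_file { getattr write };
allow ftpd_t mysqld_t:unix_stream_socket connectto;
allow ftpd_t mysqld_db_t:dir { getattr search };
"""


def check_ftpd_connect_db():
    """True when the interface expansion grants every denied permission."""
    return uncovered(parse_allow_rules(NEEDED),
                     parse_allow_rules(MYSQL_STREAM_CONNECT)) == []
```

Running the same check against a broader rule set (for instance the rules behind allow_ftpd_full_access) would show the extra permissions that boolean grants beyond what the mysql connection needs.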