vsftpd using mysql
Maria Iano
maria at iano.org
Tue Feb 10 20:19:06 UTC 2009
On Feb 10, 2009, at 11:12 AM, Daniel J Walsh wrote:
>>>
>>>
>>> Maria Iano wrote:
>>>> My vsftpd server needs to talk to my mysql server, and is being
>>>> denied.
>>>> Before I use audit2allow to make special rules I wanted to ask
>>>> whether
>>>> there is a boolean out there that I am missing. Here is what
>>>> audit2allow
>>>> gives me:
>>>>
>>>> allow ftpd_t mysqld_db_t:dir search;
>>>> allow ftpd_t mysqld_t:unix_stream_socket connectto;
>>>> allow ftpd_t mysqld_var_run_t:sock_file write;
>>>>
>>>> I notice there is a boolean for httpd to talk to mysql, which
>>>> makes me
>>>> think there might be one for vsftpd. Does anyone know if such a one
>>>> exists?
>>>>
>>>> Thanks,
>>>> Maria
>>>>
>>>
>>> Why does ftpd talk to mysqld?
>>
>> To use a database backend for virtual users I'd guess.
>>
>> http://www.niraj.info/vsftpd-mysql
>>
>> Paul.
> Learn something new every day...
>
> Miroslav, can you add the following snippets to F9 and F10 policy.
>
>
> ## <desc>
> ## <p>
> ## Allow ftp servers to connect to mysql database
> ## </p>
> ## </desc>
> gen_tunable(ftpd_connect_db, false)
>
> ## <desc>
> ## <p>
>
> ....
>
> optional_policy(`
> tunable_policy(`ftpd_connect_db',`
> mysql_stream_connect(ftpd_t)
> ')
> ')
>
Thank you, this will be very helpful!
I am probably revealing my ignorance here, but...
shouldn't a boolean for ftpd_connect_db allow all three of the things
that were denied?
allow ftpd_t mysqld_db_t:dir search;
allow ftpd_t mysqld_t:unix_stream_socket connectto;
allow ftpd_t mysqld_var_run_t:sock_file write;
Otherwise I also have to turn on either the allow_ftpd_full_access
boolean or the ftp_home_dir boolean, both of which do more than I need
just to talk to mysql.
I'm sure you have a good reason (too much clutter perhaps) but I am
curious.
Thanks,
Maria
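As an added example (not from the thread or from the Fedora policy itself), the script below models how refpolicy's stream_connect_pattern macro expands and checks the three audit2allow rules quoted above against that expansion. It assumes that mysql_stream_connect() wraps stream_connect_pattern(domain, { mysqld_db_t mysqld_var_run_t }, mysqld_var_run_t, mysqld_t) and that the permission-set contents below match refpolicy's definitions.

```python
# Added example. ASSUMPTION: mysql_stream_connect() expands to refpolicy's
# stream_connect_pattern, i.e. dir search + sock_file write + connectto.
import re

# Permission sets (assumed to match refpolicy's obj_perm_sets.spt).
SEARCH_DIR_PERMS = {"getattr", "search", "open"}
WRITE_SOCK_FILE_PERMS = {"getattr", "write", "open", "append"}

def stream_connect_pattern(domain, dir_types, sock_type, server_type):
    """Expand the macro into (src, tgt, class, perms) rules."""
    rules = [(domain, t, "dir", SEARCH_DIR_PERMS) for t in dir_types]
    rules.append((domain, sock_type, "sock_file", WRITE_SOCK_FILE_PERMS))
    rules.append((domain, server_type, "unix_stream_socket", {"connectto"}))
    return rules

def mysql_stream_connect(domain):
    """Assumed body of the refpolicy mysql.if interface."""
    return stream_connect_pattern(domain, ["mysqld_db_t", "mysqld_var_run_t"],
                                  "mysqld_var_run_t", "mysqld_t")

RULE_RE = re.compile(r"allow\s+(\w+)\s+(\w+):(\w+)\s+(?:\{([^}]*)\}|(\w+))\s*;")

def parse_allow_rules(text):
    """Parse audit2allow-style 'allow src tgt:class perm;' lines."""
    rules = []
    for m in RULE_RE.finditer(text):
        perms = set((m.group(4) or m.group(5)).split())
        rules.append((m.group(1), m.group(2), m.group(3), perms))
    return rules

def uncovered(denials, granted):
    """Denied (src, tgt, class, perms) tuples not fully covered by granted."""
    missing = []
    for src, tgt, cls, perms in denials:
        have = set()
        for gsrc, gtgt, gcls, gperms in granted:
            if (gsrc, gtgt, gcls) == (src, tgt, cls):
                have |= gperms
        if not perms <= have:
            missing.append((src, tgt, cls, perms - have))
    return missing

# The three rules audit2allow printed in the thread.
AUDIT2ALLOW_OUTPUT = """
allow ftpd_t mysqld_db_t:dir search;
allow ftpd_t mysqld_t:unix_stream_socket connectto;
allow ftpd_t mysqld_var_run_t:sock_file write;
"""
```

With these assumptions, uncovered(parse_allow_rules(AUDIT2ALLOW_OUTPUT), mysql_stream_connect("ftpd_t")) returns an empty list, which is why one interface call inside the tunable is enough for all three denials; any extra denial (say, a read on mysqld_db_t) shows up as a remaining gap.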