PHP cannot connect to mysql server

Daniel J Walsh dwalsh at redhat.com
Wed Nov 10 16:30:49 UTC 2004


dragoran wrote:

> Stephen Smalley schrieb:
>
>> On Wed, 2004-11-10 at 11:05, dragoran wrote:
>>
>>>   * echo "allow httpd_t var_lib_t:sock_file rw_socket_perms;" >
>>>     domains/program/httpd_socket.te
>>
>> Yes, that instruction was incorrect.  Two different objects for a Unix
>> domain socket: the file that is used to "name" it, and the socket
>> itself.  So you need something like:
>>
>> allow httpd_t var_lib_t:sock_file rw_file_perms;
>> can_unix_send(httpd_t, unconfined_t)
>> can_unix_connect(httpd_t, unconfined_t)
>>
>> The first line allows it to access the file object, while the latter two
>> lines allow the inter-process communication between httpd and the mysqld
>> (which is running unconfined by default in the targeted policy).  The
>> obvious problem with this approach is that an exploit of a flaw in your
>> httpd can now reach an unconfined process, possibly subverting it and
>> thus gaining full access to the system.  Better to add a separate domain
>> for mysqld.
>>
> And how can I add a separate domain for mysqld? Sorry, I am new to
> SELinux...
>

Follow the first part of my original reply.
You can try to use it by doing the following;
MYSQLD.te is the attached file.

   * Install selinux-policy-targeted-sources.
   * yum install selinux-policy-targeted-sources
   * cd /etc/selinux/targeted/src/policy
   * cp MYSQLD.te domains/program/
   * make load
   * rpm -q -l mysql | restorecon -R -f -
   * service mysql restart
Attachment (scrubbed by the list archiver): mysqld.te
URL: <http://listman.redhat.com/archives/fedora-selinux-list/attachments/20041110/b135f594/attachment.ksh>
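Added example, not the MYSQLD.te attached to the mail above: a sketch of what a separate mysqld domain looks like in the FC3-era targeted policy sources (the macro-based policy under /etc/selinux/targeted/src/policy, not reference policy). The macro names (daemon_domain, r_dir_file, create_dir_file, file_type_auto_trans, can_unix_connect, can_network) and the type names are assumptions about that policy tree, and the port type is assumed to be assigned to 3306 in net_contexts.

```selinux
# Illustrative mysqld domain for the 2004 targeted policy sources.
# Added example; macro and type names are assumptions, see lead-in.

# daemon_domain() defines mysqld_t (the domain), mysqld_exec_t (the
# entry point, for /usr/libexec/mysqld) and mysqld_var_run_t (pid dir).
daemon_domain(mysqld)

# Private types for configuration and for the database files, so that
# /var/lib/mysql stops being generic var_lib_t.
type mysqld_etc_t, file_type, sysadmfile;
type mysqld_db_t, file_type, sysadmfile;

# TCP listener; the port number itself is labelled in net_contexts.
type mysqld_port_t, port_type;
allow mysqld_t mysqld_port_t:tcp_socket name_bind;
can_network(mysqld_t)

# Read its config, create and rewrite the database directory tree.
r_dir_file(mysqld_t, mysqld_etc_t)
create_dir_file(mysqld_t, mysqld_db_t)

# The Unix domain socket is created under /var/lib/mysql; label it
# mysqld_db_t at creation instead of inheriting var_lib_t.
file_type_auto_trans(mysqld_t, var_lib_t, mysqld_db_t, sock_file)
allow mysqld_t self:unix_stream_socket create_stream_socket_perms;
allow mysqld_t self:capability { dac_override setgid setuid };

# What httpd_t gets is limited to this domain: the socket file object
# plus connectto on mysqld_t's stream socket. Unlike the earlier
# can_unix_connect(httpd_t, unconfined_t), a compromised httpd reaches
# only mysqld_t, which is itself confined by the rules above.
allow httpd_t mysqld_db_t:sock_file rw_file_perms;
can_unix_connect(httpd_t, mysqld_t)
```

After `make load`, the relabel step in the list above is what moves the existing /var/lib/mysql files from var_lib_t to the new types; until then the new rules do not match anything on disk.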