PHP cannot connect to mysql server

Daniel J Walsh dwalsh at redhat.com
Wed Nov 10 16:17:59 UTC 2004


dragoran wrote:

> Daniel J Walsh schrieb:
>
>> dragoran wrote:
>>
>>> I am running FC3 with selinux on targeted policy. When PHP tries to 
>>> connect to the mysql server I get these messages in dmesg:
>>> sbin/httpd name=mysql.sock dev=hda3 ino=309535 
>>> scontext=user_u:system_r:httpd_t tcontext=user_u:object_r:var_lib_t 
>>> tclass=sock_file
>>> Disabling SELinux for Apache fixes this, but I want to run httpd with 
>>> selinux.
>>> So how can I fix this?
>>>
>>> -- 
>>> fedora-selinux-list mailing list
>>> fedora-selinux-list at redhat.com
>>> http://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>
>>
>>
>>
>> A couple of things to try.
>>
>> I am thinking of adding mysqld.te file to targeted policy.  (attached)
>>
>> You can try to use it by doing the following
>>
>>    * Install selinux-policy-targeted-sources.
>>    * yum install selinux-policy-targeted-sources
>>    * cd /etc/selinux/targeted/src/policy
>>    * cp MYSQLD.te domains/program/
>>    * make load
>>    * rpm -q -l mysql | restorecon -R -f -
>>    * service mysql restart
>>
>> Or you can just add the ability to write to sock_files in var lib.
>>
>>    * Install selinux-policy-targeted-sources.
>>    * yum install selinux-policy-targeted-sources
>>    * cd /etc/selinux/targeted/src/policy
>>    * echo "allow httpd_t var_lib_t:sock_file rw_socket_perms;" >
>>      domains/program/httpd_socket.te
>>    * make load
>>
>> ------------------------------------------------------------------------
>>
>> #DESC Mysqld - Database server
>> #
>> # Author:  Russell Coker <russell at coker.com.au>
>> # X-Debian-Packages: mysql-server
>> #
>>
>> #################################
>> #
>> # Rules for the mysqld_t domain.
>> #
>> # mysqld_exec_t is the type of the mysqld executable.
>> #
>> daemon_domain(mysqld)
>>
>> type mysqld_port_t, port_type;
>> allow mysqld_t mysqld_port_t:tcp_socket name_bind;
>>
>> allow mysqld_t mysqld_var_run_t:sock_file create_file_perms;
>>
>> etcdir_domain(mysqld)
>> typealias mysqld_etc_t alias etc_mysqld_t;
>> type mysqld_db_t, file_type, sysadmfile;
>>
>> log_domain(mysqld)
>>
>> # for temporary tables
>> tmp_domain(mysqld)
>>
>> allow mysqld_t usr_t:file { getattr read };
>>
>> allow mysqld_t self:fifo_file { read write };
>> allow mysqld_t self:unix_stream_socket create_stream_socket_perms;
>> allow initrc_t mysqld_t:unix_stream_socket connectto;
>> allow initrc_t mysqld_var_run_t:sock_file write;
>>
>> allow initrc_t mysqld_log_t:file { write append setattr ioctl };
>>
>> allow mysqld_t self:capability { dac_override setgid setuid };
>> allow mysqld_t self:process getsched;
>>
>> allow mysqld_t proc_t:file { getattr read };
>>
>> # Allow access to the mysqld databases
>> create_dir_file(mysqld_t, mysqld_db_t)
>> allow mysqld_t var_lib_t:dir { getattr search };
>>
>> can_network(mysqld_t)
>> can_ypbind(mysqld_t)
>>
>> # read config files
>> r_dir_file(initrc_t, mysqld_etc_t)
>> allow mysqld_t { etc_t etc_runtime_t }:{ file lnk_file } { read 
>> getattr };
>>
>> allow mysqld_t etc_t:dir search;
>>
>> allow mysqld_t sysctl_kernel_t:dir search;
>> allow mysqld_t sysctl_kernel_t:file read;
>>
>> can_unix_connect(sysadm_t, mysqld_t)
>>
>> # for /root/.my.cnf - should not be needed
>> allow mysqld_t sysadm_home_dir_t:dir search;
>> allow mysqld_t sysadm_home_t:file { read getattr };
>>
>> ifdef(`logrotate.te', `
>> r_dir_file(logrotate_t, mysqld_etc_t)
>> allow logrotate_t mysqld_db_t:dir search;
>> allow logrotate_t mysqld_var_run_t:dir search;
>> allow logrotate_t mysqld_var_run_t:sock_file write;
>> can_unix_connect(logrotate_t, mysqld_t)
>> ')
>>
>> ifdef(`user_db_connect', `
>> allow userdomain mysqld_var_run_t:dir search;
>> allow userdomain mysqld_var_run_t:sock_file write;
>> ')
>>
>> ifdef(`daemontools.te', `
>> domain_auto_trans( svc_run_t, mysqld_exec_t, mysqld_t)
>> allow svc_start_t mysqld_t:process signal;
>> svc_ipc_domain(mysqld_t)
>> ')dnl end ifdef daemontools
>>
>> ifdef(`distro_redhat', `
>> allow initrc_t mysqld_db_t:dir create_dir_perms;
>>
>> # because Fedora has the sock_file in the database directory
>> file_type_auto_trans(mysqld_t, mysqld_db_t, mysqld_var_run_t, sock_file)
>> ')
>>  
>>
>> ------------------------------------------------------------------------
>>
>>
> I tried this:
> Or you can just add the ability to write to sock_files in var lib.
>
>   * Install selinux-policy-targeted-sources.
>   * yum install selinux-policy-targeted-sources
>   * cd /etc/selinux/targeted/src/policy
>   * echo "allow httpd_t var_lib_t:sock_file rw_socket_perms;" >
>     domains/program/httpd_socket.te

Sorry make that rw_file_perms;

>   * make load
> but I get this when executing make load:
> domains/program/httpd_socket.te:2:ERROR 'permission bind is not 
> defined for class sock_file' at token ';' on line 8239:
> allow httpd_t var_lib_t:sock_file  { ioctl read getattr write setattr 
> append bind connect getopt setopt shutdown };
> #line 1 "domains/program/httpd_socket.te"
> domains/program/httpd_socket.te:2:ERROR 'permission connect is not 
> defined for class sock_file' at token ';' on line 8239:
> allow httpd_t var_lib_t:sock_file  { ioctl read getattr write setattr 
> append bind connect getopt setopt shutdown };
> #line 1 "domains/program/httpd_socket.te"
> domains/program/httpd_socket.te:2:ERROR 'permission getopt is not 
> defined for class sock_file' at token ';' on line 8239:
> allow httpd_t var_lib_t:sock_file  { ioctl read getattr write setattr 
> append bind connect getopt setopt shutdown };
> #line 1 "domains/program/httpd_socket.te"
> domains/program/httpd_socket.te:2:ERROR 'permission setopt is not 
> defined for class sock_file' at token ';' on line 8239:
> allow httpd_t var_lib_t:sock_file  { ioctl read getattr write setattr 
> append bind connect getopt setopt shutdown };
> #line 1 "domains/program/httpd_socket.te"
> domains/program/httpd_socket.te:2:ERROR 'permission shutdown is not 
> defined for class sock_file' at token ';' on line 8239:
> allow httpd_t var_lib_t:sock_file  { ioctl read getattr write setattr 
> append bind connect getopt setopt shutdown };
> #line 1 "domains/program/httpd_socket.te"
> security:  3 users, 4 roles, 280 types, 16 bools
> security:  53 classes, 5495 rules
> /usr/bin/checkpolicy:  error(s) encountered while parsing configuration
> make: *** [/etc/selinux/targeted/policy/policy.18] Fehler 1
>
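The checkpolicy errors above are a macro-expansion problem: rw_socket_perms expands to a set that includes socket-only permissions (bind, connect, getopt, setopt, shutdown), while the sock_file class only carries the common file permissions, which is why rw_file_perms is the right macro. The script below is an added example, not code from the thread or from the Fedora policy; the macro bodies are copied from the FC3-era example-policy core_macros (the first matches the expansion in the error output above), and the sock_file permission set is assumed to be exactly the "common file" set.

```python
# Added example: report which permissions in an SELinux allow rule
# checkpolicy would reject for the rule's object class.
import re

# Assumption: sock_file inherits only the "common file" permissions of the
# FC3-era access_vectors file; socket-only permissions are not defined for it.
COMMON_FILE_PERMS = {
    "ioctl", "read", "write", "create", "getattr", "setattr", "lock",
    "relabelfrom", "relabelto", "append", "unlink", "link", "rename",
    "execute", "swapon", "quotaon", "mounton",
}
CLASS_PERMS = {"sock_file": COMMON_FILE_PERMS}

# Macro bodies as in the example-policy macros/core_macros.te of that era.
MACROS = {
    "rw_socket_perms": "{ ioctl read getattr write setattr append "
                       "bind connect getopt setopt shutdown }",
    "rw_file_perms": "{ ioctl read getattr lock write append }",
}

# allow <source> <target>:<class> <macro-or-brace-set>;
RULE_RE = re.compile(r"^allow\s+(\w+)\s+(\w+):(\w+)\s+(\{[^}]*\}|\w+)\s*;$")


def expand(perms):
    """Expand a macro name or a literal { ... } set into permission names."""
    body = MACROS.get(perms, perms)
    return set(body.strip("{} ").split())


def invalid_perms(rule):
    """Return the permissions in `rule` that are undefined for its class."""
    m = RULE_RE.match(rule.strip())
    if not m:
        raise ValueError("not an allow rule: %r" % rule)
    _src, _tgt, tclass, perms = m.groups()
    if tclass not in CLASS_PERMS:
        raise ValueError("unknown class: " + tclass)
    return sorted(expand(perms) - CLASS_PERMS[tclass])


if __name__ == "__main__":
    # The rule from the thread, before and after Daniel's correction.
    for rule in ("allow httpd_t var_lib_t:sock_file rw_socket_perms;",
                 "allow httpd_t var_lib_t:sock_file rw_file_perms;"):
        bad = invalid_perms(rule)
        print(rule, "->", "rejected: " + " ".join(bad) if bad else "ok")
```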
