Bug 164867

Summary: SELinux policy prevents making connection to external mysql servers
Product: [Fedora] Fedora
Reporter: Ian Neubert <ian>
Component: php
Assignee: Joe Orton <jorton>
Status: CLOSED NOTABUG
QA Contact: David Lawrence <dkl>
Severity: low
Priority: medium
Version: 4
Keywords: SELinux
Hardware: i386
OS: Linux
Doc Type: Bug Fix
Last Closed: 2005-08-02 07:58:05 UTC

Description Ian Neubert 2005-08-02 01:56:41 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.7.8) Gecko/20050516 Firefox/1.0.4

Description of problem:
The SELinux policies set by default with php-mysql-5.0.4-10.3 and httpd-2.0.54-10 prevent the mysql_connect() function from connecting to MySQL servers external to the local machine. They may also prevent connecting to local MySQL servers, but I did not test that personally.

For a related issue see:
http://forums.fedoraforum.org/forum/showthread.php?t=65245

Having some more info on how to fix this would be great, or just enabling it by default would be best (at least for me :)

Version-Release number of selected component (if applicable):
php-mysql-5.0.4-10.3

How reproducible:
Always

Steps to Reproduce:
1. yum install php-mysql
2. Create a php script that calls a remote mysql server with mysql_connect()
3. Run the script; php will not be able to connect to MySQL

Actual Results: /var/log/audit/audit.log

type=AVC msg=audit(1122944817.122:710173): avc:  denied  { name_connect } for  pid=3146 comm="httpd" dest=3306 scontext=root:system_r:httpd_t tcontext=system_u:object_r:mysqld_port_t tclass=tcp_socket
type=SYSCALL msg=audit(1122944817.122:710173): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bf7ffb60 a2=35c43b0 a3=2 items=0 pid=3146 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 comm="httpd" exe="/usr/sbin/httpd"
type=SOCKADDR msg=audit(1122944817.122:710173): saddr=02000CEA4519E8770000000000000000
type=SOCKETCALL msg=audit(1122944817.122:710173): nargs=3 a0=d a1=bf800d44 a2=10

Expected Results: This should have worked correctly.

Additional info:

To make it work I added the SELinux policy in /etc/selinux/targeted/src/policy/domains/misc/local.te like so:

allow httpd_t mysqld_port_t:tcp_socket { name_connect };

Comment 1 Joe Orton 2005-08-02 07:58:05 UTC
This is due to the SELinux policy, which prevents httpd processes from
making outgoing network connections by default.  The
httpd_can_network_connect boolean can be used to change this
behaviour; to allow connections:

  setsebool httpd_can_network_connect=1

passing the -P argument to set the boolean permanently (across
reboots).

For further information on SELinux/Apache integration in Fedora Core,
please see: http://fedora.redhat.com/docs/selinux-apache-fc3/

For general information on SELinux in Fedora Core, please see:
http://fedora.redhat.com/docs/selinux-faq-fc3/