Bug 182346

Summary: selinux stops httpd from accessing external databases
Product: Fedora
Reporter: Nathaniel McCallum <npmccallum>
Component: selinux-policy-targeted
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: medium
Version: rawhide
Hardware: All
OS: Linux
Fixed In Version: 2.2.19-2
Doc Type: Bug Fix
Last Closed: 2006-05-05 14:54:56 UTC

Description Nathaniel McCallum 2006-02-21 22:34:26 UTC
Description of problem:
If you load a program like Drupal, Joomla, WordPress, etc. and set them to use a
database server that is outside of the current httpd server (i.e. on a different
IP address), SELinux denies access.

Steps to Reproduce:
1. Set up a database server (192.168.1.1)
2. Set up a web server (192.168.1.2)
3. Set up WordPress, configured to use the database server
4. Try to log on to WordPress
  
Actual results:
"Cannot establish connection with database."

Expected results:
Works.

Additional info:
A workaround is to disable SELinux.  However, this is (obviously) not desirable.

From the logs:
type=AVC msg=audit(1140484860.955:12): avc:  denied  { name_connect } for  pid=808 comm="httpd" dest=3306 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1140484860.955:12): arch=40000003 syscall=102 success=no exit=-115 a0=3 a1=bfef4c30 a2=16bc0a0 a3=2 items=0 pid=808 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 comm="httpd" exe="/usr/sbin/httpd"
type=SOCKADDR msg=audit(1140484860.955:12): saddr=02000CEA40BFB45D0000000000000000
type=SOCKETCALL msg=audit(1140484860.955:12): nargs=3 a0=d a1=bfef5638 a2=10
type=AVC msg=audit(1140484904.278:13): avc:  denied  { entrypoint } for  pid=820 comm="httpd" name="bash" dev=xvda1 ino=10780706 scontext=root:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1140484904.278:13): avc:  denied  { read } for  pid=820 comm="sh" name="[2281]" dev=eventpollfs ino=2281 scontext=root:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:eventpollfs_t:s0 tclass=file
type=SYSCALL msg=audit(1140484904.278:13): arch=40000003 syscall=11 success=yes exit=0 a0=549017 a1=bfef599c a2=bfefa9bc a3=400 items=2 pid=820 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 comm="sh" exe="/bin/bash"
type=AVC_PATH msg=audit(1140484904.278:13):  path="eventpoll:[2281]"
type=AVC_PATH msg=audit(1140484904.278:13):  path="/bin/bash"
type=CWD msg=audit(1140484904.278:13): cwd="/home/shokanwesleyan/public_html/wp-admin"
type=PATH msg=audit(1140484904.278:13): item=0 name="/bin/sh" flags=101 inode=10780706 dev=ca:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1140484904.278:13): item=1 flags=101  inode=5211418 dev=ca:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1140484919.179:14): avc:  denied  { name_connect } for  pid=813 comm="httpd" dest=3306 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1140484919.179:14): arch=40000003 syscall=102 success=no exit=-115 a0=3 a1=bfef3710 a2=16bc0a0 a3=2 items=0 pid=813 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 comm="httpd" exe="/usr/sbin/httpd"
type=SOCKADDR msg=audit(1140484919.179:14): saddr=02000CEA40BFB45D0000000000000000
type=SOCKETCALL msg=audit(1140484919.179:14): nargs=3 a0=d a1=bfef4118 a2=10
type=AVC msg=audit(1140484929.367:15): avc:  denied  { name_connect } for  pid=809 comm="httpd" dest=80 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1140484929.367:15): arch=40000003 syscall=102 success=no exit=-115 a0=3 a1=bfef4fb0 a2=1208858 a3=97f4f0c items=0 pid=809 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 comm="httpd" exe="/usr/sbin/httpd"
type=SOCKADDR msg=audit(1140484929.367:15): saddr=02000050D1EDE2ED0000000000000000
type=SOCKETCALL msg=audit(1140484929.367:15): nargs=3 a0=e a1=97f4f0c a2=10

Comment 1 Daniel Walsh 2006-02-21 22:54:58 UTC
First try to turn on these booleans

setsebool -P httpd_can_network_connect_db=1 httpd_can_network_connect=1

That should allow the httpd to connect to other machines.
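
The triage behind Comment 1 (find the httpd name_connect denials, then enable only the boolean that covers them) can be done mechanically. The script below is an added example, not code from the bug report or from selinux-policy-targeted. It assumes the targeted-policy mapping that Comment 1 relies on for mysqld_port_t: database port types are permitted by httpd_can_network_connect_db, while any other port type (the dest=80 / http_port_t denial in the report, for instance) needs the far broader httpd_can_network_connect, which lets httpd_t connect to every TCP port; treating postgresql_port_t like mysqld_port_t is an assumption beyond what the report shows. The audit records are constructed from the ones in the report, the source-domain match assumes an MCS level suffix (":s0") as in those records, and the setsebool command is printed rather than run so the script works without root.

```shell
#!/usr/bin/env bash
# Added example: triage httpd AVC name_connect denials and suggest the
# narrowest SELinux boolean(s) that would permit them. Not code from the
# bug report or from selinux-policy-targeted.

# Constructed sample records, modelled on the AVC lines in the report.
SAMPLE_AUDIT_LOG='type=AVC msg=audit(1140484860.955:12): avc:  denied  { name_connect } for  pid=808 comm="httpd" dest=3306 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1140484904.278:13): avc:  denied  { entrypoint } for  pid=820 comm="httpd" name="bash" dev=xvda1 ino=10780706 scontext=root:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1140484929.367:15): avc:  denied  { name_connect } for  pid=809 comm="httpd" dest=80 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket'

# Map a destination port type to the boolean that lets httpd_t connect to it.
# Assumption: database port types (mysqld_port_t as in Comment 1; postgresql_port_t
# assumed to be treated the same) are covered by httpd_can_network_connect_db;
# everything else needs httpd_can_network_connect, which opens every TCP port
# to httpd and should only be enabled when a non-database port is actually needed.
boolean_for_port_type() {
    case "$1" in
        mysqld_port_t|postgresql_port_t) echo httpd_can_network_connect_db ;;
        *) echo httpd_can_network_connect ;;
    esac
}

# Read audit records on stdin and print "<dest port> <port type> <boolean>"
# for each name_connect denial whose source domain is httpd_t. Other denials
# (e.g. the entrypoint one on shell_exec_t) are skipped: no network boolean
# changes them, so they need separate investigation.
triage_httpd_connect_denials() {
    local line dest ptype
    while IFS= read -r line; do
        case "$line" in
            *'type=AVC'*'{ name_connect }'*'scontext='*':httpd_t:'*) ;;
            *) continue ;;
        esac
        dest=$(printf '%s\n' "$line" | sed -n 's/.* dest=\([0-9]*\).*/\1/p')
        # tcontext=user:role:TYPE[:level]; capture the third field (the port type).
        ptype=$(printf '%s\n' "$line" | sed -n 's/.*tcontext=[^: ]*:[^: ]*:\([^: ]*\).*/\1/p')
        printf '%s %s %s\n' "$dest" "$ptype" "$(boolean_for_port_type "$ptype")"
    done
}

# Read audit records on stdin and print one setsebool command enabling only
# the booleans the denials actually need (-P makes the change persistent).
# Returns 1 when no httpd name_connect denial was found, so nothing is suggested.
suggest_setsebool() {
    local bools
    bools=$(triage_httpd_connect_denials | awk '{ print $3 }' | sort -u \
            | awk '{ printf "%s=1 ", $1 }')
    bools=${bools% }
    [ -n "$bools" ] || return 1
    printf 'setsebool -P %s\n' "$bools"
}

# Stand-alone run over the constructed sample; on a real host feed it
# `ausearch -m avc -c httpd` output or /var/log/audit/audit.log instead.
printf '%s\n' "$SAMPLE_AUDIT_LOG" | suggest_setsebool
```

With only the mysqld_port_t records (the reporter's actual WordPress case) the script suggests just httpd_can_network_connect_db; the broader httpd_can_network_connect appears only because the sample also contains the dest=80 denial, which is the least-privilege reason for triaging per port type rather than enabling both booleans by reflex.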



Comment 2 Daniel Walsh 2006-02-22 00:03:59 UTC
Fixed in 2.2.19-2

Comment 3 Nathaniel McCallum 2006-02-22 20:16:16 UTC
Works great!  Thanks for such a quick fix!