Bug 1283396 - SELinux is preventing httpd from 'name_connect' accesses on the tcp_socket port 3306.
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
Version: 23
Hardware: x86_64
OS: Unspecified
Priority: unspecified
Severity: unspecified
Assigned To: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Whiteboard: abrt_hash:f55faa448aa60c909e2400fdb28...
Reported: 2015-11-18 16:12 EST by Sam
Modified: 2016-04-11 16:16 EDT (History)

Doc Type: Bug Fix
Last Closed: 2015-11-20 09:26:22 EST
Description Sam 2015-11-18 16:12:35 EST
Description of problem:
SELinux is preventing httpd from 'name_connect' accesses on the tcp_socket port 3306.

*****  Plugin catchall_boolean (47.5 confidence) suggests   ******************

If you want to allow httpd to network connect
Then you must tell SELinux about this by enabling the 'httpd_can_network_connect' boolean.
You can read the 'None' man page for more details.
Do
setsebool -P httpd_can_network_connect 1

*****  Plugin catchall_boolean (47.5 confidence) suggests   ******************

If you want to allow httpd to network connect db
Then you must tell SELinux about this by enabling the 'httpd_can_network_connect_db' boolean.
You can read the 'None' man page for more details.
Do
setsebool -P httpd_can_network_connect_db 1

*****  Plugin catchall (6.38 confidence) suggests   **************************

If you believe that httpd should be allowed name_connect access on port 3306 tcp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep httpd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                system_u:object_r:mysqld_port_t:s0
Target Objects                port 3306 [ tcp_socket ]
Source                        httpd
Source Path                   httpd
Port                          3306
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-154.fc23.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.2.5-300.fc23.x86_64 #1 SMP Tue
                              Oct 27 04:29:56 UTC 2015 x86_64 x86_64
Alert Count                   1
First Seen                    2015-11-18 15:10:49 CST
Last Seen                     2015-11-18 15:10:49 CST
Local ID                      7559100b-e08f-459b-8fa5-fdb8b52d4aae

Raw Audit Messages
type=AVC msg=audit(1447881049.531:998): avc:  denied  { name_connect } for  pid=24933 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0


Hash: httpd,httpd_t,mysqld_port_t,tcp_socket,name_connect

Version-Release number of selected component:
selinux-policy-3.13.1-154.fc23.noarch

Additional info:
reporter:       libreport-2.6.3
hashmarkername: setroubleshoot
kernel:         4.2.5-300.fc23.x86_64
type:           libreport

Potential duplicate: bug 872624
Comment 1 Milos Malik 2015-11-19 09:21:27 EST
Does the scenario work as expected when you enable the httpd_can_network_connect_db boolean?
Comment 2 Miroslav Grepl 2015-11-20 09:27:36 EST
Yes, it should work with

# setsebool -P httpd_can_network_connect_db 1

If not, please reopen the bug. Thank you.
Comment 3 Pratik 2016-04-08 05:56:30 EDT
Description of problem:
I am not sure what caused this problem.
But this alert occurred as soon as I finished setting up LAMP.
This is what I was doing before the alert:
1. sudo dnf update
2. dnf install httpd (then I enabled httpd service)
3. dnf install php php-mysql
4. dnf install mariadb-server (enabled mariadb)
5. mysql_secure_installation
6. sudo systemctl restart httpd.service

After this setup I was trying to connect to the mysql database on localhost in my web project and I think that triggered this error. It could be a firewall issue as well.

Version-Release number of selected component:
selinux-policy-3.13.1-158.12.fc23.noarch

Additional info:
reporter:       libreport-2.6.4
hashmarkername: setroubleshoot
kernel:         4.4.6-300.fc23.x86_64
type:           libreport
Comment 4 Daniel Walsh 2016-04-11 16:16:37 EDT
We don't allow apache services to connect to random ports by default. If you setup an apache service that needs to connect to database ports, the sealert/setroubleshoot tells you how to fix.

If you want to allow httpd to network connect db
Then you must tell SELinux about this by enabling the 'httpd_can_network_connect_db' boolean.
You can read the 'None' man page for more details.
Do
setsebool -P httpd_can_network_connect_db 1

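As an added example (not from this bug report or from selinux-policy), a small POSIX shell helper that classifies an AVC line like the one in the report and names the narrowest boolean that would allow it, preferring httpd_can_network_connect_db over the broad httpd_can_network_connect. The list of database port types and the `--scan` option are assumptions; the sample AVC line is constructed to match the report.

```shell
#!/bin/sh
# Added example, not part of the bug report or of selinux-policy: map an
# httpd_t name_connect denial to the narrowest boolean that permits it.
# Constructed sample, matching the AVC in the report above.
AVC_SAMPLE='type=AVC msg=audit(1447881049.531:998): avc:  denied  { name_connect } for  pid=24933 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0'

# Print the preferred boolean for one AVC line. Returns 1 and prints
# nothing when the line is not an httpd_t TCP name_connect denial.
suggest_boolean() {
    line=$1
    printf '%s\n' "$line" | grep -q 'denied  *{ name_connect }' || return 1
    printf '%s\n' "$line" | grep -q 'scontext=[^ ]*:httpd_t:' || return 1
    printf '%s\n' "$line" | grep -q 'tclass=tcp_socket' || return 1
    # The third field of tcontext is the port type, e.g. mysqld_port_t.
    tport=$(printf '%s\n' "$line" | sed -n 's/.*tcontext=\([^ ]*\).*/\1/p' | cut -d: -f3)
    case "$tport" in
        # Port types covered by httpd_can_network_connect_db (assumed,
        # abbreviated list; mysqld_port_t is the one from the report).
        mysqld_port_t|postgresql_port_t) echo httpd_can_network_connect_db ;;
        # Anything else needs the broad boolean, after which httpd may
        # connect to any TCP port; look for a narrower boolean first.
        *) echo httpd_can_network_connect ;;
    esac
}

# The remediation the page recommends, for a given boolean name.
fix_command() {
    echo "setsebool -P $1 1"
}

# Optional: scan the audit log on a real SELinux host and print one
# suggestion per httpd denial instead of a catch-all audit2allow module.
if [ "${1:-}" = "--scan" ] && [ -r /var/log/audit/audit.log ]; then
    grep 'comm="httpd"' /var/log/audit/audit.log | while IFS= read -r avc; do
        b=$(suggest_boolean "$avc") || continue
        echo "$avc" | cut -c1-60
        echo "  -> $(fix_command "$b")"
    done
fi
```

Run it as `sh suggest.sh --scan` on the affected host; denials that map to httpd_can_network_connect deserve a second look before the broad boolean is enabled.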