Bug 164867 - SELinux policy prevents making connection to external mysql servers
Summary: SELinux policy prevents making connection to external mysql servers
Alias: None
Product: Fedora
Classification: Fedora
Component: php
Version: 4
Hardware: i386
OS: Linux
Target Milestone: ---
Assignee: Joe Orton
QA Contact: David Lawrence
Depends On:
TreeView+ depends on / blocked
Reported: 2005-08-02 01:56 UTC by Ian Neubert
Modified: 2007-11-30 22:11 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2005-08-02 07:58:05 UTC
Type: ---

Attachments (Terms of Use)

Description Ian Neubert 2005-08-02 01:56:41 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.7.8) Gecko/20050516 Firefox/1.0.4

Description of problem:
The SELinux policies set by default with php-mysql-5.0.4-10.3 and httpd-2.0.54-10 prevent the mysql_connect() function from connecting to MySQL servers external to the local machine. They may also prevent connecting to local MySQL servers, but I did not test that personally.

For a related issue see:

Having some more info on how to fix this would be great, or just enable it by default would be best (at least for me :)

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. yum install php-mysql
2. Create a php script that calls a remote mysql server with mysql_connect()
3. Run the script, php will not be able to connect to MySQL

Actual Results:  /var/log/audit/audit.log

type=AVC msg=audit(1122944817.122:710173): avc:  denied  { name_connect } for  pid=3146 comm="httpd" dest=3306 scontext=root:system_r:httpd_t tcontext=system_u:object_r:mysqld_port_t tclass=tcp_socket
type=SYSCALL msg=audit(1122944817.122:710173): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bf7ffb60 a2=35c43b0 a3=2 items=0 pid=3146 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 comm="httpd" exe="/usr/sbin/httpd"
type=SOCKADDR msg=audit(1122944817.122:710173): saddr=02000CEA4519E8770000000000000000
type=SOCKETCALL msg=audit(1122944817.122:710173): nargs=3 a0=d a1=bf800d44 a2=10

Expected Results:  This should have worked correctly.

Additional info:

To make it work I added the SELinux policy in /etc/selinux/targeted/src/policy/domains/misc/local.te like so:

allow httpd_t mysqld_port_t:tcp_socket { name_connect };

Comment 1 Joe Orton 2005-08-02 07:58:05 UTC
This is due to the SELinux policy, which prevents httpd processes from
making outgoing network connections by default.  The
httpd_can_network_connect boolean can be used to change this
behaviour; to allow connections:

  setsebool httpd_can_network_connect=1

passing the -P argument to set the boolean permanently (across

For further information on SELinux/Apache integration in Fedora Core,
please see: http://fedora.redhat.com/docs/selinux-apache-fc3/

For general information on SELinux in Fedora Core, please see:

Note You need to log in before you can comment on or make changes to this bug.