Bug 164867 - SELinux policy prevents making connection to external mysql servers
Summary: SELinux policy prevents making connection to external mysql servers
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: php
Version: 4
Hardware: i386
OS: Linux
Priority: medium
Severity: low
Target Milestone: ---
Assignee: Joe Orton
QA Contact: David Lawrence
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2005-08-02 01:56 UTC by Ian Neubert
Modified: 2007-11-30 22:11 UTC
CC List: 0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-08-02 07:58:05 UTC
Type: ---
Embargoed:



Description Ian Neubert 2005-08-02 01:56:41 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.7.8) Gecko/20050516 Firefox/1.0.4

Description of problem:
The SELinux policies set by default with php-mysql-5.0.4-10.3 and httpd-2.0.54-10 prevent the mysql_connect() function from connecting to MySQL servers external to the local machine. They may also prevent connecting to local MySQL servers, but I did not test that personally.

For a related issue see:
http://forums.fedoraforum.org/forum/showthread.php?t=65245

Having some more info on how to fix this would be great, or just enabling it by default would be best (at least for me :)

Version-Release number of selected component (if applicable):
php-mysql-5.0.4-10.3

How reproducible:
Always

Steps to Reproduce:
1. yum install php-mysql
2. Create a php script that calls a remote mysql server with mysql_connect()
3. Run the script, php will not be able to connect to MySQL
  

Actual Results:  /var/log/audit/audit.log

type=AVC msg=audit(1122944817.122:710173): avc:  denied  { name_connect } for  pid=3146 comm="httpd" dest=3306 scontext=root:system_r:httpd_t tcontext=system_u:object_r:mysqld_port_t tclass=tcp_socket
type=SYSCALL msg=audit(1122944817.122:710173): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bf7ffb60 a2=35c43b0 a3=2 items=0 pid=3146 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 comm="httpd" exe="/usr/sbin/httpd"
type=SOCKADDR msg=audit(1122944817.122:710173): saddr=02000CEA4519E8770000000000000000
type=SOCKETCALL msg=audit(1122944817.122:710173): nargs=3 a0=d a1=bf800d44 a2=10

Expected Results:  This should have worked correctly.

Additional info:

To make it work I added the SELinux policy in /etc/selinux/targeted/src/policy/domains/misc/local.te like so:

allow httpd_t mysqld_port_t:tcp_socket { name_connect };

Comment 1 Joe Orton 2005-08-02 07:58:05 UTC
This is due to the SELinux policy, which prevents httpd processes from
making outgoing network connections by default.  The
httpd_can_network_connect boolean can be used to change this
behaviour; to allow connections:

  setsebool httpd_can_network_connect=1

Pass the -P argument to set the boolean permanently (across
reboots).

For further information on SELinux/Apache integration in Fedora Core,
please see: http://fedora.redhat.com/docs/selinux-apache-fc3/

For general information on SELinux in Fedora Core, please see:
http://fedora.redhat.com/docs/selinux-faq-fc3/
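Added worked example (editor's note, not part of the bug or of either comment): a small POSIX shell script that reads an AVC record of the kind quoted in the report, decodes the SOCKADDR line to confirm the remote target, and prints the narrowest boolean that would permit the denial. The AVC and saddr values are taken from the report; the boolean mapping assumes the current Fedora/RHEL targeted policy, where httpd_can_network_connect_db and httpd_can_network_memcache exist alongside httpd_can_network_connect (the FC4 policy in this bug only had the latter, which opens every outbound TCP port to httpd_t, not just the database port). The function names are the example's own.

```shell
#!/bin/sh
# Added example: triage an httpd_t name_connect denial and pick the least-privilege fix.
# Booleans are those of current Fedora/RHEL targeted policy (assumption, see lead-in).

# AVC record constructed from the line quoted in the bug report.
AVC_SAMPLE='type=AVC msg=audit(1122944817.122:710173): avc:  denied  { name_connect } for  pid=3146 comm="httpd" dest=3306 scontext=root:system_r:httpd_t tcontext=system_u:object_r:mysqld_port_t tclass=tcp_socket'
# saddr value from the SOCKADDR record in the same audit event.
SADDR_SAMPLE='02000CEA4519E8770000000000000000'

# avc_field LINE KEY: value of the KEY=value token, surrounding quotes removed
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p" | tr -d '"'
}

# avc_perm LINE: the permission list between the braces, e.g. name_connect
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*{ *\([^}]*[^} ]\) *}.*/\1/p'
}

# ctx_type CONTEXT: the type field of user:role:type[:level], e.g. httpd_t
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# hexat HEX START END: characters START..END (1-based) of a hex string
hexat() {
    printf '%s' "$1" | cut -c"$2-$3"
}

# decode_saddr HEX: decode an AF_INET sockaddr as logged in a SOCKADDR record
# (family is little-endian host order, port and address are network order)
decode_saddr() {
    fam=$(printf '%d' "0x$(hexat "$1" 3 4)$(hexat "$1" 1 2)")
    if [ "$fam" -ne 2 ]; then
        printf 'family %d is not AF_INET\n' "$fam"
        return 1
    fi
    port=$(printf '%d' "0x$(hexat "$1" 5 8)")
    a=$(printf '%d' "0x$(hexat "$1" 9 10)")
    b=$(printf '%d' "0x$(hexat "$1" 11 12)")
    c=$(printf '%d' "0x$(hexat "$1" 13 14)")
    d=$(printf '%d' "0x$(hexat "$1" 15 16)")
    printf '%d.%d.%d.%d:%d\n' "$a" "$b" "$c" "$d" "$port"
}

# suggest_fix LINE: print the setsebool command for a known httpd_t outbound
# TCP denial; for anything else point at audit2allow instead of guessing.
suggest_fix() {
    perm=$(avc_perm "$1")
    sdom=$(ctx_type "$(avc_field "$1" scontext)")
    ttype=$(ctx_type "$(avc_field "$1" tcontext)")
    tclass=$(avc_field "$1" tclass)

    if [ "$sdom" != httpd_t ] || [ "$tclass" != tcp_socket ] || [ "$perm" != name_connect ]; then
        printf 'no boolean known for %s on %s:%s from %s; inspect with: audit2allow -a\n' \
            "$perm" "$tclass" "$ttype" "$sdom"
        return 1
    fi
    case $ttype in
        mysqld_port_t|postgresql_port_t) bool=httpd_can_network_connect_db ;;
        memcache_port_t)                  bool=httpd_can_network_memcache ;;
        *)                                bool=httpd_can_network_connect ;;  # all outbound TCP
    esac
    printf 'setsebool -P %s=1\n' "$bool"
}

printf 'target: %s\n' "$(decode_saddr "$SADDR_SAMPLE")"
suggest_fix "$AVC_SAMPLE"
```

The decoded saddr matches the dest=3306 in the AVC and shows the connection really was to an external host, which is what the reporter described. Prefer the _db boolean where the policy has it; the generic httpd_can_network_connect lets a compromised or SSRF-able PHP application reach any TCP service the web server can route to.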


