Bug 182346 - selinux stops httpd from accessing external databases
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: rawhide
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Daniel Walsh
Reported: 2006-02-21 17:34 EST by Nathaniel McCallum
Modified: 2007-11-30 17:11 EST
Fixed In Version: 2.2.19-2
Doc Type: Bug Fix
Last Closed: 2006-05-05 10:54:56 EDT
Attachments: None

Description Nathaniel McCallum 2006-02-21 17:34:26 EST
Description of problem:
If you load a program like drupal, joomla, wordpress etc. and set them to use a
database server that is outside of the current httpd server (i.e. on a different
IP address), selinux denies access.

Steps to Reproduce:
1. Setup a database server (192.168.1.1)
2. Setup a web server (192.168.1.2)
3. Setup wordpress, configured to use the database server
4. Try to log onto wordpress
  
Actual results:
"Cannot establish connection with database."

Expected results:
Works.

Additional info:
A workaround is to disable selinux.  However, this is (obviously) not desirable.

From the logs:
type=AVC msg=audit(1140484860.955:12): avc:  denied  { name_connect } for 
pid=808 comm="httpd" dest=3306 scontext=root:system_r:httpd_t:s0
tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1140484860.955:12): arch=40000003 syscall=102 success=no
exit=-115 a0=3 a1=bfef4c30 a2=16bc0a0 a3=2 items=0 pid=808 auid=0 uid=48 gid=48
euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 comm="httpd" exe="/usr/sbin/httpd"
type=SOCKADDR msg=audit(1140484860.955:12): saddr=02000CEA40BFB45D0000000000000000
type=SOCKETCALL msg=audit(1140484860.955:12): nargs=3 a0=d a1=bfef5638 a2=10
type=AVC msg=audit(1140484904.278:13): avc:  denied  { entrypoint } for  pid=820
comm="httpd" name="bash" dev=xvda1 ino=10780706
scontext=root:system_r:httpd_sys_script_t:s0
tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1140484904.278:13): avc:  denied  { read } for  pid=820
comm="sh" name="[2281]" dev=eventpollfs ino=2281
scontext=root:system_r:httpd_sys_script_t:s0
tcontext=system_u:object_r:eventpollfs_t:s0 tclass=file
type=SYSCALL msg=audit(1140484904.278:13): arch=40000003 syscall=11 success=yes
exit=0 a0=549017 a1=bfef599c a2=bfefa9bc a3=400 items=2 pid=820 auid=0 uid=48
gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 comm="sh" exe="/bin/bash"
type=AVC_PATH msg=audit(1140484904.278:13):  path="eventpoll:[2281]"
type=AVC_PATH msg=audit(1140484904.278:13):  path="/bin/bash"
type=CWD msg=audit(1140484904.278:13): 
cwd="/home/shokanwesleyan/public_html/wp-admin"
type=PATH msg=audit(1140484904.278:13): item=0 name="/bin/sh" flags=101 
inode=10780706 dev=ca:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1140484904.278:13): item=1 flags=101  inode=5211418
dev=ca:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1140484919.179:14): avc:  denied  { name_connect } for 
pid=813 comm="httpd" dest=3306 scontext=root:system_r:httpd_t:s0
tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1140484919.179:14): arch=40000003 syscall=102 success=no
exit=-115 a0=3 a1=bfef3710 a2=16bc0a0 a3=2 items=0 pid=813 auid=0 uid=48 gid=48
euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 comm="httpd" exe="/usr/sbin/httpd"
type=SOCKADDR msg=audit(1140484919.179:14): saddr=02000CEA40BFB45D0000000000000000
type=SOCKETCALL msg=audit(1140484919.179:14): nargs=3 a0=d a1=bfef4118 a2=10
type=AVC msg=audit(1140484929.367:15): avc:  denied  { name_connect } for 
pid=809 comm="httpd" dest=80 scontext=root:system_r:httpd_t:s0
tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1140484929.367:15): arch=40000003 syscall=102 success=no
exit=-115 a0=3 a1=bfef4fb0 a2=1208858 a3=97f4f0c items=0 pid=809 auid=0 uid=48
gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 comm="httpd"
exe="/usr/sbin/httpd"
type=SOCKADDR msg=audit(1140484929.367:15): saddr=02000050D1EDE2ED0000000000000000
type=SOCKETCALL msg=audit(1140484929.367:15): nargs=3 a0=e a1=97f4f0c a2=10
Comment 1 Daniel Walsh 2006-02-21 17:54:58 EST
First try to turn on these booleans

setsebool -P httpd_can_network_connect_db=1 httpd_can_network_connect=1

That should allow the httpd to connect to other machines.
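An added example (mine, not code from the bug report or from selinux-policy) that serves both the AVC log in the description and the booleans in Comment 1: it parses audit records of the kind quoted above, joins each AVC with the SOCKADDR record of the same audit event, decodes the sockaddr so the host and port httpd actually tried to reach are visible, and maps the denied port type to the boolean the maintainer named. The sample records are constructed from the report's log; the inclusion of postgresql_port_t under httpd_can_network_connect_db is my assumption from the targeted policy sources, not something stated on this page, and the little-endian sin_family decoding assumes the i386 arch (arch=40000003) the report shows.

```python
"""Triage httpd SELinux denials like the ones in this report.

Added example (not code from the bug report or from selinux-policy): it
parses audit records, joins each AVC with the SOCKADDR record of the same
event, decodes the peer address, and maps a denied port type to the
boolean named in Comment 1.
"""
import re
import socket
import struct
from collections import defaultdict

# Constructed sample: records copied in shape from the report.  Event 12 is
# the MySQL connect, 15 the port-80 connect, 13 an entrypoint denial on
# /bin/bash that no network boolean addresses.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1140484860.955:12): avc:  denied  { name_connect } for  pid=808 comm="httpd" dest=3306 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=SOCKADDR msg=audit(1140484860.955:12): saddr=02000CEA40BFB45D0000000000000000
type=AVC msg=audit(1140484904.278:13): avc:  denied  { entrypoint } for  pid=820 comm="httpd" name="bash" dev=xvda1 ino=10780706 scontext=root:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1140484929.367:15): avc:  denied  { name_connect } for  pid=809 comm="httpd" dest=80 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
type=SOCKADDR msg=audit(1140484929.367:15): saddr=02000050D1EDE2ED0000000000000000
"""

# Port types the narrower boolean covers.  mysqld_port_t is what the report
# shows; postgresql_port_t is an assumption taken from the targeted policy.
DB_PORT_TYPES = {"mysqld_port_t", "postgresql_port_t"}

RECORD_RE = re.compile(r"^type=(\w+) msg=audit\(([\d.]+):(\d+)\): (.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS_RE = re.compile(r"\{ ([^}]*) \}")


def parse_records(text):
    """Group records by audit serial: {serial: {record_type: [fields, ...]}}."""
    events = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        rtype, _ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(body)}
        perms = PERMS_RE.search(body)
        fields["perms"] = perms.group(1).split() if perms else []
        events[int(serial)][rtype].append(fields)
    return events


def decode_saddr(hexstr):
    """Decode a SOCKADDR saddr dump to (ip, port); AF_INET only.

    sin_family is in host byte order; little-endian is assumed because the
    report's arch=40000003 is i386.
    """
    raw = bytes.fromhex(hexstr)
    family = struct.unpack("<H", raw[:2])[0]
    if family != socket.AF_INET:
        return None
    port = struct.unpack("!H", raw[2:4])[0]
    return socket.inet_ntoa(raw[4:8]), port


def triage(text):
    """Return (sorted booleans to enable, one finding dict per AVC record)."""
    booleans = set()
    findings = []
    for serial, recs in sorted(parse_records(text).items()):
        peer = None
        for sa in recs.get("SOCKADDR", []):
            peer = decode_saddr(sa["saddr"])
        for avc in recs.get("AVC", []):
            finding = {"serial": serial, "perms": avc["perms"],
                       "peer": peer, "boolean": None}
            source_type = avc["scontext"].split(":")[2]
            if "name_connect" in avc["perms"] and source_type == "httpd_t":
                port_type = avc["tcontext"].split(":")[2]
                finding["boolean"] = ("httpd_can_network_connect_db"
                                      if port_type in DB_PORT_TYPES
                                      else "httpd_can_network_connect")
                booleans.add(finding["boolean"])
            findings.append(finding)
    return sorted(booleans), findings


def setsebool_command(text):
    """The persistent (-P) setsebool line for the booleans the denials need."""
    booleans, _ = triage(text)
    if not booleans:
        return None
    return "setsebool -P " + " ".join(b + "=1" for b in booleans)


if __name__ == "__main__":
    _, found = triage(SAMPLE_AUDIT)
    for f in found:
        print(f)
    print(setsebool_command(SAMPLE_AUDIT))
```

On a live box feed it the output of `ausearch -m avc -c httpd` instead of the constructed sample. Two things worth noticing in the result: the entrypoint denial (httpd_sys_script_t on shell_exec_t) gets no boolean, because neither network boolean covers it; and httpd_can_network_connect lets httpd_t connect to any port, which is the broad setting and the one a compromised web application would abuse for server-side requests, so enable only the boolean the denials actually require. `getsebool -a | grep httpd_can_network` shows the current values before and after `setsebool -P`.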

Comment 2 Daniel Walsh 2006-02-21 19:03:59 EST
Fixed in 2.2.19-2
Comment 3 Nathaniel McCallum 2006-02-22 15:16:16 EST
Works great!  Thanks for such a quick fix!
