Bug 663535 - httpd cannot connect to mysql.sock under most recent SELinux policy on CentOS 5
httpd cannot connect to mysql.sock under most recent SELinux policy on CentOS 5
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy (Show other bugs)
i686 Linux
low Severity medium
: rc
: ---
Assigned To: Miroslav Grepl
BaseOS QE Security Team
Depends On:
  Show dependency treegraph
Reported: 2010-12-16 00:15 EST by Erik Schneider
Modified: 2010-12-22 09:21 EST (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2010-12-22 09:21:19 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Erik Schneider 2010-12-16 00:15:29 EST
Attempting to use PHP application needing to connect to MySQL via local socket. httpd was prevented from connecting unless SELinux set to Permissive. Details below:

SELinux is preventing httpd (httpd_t) "connectto" to /var/lib/mysql/mysql.sock (unconfined_t). 

Detailed Description
[SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.]
SELinux denied access requested by httpd. It is not expected that this access is required by httpd and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. 

Allowing Access
You can generate a local policy module to allow this access - see FAQ Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report against this package. 

Additional Information
Source Context:  user_u:system_r:httpd_t
Target Context:  user_u:system_r:unconfined_t
Target Objects:  /var/lib/mysql/mysql.sock [ unix_stream_socket ]
Source:  httpd
Source Path:  /usr/sbin/httpd
Port:  <Unknown>Host:  localhost.localdomain
Source RPM Packages:  httpd-2.2.3-43.el5.centos.3
Target RPM Packages:  
Policy RPM:  selinux-policy-2.4.6-279.el5_5.2
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Permissive
Plugin Name:  catchall
Host Name:  localhost.localdomain
Platform:  Linux localhost.localdomain 2.6.18-194.26.1.el5.centos.plus #1 SMP Wed Nov 10 12:06:47 EST 2010 i686 i686
Alert Count:  26
First Seen:  Sat 25 Sep 2010 03:51:17 AM PDT
Last Seen:  Wed 15 Dec 2010 08:40:47 PM PST
Local ID:  f8797ad7-4e7e-46a8-87c4-d6d9651871b8
Line Numbers:  

Raw Audit Messages :host=localhost.localdomain type=AVC msg=audit(1292474447.653:130): avc: denied { connectto } for pid=4577 comm="httpd" path="/var/lib/mysql/mysql.sock" scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=unix_stream_socket 

host=localhost.localdomain type=SYSCALL msg=audit(1292474447.653:130): arch=40000003 syscall=102 success=yes exit=0 a0=3 a1=bf85c2e0 a2=1246718 a3=8a3a1bc items=0 ppid=3998 pid=4577 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=3 comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null) 

localhost ~]$ /usr/sbin/getsebool -a | grep httpd
allow_httpd_anon_write --> off
allow_httpd_bugzilla_script_anon_write --> off
allow_httpd_cvs_script_anon_write --> off
allow_httpd_mod_auth_pam --> off
allow_httpd_nagios_script_anon_write --> off
allow_httpd_prewikka_script_anon_write --> off
allow_httpd_squid_script_anon_write --> off
allow_httpd_sys_script_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_network_connect --> on
httpd_can_network_connect_db --> on
httpd_can_network_relay --> off
httpd_can_sendmail --> on
httpd_disable_trans --> off
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> on
httpd_read_user_content --> off
httpd_rotatelogs_disable_trans --> off
httpd_ssi_exec --> off
httpd_suexec_disable_trans --> off
httpd_tty_comm --> on
httpd_unified --> on
httpd_use_cifs --> off
httpd_use_nfs --> off
Comment 1 Miroslav Grepl 2010-12-16 04:45:18 EST
Are you running mysql directly? Not from the service script?

What is your output of

# ps -eZ | grep mysql
Comment 2 Erik Schneider 2010-12-19 06:25:40 EST
Yes I am running mysql directly as user mysql and running httpd directly as well.

ps -eZ | grep mysql

user_u:system_r:unconfined_t    14503 pts/3    00:00:00 mysqld_safe
user_u:system_r:unconfined_t    14531 pts/3    00:00:00 mysqld
Comment 3 Daniel Walsh 2010-12-20 09:29:41 EST
Is this just for testing?  Ordinarily mysql will be run by system init?
Comment 4 Erik Schneider 2010-12-22 09:17:11 EST
Yes this is for testing. I see that SE Linux does not protest if I have started MySQL from the service script. I do not know yet exactly how I will configure this to run in production.

I filed the bug report mainly because the SE Linux notice asked me to and I tend to do what I am told. Well, when asked nicely. :)
Comment 5 Daniel Walsh 2010-12-22 09:21:19 EST
Ok, I will close then.

Note You need to log in before you can comment on or make changes to this bug.