Old 01-16-2006, 01:26 AM   #1
LQ Newbie
Registered: Jan 2006
Posts: 4

Rep: Reputation: 0
SELinux problem


SELinux is preventing Apache from accessing MySQL. I've already spent a lot of time researching this well-known problem, so I know the main methods of fixing it are either disabling SELinux, updating the selinux-policy-targeted package, or writing a new policy; however, the machine I am trying to fix is a remote production machine which cannot be rebooted, and mysqld cannot be restarted either (restarting httpd is fine). Installing/upgrading packages seems too risky.

1. So far the safest solution is "setsebool httpd_disable_trans 1" or "setenforce 0". I've toggled these commands on different machines many times but am paranoid that bad luck may strike me when I run them on the production machine. My paranoia is probably due to my lack of a deeper understanding of what SELinux is doing, and the fact that my ass is on the line. Can changing these values have a negative effect on currently running processes in any way?

2. Are there other alternatives that don't require a restart or installation of packages, without compromising security like the above?

3. Is it possible to create a new policy for httpd to run in and allow it to access MySQL, while staying secure and not having to restart mysqld?

Your help is greatly appreciated.

selinux-policy-targeted 1.17.30-2.19
mysql 4.1.8
httpd 2.0.52
php 4.3.11 (php-mysql 4.3.11)
Old 01-16-2006, 08:16 AM   #2
Registered: May 2001
Posts: 29,273
Blog Entries: 55

Rep: Reputation: 3513
Selinux is preventing apache to access mysql.
Posting actual error messages (and relevant parts of the policy) can speed up problem solving.

the machine I am trying to fix is a remote production machine which can not be rebooted and also mysqld can not be restarted
Why not?

Setting SELinux to "permissive" or disabling it for a service is a bypass, not a solution. Reading up on SELinux (man 8 httpd_selinux ?) and using a staging box to practice policy checking and building on before deploying it to a production server is the best advice I can give, as I don't use SELinux. The Tresys tools look most promising (being documented, used, updated, maintained and all that):
Policy Tools for SELinux:
SELinux policy editor:
Tools for Managing SELinux:
Again, posting actual error messages and relevant parts of the policy can speed up problem solving.
Old 01-16-2006, 06:03 PM   #3
LQ Newbie
Registered: Jan 2006
Posts: 4

Original Poster
Rep: Reputation: 0
I'm trying to install the cacti monitoring tool on a client's machine with as little interference as possible. The reason is that the client needs the machine to always be "up".

I get the following error many times in the /etc/httpd/log/error_log file whenever I run any php file. In particular, index.php.

[client] PHP Warning: mysql_pconnect(): Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (13) in /var/www/cacti/lib/adodb/drivers/ on line 355

However, I've made sure all necessary packages are installed and checked that "php index.php" outputs fine.

In /var/log/messages, I get many AVC messages:

Jan 17 10:39:22 platypus kernel: audit(1137454762.887:0): avc: denied { search } for pid=24719 exe=/usr/sbin/httpd dev=dm-3 ino=2 scontext=root:system_r:httpd_t tcontext=system_u:object_r:file_t tclass=dir

grep outputs show that the httpd process is running in "root:system_r:httpd_t" and mysqld in "user_u:system_r:unconfined_t".

I'll have a look at those tools, thanks. In the meantime, any more advice is welcome!

Last edited by gttommy; 01-16-2006 at 06:05 PM.
Old 01-16-2006, 07:25 PM   #4
Senior Member
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Also take a look at the man page of audit2allow. It will generate new policies based on AVC messages in system logs and should be installed by default. Be careful that you don't unintentionally open security holes by allowing something that shouldn't be allowed.
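Added example (not code from this thread, and not audit2allow itself): a small Python script that does, in miniature, what audit2allow does with lines like the one quoted in post #3. It parses AVC "denied" records out of syslog text, groups the denied permissions by source type, target type and object class, and renders the allow rules that would cover them, so that each proposed rule can be reviewed before anything is loaded. It also flags a target type of file_t, which in the targeted policy means the object carries no SELinux label at all; a denial against file_t usually points to relabeling the filesystem rather than granting httpd_t access to unlabeled objects. The sample log is constructed: the first line is the one from the thread, the other lines are made-up variants of the same shape.

```python
import re
from collections import defaultdict

# Constructed sample input: the AVC line quoted in the thread plus made-up
# variants with the same shape, and one non-AVC line that must be ignored.
SAMPLE_LOG = """\
Jan 17 10:39:22 platypus kernel: audit(1137454762.887:0): avc: denied { search } for pid=24719 exe=/usr/sbin/httpd dev=dm-3 ino=2 scontext=root:system_r:httpd_t tcontext=system_u:object_r:file_t tclass=dir
Jan 17 10:39:22 platypus kernel: audit(1137454762.891:0): avc: denied { search } for pid=24720 exe=/usr/sbin/httpd dev=dm-3 ino=2 scontext=root:system_r:httpd_t tcontext=system_u:object_r:file_t tclass=dir
Jan 17 10:39:23 platypus kernel: audit(1137454763.102:0): avc: denied { write } for pid=24720 exe=/usr/sbin/httpd name=mysql.sock dev=dm-3 ino=15 scontext=root:system_r:httpd_t tcontext=system_u:object_r:file_t tclass=sock_file
Jan 17 10:39:24 platypus sshd[1234]: Accepted publickey for admin from 10.0.0.5 port 4242 ssh2
"""

# "avc: denied { perm perm } for key=value key=value ..."
AVC_RE = re.compile(
    r"avc:\s+(?P<action>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r"(\w+)=(\S+)")

# Target types that mean "this object has no real label", not "a rule is missing".
UNLABELED_TYPES = {"file_t", "unlabeled_t"}


def context_type(ctx):
    """Return the type component of an SELinux context (user:role:type[:level])."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def parse_avc(line):
    """Parse one syslog line; return a record for AVC messages, None otherwise."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("fields")))
    if any(k not in fields for k in ("scontext", "tcontext", "tclass")):
        return None  # malformed record: no way to build a rule from it
    return {
        "action": m.group("action"),
        "perms": frozenset(m.group("perms").split()),
        "stype": context_type(fields["scontext"]),
        "ttype": context_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        "exe": fields.get("exe"),
        "pid": fields.get("pid"),
    }


def summarize_denials(log_text):
    """Group denied permissions by (source type, target type, object class)."""
    groups = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["action"] == "denied":
            groups[(rec["stype"], rec["ttype"], rec["tclass"])].update(rec["perms"])
    return dict(groups)


def draft_rules(log_text):
    """Render the grouped denials as allow rules, one per (source, target, class)."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(summarize_denials(log_text).items()):
        rules.append("allow %s %s:%s { %s };" % (stype, ttype, tclass, " ".join(sorted(perms))))
    return rules


def unlabeled_targets(log_text):
    """Target types whose denials indicate missing labels rather than a missing rule."""
    return {ttype for (_, ttype, _) in summarize_denials(log_text) if ttype in UNLABELED_TYPES}


if __name__ == "__main__":
    for rule in draft_rules(SAMPLE_LOG):
        print(rule)
    for ttype in sorted(unlabeled_targets(SAMPLE_LOG)):
        print("# target type %s is unlabeled: check file labels before adding rules" % ttype)
```

Run it against a real /var/log/messages by passing the file's contents to draft_rules; the point of reviewing the output by hand, rather than piping it straight into a policy module, is exactly the caution post #4 raises: each line states what the rule would open up, and a denial whose target is file_t is a labeling problem that no allow rule should paper over.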

