LinuxQuestions.org
View the Most Wanted LQ Wiki articles.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 01-16-2006, 01:26 AM   #1
gttommy
LQ Newbie
 
Registered: Jan 2006
Posts: 4

Rep: Reputation: 0
SELinux problem


Hi,

Selinux is preventing apache to access mysql. Now, I've already spent alot of time researching on this well-known problem, so I know the main methods of fixing this is either disabling selinux, updating the selinux-policy-targeted package or writing a new policy, however, the machine I am trying to fix is a remote production machine which can not be rebooted and also mysqld can not be restarted (restarting httpd is fine). Installing/upgrading packages seems too risky.

1. So far the safest solution is "setsebool httpd_disable_trans 1" or "setenable 0". I've toggled with these commands on different machines many times but paranoid that bad luck may strike me when I run it on the production machine. My paranoia is probably due to my lack of deeper understanding what selinux is doing, and the fact that my ass is on the line. Can changing these values have a negative effect on currently running processes in any way?

2. Are there other alternatives, that don't require a restart or installation of packages? Without compromising security like the above?

3. Is it possible to create a new policy for httpd to run in, and allow it to access mysql. While being secure and not having to restart mysqld?

Your help is greatly appreciated.

FC3
selinux-policy-targeted 1.17.30-2.19
mysql 4.1.8
httpd 2.0.52
php 4.3.11 (php-mysql 4.3.11)
 
Old 01-16-2006, 08:16 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,470
Blog Entries: 54

Rep: Reputation: 2900Reputation: 2900Reputation: 2900Reputation: 2900Reputation: 2900Reputation: 2900Reputation: 2900Reputation: 2900Reputation: 2900Reputation: 2900Reputation: 2900
Selinux is preventing apache to access mysql.
Posting actual error messages (and relevant parts of the policy) can speed up problem solving.


the machine I am trying to fix is a remote production machine which can not be rebooted and also mysqld can not be restarted
Why not?


Setting SELinux to "permissive" or disable it for a service is a bypass, not a solution. Reading up on SELinux (man 8 httpd_selinux ?) and using a staging box to practice policy checking and building on before deploying it to a production server is the best advice I can give as I don't use SELinux. The Tresys tools look most promising (being documented, used, updated, maintained and all that):
Policy Tools for SELinux: http://www.tresys.com/selinux/selinu...cy_tools.shtml
SELinux policy editor: http://www.selinux.hitachi-sk.co.jp/...selpe-top.html
Tools for Managing SELinux: http://cops.csci.unt.edu/projects/selinux/main.html
Again, posting actual error messages and relevant parts of the policy can speed up problem solving.
 
Old 01-16-2006, 06:03 PM   #3
gttommy
LQ Newbie
 
Registered: Jan 2006
Posts: 4

Original Poster
Rep: Reputation: 0
I'm trying to install the cacti monitoring tool on a clients machine with as little interference as possible. The reason why is because the client needs the machine to always be "up".

I get the following error many times in the /etc/httpd/log/error_log file whenever I run any php file. In particular, index.php.

[client 127.0.0.1] PHP Warning: mysql_pconnect(): Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (13) in /var/www/cacti/lib/adodb/drivers/adodb-mysql.inc.php on line 355

However, I've made sure all necessary packages are installed and checked that "php index.php" outputs fine.

In /var/log/messages, I get many avc messages:

Jan 17 10:39:22 platypus kernel: audit(1137454762.887:0): avc: denied { search } for pid=24719 exe=/usr/sbin/httpd dev=dm-3 ino=2 scontext=root:system_r:httpd_t tcontext=system_u:object_r:file_t tclass=dir

grep outputs show that the httpd process is running in "root:system_r:httpd_t" and mysqld in "user_u:system_r:unconfined_t".

I'll have a look at those tools, thanks. In the meantime, anymore advice is welcome!

Last edited by gttommy; 01-16-2006 at 06:05 PM.
 
Old 01-16-2006, 07:25 PM   #4
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
Also take a look at the man page of audit2allow. It will generate new policies based on avc messages in system logs and should be installed by default. Be careful that you don't unintentionally open security holes by allowing something that shouldn't.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
SELinux problem stormtracknole Fedora 1 11-12-2005 09:25 AM
FC3 SELinux problem richard.reyes Linux - Software 0 08-02-2005 12:21 PM
SELinux problem... casttellum Linux - Security 1 03-07-2005 11:25 PM
FC3 SElinux 403 problem.... darkinsanity429 Linux - Networking 0 12-08-2004 02:45 PM
problem when emerging selinux-base-policy-20040906 Snerkel Linux - Distributions 0 10-24-2004 07:58 PM


All times are GMT -5. The time now is 04:56 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration