LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
01-16-2006, 01:26 AM   #1
gttommy
LQ Newbie
Registered: Jan 2006
Posts: 4

SELinux problem

Hi,

SELinux is preventing Apache from accessing MySQL. Now, I've already spent a lot of time researching this well-known problem, so I know the main methods of fixing it are either disabling SELinux, updating the selinux-policy-targeted package, or writing a new policy; however, the machine I am trying to fix is a remote production machine which cannot be rebooted, and mysqld cannot be restarted either (restarting httpd is fine). Installing/upgrading packages seems too risky.

1. So far the safest solution is "setsebool httpd_disable_trans 1" or "setenable 0". I've toggled these commands on different machines many times but am paranoid that bad luck may strike me when I run them on the production machine. My paranoia is probably due to my lack of deeper understanding of what SELinux is doing, and the fact that my ass is on the line. Can changing these values have a negative effect on currently running processes in any way?

2. Are there other alternatives that don't require a restart or installation of packages, without compromising security like the above?

3. Is it possible to create a new policy for httpd to run in and allow it to access MySQL, while staying secure and not having to restart mysqld?

Your help is greatly appreciated.

FC3
selinux-policy-targeted 1.17.30-2.19
mysql 4.1.8
httpd 2.0.52
php 4.3.11 (php-mysql 4.3.11)
 
01-16-2006, 08:16 AM   #2
unSpawn
Moderator
Registered: May 2001
Posts: 29,415
Blog Entries: 55

> Selinux is preventing apache to access mysql.

Posting actual error messages (and relevant parts of the policy) can speed up problem solving.

> the machine I am trying to fix is a remote production machine which can not be rebooted and also mysqld can not be restarted

Why not?

Setting SELinux to "permissive" or disabling it for a service is a bypass, not a solution. Reading up on SELinux (man 8 httpd_selinux ?) and using a staging box to practice policy checking and building on before deploying it to a production server is the best advice I can give, as I don't use SELinux. The Tresys tools look most promising (being documented, used, updated, maintained and all that):
Policy Tools for SELinux: http://www.tresys.com/selinux/selinu...cy_tools.shtml
SELinux policy editor: http://www.selinux.hitachi-sk.co.jp/...selpe-top.html
Tools for Managing SELinux: http://cops.csci.unt.edu/projects/selinux/main.html
Again, posting actual error messages and relevant parts of the policy can speed up problem solving.
 
01-16-2006, 06:03 PM   #3
gttommy
LQ Newbie
Registered: Jan 2006
Posts: 4
Original Poster

I'm trying to install the cacti monitoring tool on a client's machine with as little interference as possible. The reason is that the client needs the machine to always be "up".

I get the following error many times in the /etc/httpd/log/error_log file whenever I run any php file. In particular, index.php.

[client 127.0.0.1] PHP Warning: mysql_pconnect(): Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (13) in /var/www/cacti/lib/adodb/drivers/adodb-mysql.inc.php on line 355

However, I've made sure all necessary packages are installed and checked that "php index.php" outputs fine.

In /var/log/messages, I get many avc messages:

Jan 17 10:39:22 platypus kernel: audit(1137454762.887:0): avc: denied { search } for pid=24719 exe=/usr/sbin/httpd dev=dm-3 ino=2 scontext=root:system_r:httpd_t tcontext=system_u:object_r:file_t tclass=dir

grep outputs show that the httpd process is running in "root:system_r:httpd_t" and mysqld in "user_u:system_r:unconfined_t".

I'll have a look at those tools, thanks. In the meantime, any more advice is welcome!

Last edited by gttommy; 01-16-2006 at 06:05 PM.
 
01-16-2006, 07:25 PM   #4
Capt_Caveman
Senior Member
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Also take a look at the man page of audit2allow. It will generate new policies based on avc messages in system logs and should be installed by default. Be careful that you don't unintentionally open security holes by allowing something that shouldn't.
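As an added illustration of the caution in post #4 (not code from the thread or from audit2allow itself): the script below parses the AVC denial quoted in post #3, shows the kind of single-denial allow rule that audit2allow-style tooling would derive from it, and flags that the target type here is file_t, the type given to files that carry no SELinux label at all. Allowing httpd_t to search file_t would grant Apache access to every unlabeled directory on the box, so a file_t target points at a labeling problem (relabel the filesystem) rather than at a missing policy rule. The log line is copied from the thread; the rule format is an approximation of audit2allow output.

```python
import re

# Sample input: the AVC denial quoted in post #3 of this thread.
SAMPLE_AVC = (
    "Jan 17 10:39:22 platypus kernel: audit(1137454762.887:0): avc: denied "
    "{ search } for pid=24719 exe=/usr/sbin/httpd dev=dm-3 ino=2 "
    "scontext=root:system_r:httpd_t tcontext=system_u:object_r:file_t tclass=dir"
)

# Matches the "avc: denied { perm ... } for key=value ..." part of a kernel audit line.
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$"
)


def parse_avc(line):
    """Split one AVC record into a dict; return None for lines that are not AVC records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"result": m.group("result"), "perms": m.group("perms").split()}
    for key, value in re.findall(r"(\w+)=(\S+)", m.group("rest")):
        rec[key] = value
    if "scontext" not in rec or "tcontext" not in rec or "tclass" not in rec:
        return None
    # A context is user:role:type[:level]; policy rules are written in terms of the type.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def suggested_allow_rule(rec):
    """The allow rule that tooling working from this single denial would propose."""
    return "allow %s %s:%s { %s };" % (
        rec["stype"], rec["ttype"], rec["tclass"], " ".join(rec["perms"])
    )


def assess(rec):
    """'relabel' when the target is unlabeled (file_t): an allow rule would be over-broad.
    'policy' otherwise, meaning the rule is at least scoped to a real type."""
    if rec["ttype"] == "file_t":
        return "relabel"
    return "policy"


if __name__ == "__main__":
    record = parse_avc(SAMPLE_AVC)
    print(suggested_allow_rule(record), "->", assess(record))
```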