2016-10-26 16:41:11

by craig

Subject: [refpolicy] Allow HTTPD to connect to SQL via UNIX socket

I haven't found any existing SELinux configuration that would allow HTTPD
to connect to MySQL via a UNIX socket. We have created a custom policy that
allows this connection, but I want to make sure that we aren't "reinventing
the wheel."

1. Is there an existing combination of booleans and/or contexts that would
allow HTTPD to connect to a local UNIX socket?
2. If not, do you have any feedback on our custom policy (included at the
end of this message)?

To be specific, I have a CentOS 7 instance that is running Apache and Cloud
SQL Proxy on Google Compute Engine. Apache connects to the proxy via a UNIX
socket on localhost, and the proxy connects to Google Cloud SQL. I know
that the proxy is able to connect to Cloud SQL, but Apache is denied from
connecting to the proxy on the UNIX socket. The error message is:

type=SYSCALL msg=audit(1477499164.189:16817): arch=c000003e syscall=42
success=no exit=-13 a0=b a1=7ffdb42bef20 a2=32 a3=4 items=0 ppid=6868
pid=7394 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48
sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd"
exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1477499164.189:16817): avc: denied { write } for
pid=7394 comm="httpd" name="REDACTED" dev="sda1" ino=17918851
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:default_t:s0 tclass=sock_file


The custom policy:

## Start httpdsockpolicy.te

module httpdsockpolicy 1.0;

require {
type httpd_t;
type default_t;
class sock_file write;
}

#============= httpd_t ==============
allow httpd_t default_t:sock_file write;

# End httpdsockpolicy.te

--
Craig Finch
Principal Consultant
Rootwork InfoTech LLC
Direct Phone: 321.209.8088
Rootwork Phone: 321.209.2447
http://www.rootwork.it


2016-10-26 18:03:32

by rfkrocktk

Subject: [refpolicy] Allow HTTPD to connect to SQL via UNIX socket

Craig, please see below:

$ sudo sesearch --allow -s httpd_t -t mysqld_var_run_t | head
Found 7 semantic av rules:
allow httpd_t mysqld_var_run_t : dir { getattr search open } ;
allow httpd_t mysqld_var_run_t : sock_file { write getattr append open } ;
allow httpd_t file_type : filesystem getattr ;
allow httpd_t file_type : dir { getattr search open } ;
allow nsswitch_domain pidfile : dir { getattr search open } ;
allow nsswitch_domain pidfile : dir { getattr search open } ;
allow nsswitch_domain pidfile : dir { getattr search open } ;

This was run on RHEL 7.2. I'm not sure if refpolicy has this, but I
believe it does.
Thanks,
- Naftuli Kay


On Wed, Oct 26, 2016 at 9:41 AM, Craig Finch via refpolicy
<[email protected]> wrote:
> I haven't found any existing SELinux configuration that would allow HTTPD to
> connect to MySQL via a UNIX socket. We have created a custom policy that
> allows this connection, but I want to make sure that we aren't "reinventing
> the wheel."
>
> 1. Is there an existing combination of booleans and/or contexts that would
> allow HTTPD to connect to a local UNIX socket?
> 2. If not, do you have any feedback on our custom policy (included at the
> end of this message)?
>
> To be specific, I have a CentOS 7 instance that is running Apache and Cloud
> SQL Proxy on Google Compute Engine. Apache connects to the proxy via a UNIX
> socket on localhost, and the proxy connects to Google Cloud SQL. I know that
> the proxy is able to connect to Cloud SQL, but Apache is denied from
> connecting to the proxy on the UNIX socket. The error message is:
>
> type=SYSCALL msg=audit(1477499164.189:16817): arch=c000003e syscall=42
> success=no exit=-13 a0=b a1=7ffdb42bef20 a2=32 a3=4 items=0 ppid=6868
> pid=7394 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48
> sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd"
> exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
> type=AVC msg=audit(1477499164.189:16817): avc: denied { write } for
> pid=7394 comm="httpd" name="REDACTED" dev="sda1" ino=17918851
> scontext=system_u:system_r:httpd_t:s0
> tcontext=system_u:object_r:default_t:s0 tclass=sock_file
>
>
> The custom policy:
>
> ## Start httpdsockpolicy.te
>
> module httpdsockpolicy 1.0;
>
> require {
> type httpd_t;
> type default_t;
> class sock_file write;
> }
>
> #============= httpd_t ==============
> allow httpd_t default_t:sock_file write;
>
> # End httpdsockpolicy.te
>
> --
> Craig Finch
> Principal Consultant
> Rootwork InfoTech LLC
> Direct Phone: 321.209.8088
> Rootwork Phone: 321.209.2447
> http://www.rootwork.it
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
>
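An added example to go with the two messages above; it is not code from either poster. The reply's sesearch output shows that httpd_t may already write sock_file objects of type mysqld_var_run_t, while the denial in the original post is against default_t, the fallback type a file gets when no file_contexts entry matches its path. The narrow fix is therefore to relabel the proxy socket rather than to allow httpd_t to write every default_t socket on the host, which is what the posted module does. The script below parses an AVC record, locates the socket by the inode the record carries (the record has only name and inode, not a full path), and prints the relabel or, when the socket already has a real type, the checks to run before writing a custom module. Both audit records are constructed: the first is the posted denial with the redacted name replaced by the assumed name cloudsql.sock, the second is a made-up follow-up denial against var_run_t to exercise the other branch. Nothing here runs semanage or restorecon; it only prints the commands.

```shell
#!/bin/sh
# Triage an SELinux AVC denial on a UNIX socket and print the suggested fix.
# Added example, not from the thread. Sample records are constructed; the
# socket name "cloudsql.sock" is an assumption standing in for "REDACTED".

AVC_DEFAULT_T='type=AVC msg=audit(1477499164.189:16817): avc: denied { write } for pid=7394 comm="httpd" name="cloudsql.sock" dev="sda1" ino=17918851 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=sock_file'

# Constructed: same access after the socket has acquired a real (but wrong)
# type, so relabeling is not the answer and an existing rule must be checked.
AVC_LABELED='type=AVC msg=audit(1477499200.001:16900): avc: denied { write } for pid=7394 comm="httpd" name="cloudsql.sock" dev="sda1" ino=17918851 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file'

# avc_field RECORD KEY: value of KEY=... in an audit record, quotes stripped.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.* $2=\([^ ]*\).*/\1/p" | tr -d '"'
}

# ctx_type CONTEXT: the type component of user:role:type[:level].
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_fix RECORD: print the commands a practitioner would run for this denial.
avc_fix() {
    rec=$1
    stype=$(ctx_type "$(avc_field "$rec" scontext)")
    ttype=$(ctx_type "$(avc_field "$rec" tcontext)")
    tclass=$(avc_field "$rec" tclass)
    name=$(avc_field "$rec" name)
    ino=$(avc_field "$rec" ino)
    case "$tclass:$ttype" in
    sock_file:default_t)
        # default_t: no file_contexts entry matched the socket's path. Find
        # the path via the inode, then give the socket the type httpd_t can
        # already write (mysqld_var_run_t, per the sesearch output above).
        echo "# $stype -> $ttype:$tclass: socket '$name' is unlabeled; relabel it"
        echo "find / -xdev -inum $ino -name '$name'"
        echo "semanage fcontext -a -t mysqld_var_run_t '<path from find>'"
        echo "restorecon -v '<path from find>'"
        ;;
    sock_file:*)
        # The socket already has a real type: look for an existing allow rule
        # or boolean before generating a custom module from the denial.
        echo "# $stype -> $ttype:$tclass: socket is labeled; look for an existing rule"
        echo "sesearch --allow -s $stype -t $ttype -c $tclass"
        echo "getsebool -a | grep '^httpd_'"
        echo "ausearch -m avc -c httpd | audit2allow -m httpd_local   # last resort"
        ;;
    *)
        echo "# $stype -> $ttype:$tclass: not a socket-file denial"
        ;;
    esac
}

avc_fix "$AVC_DEFAULT_T"
avc_fix "$AVC_LABELED"
```

Run it as `sh avc_fix.sh`, or feed a live record with `avc_fix "$(ausearch -m avc -ts recent | grep '^type=AVC' | tail -1)"`. The placeholders in the semanage and restorecon lines are meant to be replaced with the path that find reports; a regular-expression pattern for the socket's directory is usually the better fcontext entry, since the proxy recreates the socket on every restart.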