From: craig@rootwork.it (Craig Finch)
Date: Wed, 26 Oct 2016 12:41:11 -0400
Subject: [refpolicy] Allow HTTPD to connect to SQL via UNIX socket
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

I haven't found any existing SELinux configuration that would allow HTTPD to connect to MySQL via a UNIX socket. We have created a custom policy that allows this connection, but I want to make sure that we aren't "reinventing the wheel."

1. Is there an existing combination of booleans and/or contexts that would allow HTTPD to connect to a local UNIX socket?

2. If not, do you have any feedback on our custom policy (included at the end of this message)?

To be specific, I have a CentOS 7 instance that is running Apache and Cloud SQL Proxy on Google Compute Engine. Apache connects to the proxy via a UNIX socket on localhost, and the proxy connects to Google Cloud SQL. I know that the proxy is able to connect to Cloud SQL, but Apache is denied from connecting to the proxy on the UNIX socket.
The error message is:

type=SYSCALL msg=audit(1477499164.189:16817): arch=c000003e syscall=42 success=no exit=-13 a0=b a1=7ffdb42bef20 a2=32 a3=4 items=0 ppid=6868 pid=7394 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1477499164.189:16817): avc: denied { write } for pid=7394 comm="httpd" name="REDACTED" dev="sda1" ino=17918851 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=sock_file

The custom policy:

## Start httpdsockpolicy.te
module httpdsockpolicy 1.0;

require {
	type httpd_t;
	type default_t;
	class sock_file write;
}

#============= httpd_t ==============
allow httpd_t default_t:sock_file write;
# End httpdsockpolicy.te

-- 
Craig Finch
Principal Consultant
Rootwork InfoTech LLC
Direct Phone: 321.209.8088
Rootwork Phone: 321.209.2447
www.rootwork.it
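The following is an added example, not the poster's code and not part of refpolicy. It parses the AVC record quoted in the message, drafts the same minimal .te module the poster wrote (the shape audit2allow produces), and then returns the two review findings a policy maintainer would raise on it: the target type default_t is the fallback label from the catch-all file context, so the socket file is mislabeled and should be given a proper type rather than having httpd_t granted access to default_t; and connecting to a UNIX stream socket is also checked as `unix_stream_socket connectto` against the listening process's domain, so `sock_file write` alone will produce a second denial once loaded. The sample AVC line is a constructed copy of the one in the post; the function and class names are this example's own.

```python
"""Triage an SELinux AVC denial and draft a matching refpolicy module.

Added example (not the poster's code, not refpolicy's).  It parses one
audit(8) AVC record, emits a minimal .te module like the one in the post,
and reports what a reviewer would flag about such a module.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: the AVC record quoted in the post, copied as one line.
SAMPLE_AVC = (
    'type=AVC msg=audit(1477499164.189:16817): avc: denied { write } for '
    'pid=7394 comm="httpd" name="REDACTED" dev="sda1" ino=17918851 '
    'scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:default_t:s0 tclass=sock_file'
)

# Types that mean "nothing labeled this object", never "this is a DB socket".
FALLBACK_TYPES = {"default_t", "unlabeled_t"}

_DENIED_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$")
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


@dataclass
class AvcDenial:
    perms: list
    scontext: str
    tcontext: str
    tclass: str
    fields: dict = field(default_factory=dict)

    @property
    def source_type(self):
        return context_type(self.scontext)

    @property
    def target_type(self):
        return context_type(self.tcontext)


def context_type(ctx):
    """Extract the type from a user:role:type[:range] security context."""
    parts = ctx.split(":")
    if len(parts) < 3:
        raise ValueError("not a security context: %r" % ctx)
    return parts[2]


def parse_avc(line):
    """Parse the 'avc: denied { perms } for k=v ...' part of an audit record."""
    m = _DENIED_RE.search(line)
    if not m:
        raise ValueError("no 'avc: denied' record in line")
    perms = m.group("perms").split()
    fields = {k: v.strip('"') for k, v in _KV_RE.findall(m.group("rest"))}
    for required in ("scontext", "tcontext", "tclass"):
        if required not in fields:
            raise ValueError("AVC record missing %s" % required)
    return AvcDenial(perms, fields["scontext"], fields["tcontext"],
                     fields["tclass"], fields)


def generate_module(denial, module_name, version="1.0"):
    """Draft a minimal .te module in the same shape as the poster's."""
    perms = " ".join(sorted(denial.perms))
    if len(denial.perms) > 1:
        perms = "{ %s }" % perms
    lines = ["module %s %s;" % (module_name, version), "", "require {",
             "\ttype %s;" % denial.source_type]
    if denial.target_type != denial.source_type:
        lines.append("\ttype %s;" % denial.target_type)
    lines += ["\tclass %s %s;" % (denial.tclass, perms), "}", "",
              "#============= %s ==============" % denial.source_type,
              "allow %s %s:%s %s;" % (denial.source_type, denial.target_type,
                                      denial.tclass, perms)]
    return "\n".join(lines) + "\n"


def review(denial):
    """Return the findings a policy reviewer would raise on such a module."""
    findings = []
    if denial.target_type in FALLBACK_TYPES:
        findings.append(
            "target type %s is the fallback label, so the %s is mislabeled; "
            "give it a file context (semanage fcontext, then restorecon) "
            "instead of allowing %s access to %s"
            % (denial.target_type, denial.tclass, denial.source_type,
               denial.target_type))
    if denial.tclass == "sock_file" and "write" in denial.perms:
        findings.append(
            "connecting to a UNIX stream socket is also checked as "
            "'unix_stream_socket connectto' against the listener's domain; "
            "expect a second AVC from %s after this rule is loaded"
            % denial.source_type)
    return findings


if __name__ == "__main__":
    d = parse_avc(SAMPLE_AVC)
    print(generate_module(d, "httpdsockpolicy"))
    for f in review(d):
        print("REVIEW:", f)
```

Run on the sample record it reproduces the poster's `allow httpd_t default_t:sock_file write;` module and prints both findings. The point of the mislabel finding is the one that matters for this thread: the socket the proxy creates has no matching entry in file_contexts, which is why it ends up as default_t, and labeling it is the fix rather than widening what httpd_t may do to default_t.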