From: craig@rootwork.it (Craig Finch)
Date: Wed, 26 Oct 2016 12:41:11 -0400
Subject: [refpolicy] Allow HTTPD to connect to SQL via UNIX socket
Message-ID: <CAA05CXr3GuKTu+49fuua7UCNTSVEo+-dxgF-jc5XAWWrrzHV6Q@mail.gmail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

I haven't found any existing SELinux configuration that would allow HTTPD
to connect to MySQL via a UNIX socket. We have created a custom policy that
allows this connection, but I want to make sure that we aren't "reinventing
the wheel."

1. Is there an existing combination of booleans and/or contexts that would
allow HTTPD to connect to a local UNIX socket?
2. If not, do you have any feedback on our custom policy (included at the
end of this message)?

To be specific, I have a CentOS 7 instance that is running Apache and Cloud
SQL Proxy on Google Compute Engine. Apache connects to the proxy via a UNIX
socket on localhost, and the proxy connects to Google Cloud SQL. I know
that the proxy is able to connect to Cloud SQL, but Apache is denied from
connecting to the proxy on the UNIX socket. The error message is:

type=SYSCALL msg=audit(1477499164.189:16817): arch=c000003e syscall=42
success=no exit=-13 a0=b a1=7ffdb42bef20 a2=32 a3=4 items=0 ppid=6868
pid=7394 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48
sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd"
exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1477499164.189:16817): avc:  denied  { write } for
 pid=7394 comm="httpd" name="REDACTED" dev="sda1" ino=17918851
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:default_t:s0 tclass=sock_file


The custom policy:

## Start httpdsockpolicy.te

module httpdsockpolicy 1.0;

require {
        type httpd_t;
        type default_t;
        class sock_file write;
}

#============= httpd_t ==============
allow httpd_t default_t:sock_file write;

# End httpdsockpolicy.te

-- 
Craig Finch
Principal Consultant
Rootwork InfoTech LLC
Direct Phone: 321.209.8088
Rootwork Phone: 321.209.2447
www.rootwork.it
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://oss.tresys.com/pipermail/refpolicy/attachments/20161026/f9055c90/attachment.html